author: Nicolas Vigier <boklm@mageia.org> 2013-04-14 13:46:12 +0000
committer: Nicolas Vigier <boklm@mageia.org> 2013-04-14 13:46:12 +0000
commit: 1be510f9529cb082f802408b472a77d074b394c0
tree: b175f9d5fcb107576dabc768e7bd04d4a3e491a0 /zarb-ml/mageia-dev/attachments/20111006
parent: fa5098cf210b23ab4f419913e28af7b1b07dafb2
Add zarb MLs html archives
Diffstat (limited to 'zarb-ml/mageia-dev/attachments/20111006')
-rw-r--r-- zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html | 5
-rw-r--r-- zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html | 5
2 files changed, 10 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html
new file mode 100644
index 000000000..c3567477f
--- /dev/null
+++ b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html
@@ -0,0 +1,5 @@
+I think part of the point I noticed didn&#39;t got understood/seen by people answering on this topic.<br>I&#39;ll rephrase my wondering differently.<br><br>Syslinux is a modern bootloader and use some libs (a zlib, a png one, a jpeg one, maybe other ...).<br>
+<br>The patch I was talking about is about to change the png lib with the main argument about the security. A possible scenario with a png attack.<br><br>My point is that if we care about the security of the bootloaders regarding this kind of scenario, our work is very partial.<br>
+If we want to stay consitent, we have to remove the jpeg lib too, the compression libs also.<br><br>And this is true about all the other bootloaders. Did someone already thought about managing the security of the builtin libs inside gfxboot ?<br>
+Do we care about the gunzip code of grub ?<br><br>Being that intrusive regarding the static inclusion of this libs inside the bootloaders is just a work to report upstream and not the distro side.<br>Only focusing on changing the libpng or not of syslinux isn&#39;t enough....<br>
+<br>Honestly, for me this really sounds like cutting hairs in 4 with a hammer.<br>
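Review bot: attachment-0001.html is the HTML body of a mail message committed verbatim under an .html name, with no doctype, no charset declaration and no sanitising step visible in this change. This particular fragment contains only <br> tags and &#39; entities, but if files under attachments/ are served as text/html from the archive host, whatever markup a sender puts in a message will render in that site's origin. I would suggest serving this directory with Content-Disposition: attachment or a restrictive Content-Security-Policy, or storing a sanitised rendering, and noting that choice in the commit message.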
diff --git a/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html
new file mode 100644
index 000000000..c3567477f
--- /dev/null
+++ b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html
@@ -0,0 +1,5 @@
+I think part of the point I noticed didn&#39;t got understood/seen by people answering on this topic.<br>I&#39;ll rephrase my wondering differently.<br><br>Syslinux is a modern bootloader and use some libs (a zlib, a png one, a jpeg one, maybe other ...).<br>
+<br>The patch I was talking about is about to change the png lib with the main argument about the security. A possible scenario with a png attack.<br><br>My point is that if we care about the security of the bootloaders regarding this kind of scenario, our work is very partial.<br>
+If we want to stay consitent, we have to remove the jpeg lib too, the compression libs also.<br><br>And this is true about all the other bootloaders. Did someone already thought about managing the security of the builtin libs inside gfxboot ?<br>
+Do we care about the gunzip code of grub ?<br><br>Being that intrusive regarding the static inclusion of this libs inside the bootloaders is just a work to report upstream and not the distro side.<br>Only focusing on changing the libpng or not of syslinux isn&#39;t enough....<br>
+<br>Honestly, for me this really sounds like cutting hairs in 4 with a hammer.<br>
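Review bot: attachment.html has the same blob id as attachment-0001.html in the previous hunk (index 000000000..c3567477f in both), so the two new files under 354e3360/ are byte-identical. If both names are required because archived pages link to each of them, say so in the commit message; otherwise keep one copy and point the other reference at it, so that any later sanitising or removal of this attachment only has to be done in one place.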