Diffstat (limited to 'zarb-ml/mageia-dev/attachments/20111006')
-rw-r--r-- | zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html | 5 |
-rw-r--r-- | zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html new file mode 100644 index 000000000..c3567477f --- /dev/null +++ b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment-0001.html @@ -0,0 +1,5 @@ +I think part of the point I noticed didn't got understood/seen by people answering on this topic.<br>I'll rephrase my wondering differently.<br><br>Syslinux is a modern bootloader and use some libs (a zlib, a png one, a jpeg one, maybe other ...).<br> +<br>The patch I was talking about is about to change the png lib with the main argument about the security. A possible scenario with a png attack.<br><br>My point is that if we care about the security of the bootloaders regarding this kind of scenario, our work is very partial.<br> +If we want to stay consitent, we have to remove the jpeg lib too, the compression libs also.<br><br>And this is true about all the other bootloaders. Did someone already thought about managing the security of the builtin libs inside gfxboot ?<br> +Do we care about the gunzip code of grub ?<br><br>Being that intrusive regarding the static inclusion of this libs inside the bootloaders is just a work to report upstream and not the distro side.<br>Only focusing on changing the libpng or not of syslinux isn't enough....<br> +<br>Honestly, for me this really sounds like cutting hairs in 4 with a hammer.<br> diff --git a/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html new file mode 100644 index 000000000..c3567477f --- /dev/null +++ b/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html 
@@ -0,0 +1,5 @@ +I think part of the point I noticed didn't got understood/seen by people answering on this topic.<br>I'll rephrase my wondering differently.<br><br>Syslinux is a modern bootloader and use some libs (a zlib, a png one, a jpeg one, maybe other ...).<br> +<br>The patch I was talking about is about to change the png lib with the main argument about the security. A possible scenario with a png attack.<br><br>My point is that if we care about the security of the bootloaders regarding this kind of scenario, our work is very partial.<br> +If we want to stay consitent, we have to remove the jpeg lib too, the compression libs also.<br><br>And this is true about all the other bootloaders. Did someone already thought about managing the security of the builtin libs inside gfxboot ?<br> +Do we care about the gunzip code of grub ?<br><br>Being that intrusive regarding the static inclusion of this libs inside the bootloaders is just a work to report upstream and not the distro side.<br>Only focusing on changing the libpng or not of syslinux isn't enough....<br> +<br>Honestly, for me this really sounds like cutting hairs in 4 with a hammer.<br> |
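Review bot: the first hunk (attachment-0001.html) commits a raw MIME text/html part verbatim: the five added lines are bare text with `<br>` markup, no `<html>`/`<head>`/`<body>` wrapper and no charset declaration. That is harmless for this particular message, but if the same import path stores every sender's HTML part unmodified under the web-served attachments tree, the commit (or the importer's documentation) should say how these files are served, for example with a restrictive Content-Type or after a sanitizing pass, rather than leaving that implicit.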
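Review bot: the second hunk (attachment.html) is byte-identical to the first; both file headers carry `index 000000000..c3567477f`, i.e. the same blob, and the diffstat reports 5 insertions for each. If the `-0001` suffix is the mail archiver's collision handling for one message's single HTML part, the second copy is a duplicate and should be deduplicated at import time, or the commit message should state why both copies are kept.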