From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-October/008613.html | 133 ++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-October/008613.html (limited to 'zarb-ml/mageia-dev/2011-October/008613.html') diff --git a/zarb-ml/mageia-dev/2011-October/008613.html b/zarb-ml/mageia-dev/2011-October/008613.html new file mode 100644 index 000000000..75c6509a2 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-October/008613.html @@ -0,0 +1,133 @@ + + + + [Mageia-dev] About syslinux & libpng + + + + + + + + + +

[Mageia-dev] About syslinux & libpng

+ Michael Scherer + misc at zarb.org +
+ Mon Oct 3 15:58:36 CEST 2011 +

+
+ +
Le jeudi 29 septembre 2011 à 20:41 +0200, Erwan Velu a écrit :
+> Le 28/09/2011 22:13, D.Morgan a écrit :
+> > On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<erwanaliasr1 at gmail.com>  wrote:
+> >> I'm currently updating Syslinux 4.04 and I'm currently facing a trouble as,
+> >> historically speaking, we do remove the included libpng by the system one.
+> >>
+> >> The compilation process fails. I was wondering if we really consider
+> >> replacing the libpng of syslinux as a security issue.
+> >>
+> >> Sec team ? What's your opinion on it ?
+> >>
+> >> Cheers,
+> >>
+> > hi,
+> >
+> > i take my security hat on, we prefer when possible when we use the system libs.
+> > i have not looked but which libpng is included ?
+> 
+> It take the libpng-source to replace the current syslinux code.
+> 
+> The point is syslinux is a bootloader that obviously don't share libs 
+> with the rest of the system.
+> Considering that we can attack the bootloader via a picture means you 
+> compromized the picture. If you can change the picture located at /boot, 
+> means that you can compromize the booting parameters too.
+
+No, that's not the way it work.
+
+The problem by bundling libpng is the following :
+- imagine there is a security issue in libpng ( like it did in the past,
+and like it happened on libz, or others ). Let's suppose also the
+problem is a simple buffer overflow.  So using this buffer overflow,
+someone reading a image would trigger the error, who could be crafted to
+erase the stack, and inject code in the process.  
+
+So if the error is not fixed, I can simply say on irc : "oh, here is a
+picture of a cute duck on http://example.org/~misc/duck.png". You
+download, you execute my code, you have lost. 
+
+But since the libpng would be fixed, this would not work. Except that we
+cannot garantee that it is fixed everywhere. 
+
+Except if I start to replace this by "here is a nice syslinux boot image
+with a duck". And then my code is run by syslinux, just because someone
+took my png picture. 
+
+So no, bundling is not without causing trouble. 
+
+> So if we take this road of removing bootloader's libs, shall we also 
+> remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too ?
+
+> I do understand the need for the application that runs under linux... 
+> but about the bootloaders...
+
+Unless I am wrong, a bootloader run on ring 0 or can even ( like xen )
+be used to run the kernel in a specific separate memory space ( ie,
+virtualisation ). This could open a whole new range of problem ( like
+the Blue Pill concept code published 5 years ago by Joanna Rutkowska )
+
+So I think that bootloader requires more consideration than regular
+application. 
+
+> What's your thoughts about it ?
+> Would you agree on keep syslinux untouched regarding the png lib ?
+
+For reasons explained before, I would rather disagree.
+
+
+-- 
+Michael Scherer
+
+
+ + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1