From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives

---
 zarb-ml/mageia-dev/2011-October/008621.html | 93 +++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 zarb-ml/mageia-dev/2011-October/008621.html

diff --git a/zarb-ml/mageia-dev/2011-October/008621.html b/zarb-ml/mageia-dev/2011-October/008621.html
new file mode 100644
index 000000000..7c36d7bab
--- /dev/null
+++ b/zarb-ml/mageia-dev/2011-October/008621.html
@@ -0,0 +1,93 @@
+ + + + [Mageia-dev] About syslinux & libpng + + + + + + + + + +

[Mageia-dev] About syslinux & libpng

+ Guillaume Rousse + guillomovitch at gmail.com +
+ Tue Oct 4 17:24:27 CEST 2011 +

+
+ +
Le 04/10/2011 16:50, Michael scherer a écrit :
+> On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote:
+>> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
+>>
+>>> Except if I start to replace this by "here is a nice syslinux boot image
+>>> with a duck". And then my code is run by syslinux, just because someone
+>>> took my png picture.
+>>
+>> And the same person could say, "Here is my cool plymouth splash screen, use my
+>> initrd", and there are 1000 easier ways to exploit this (than trying to
+>> generate a PNG image with exploit code that someone would like enough to use
+>> syslinux).
+>
+> Sure, but we can also upload the pics on some gnome-art or something like that.
+>
+> Now, if we consider every possible exploit requires opening a document as a non
+> problem, I guess it would surely reduce our workload on security issue, and
+> for sure enhance the confidence.
+Those situations are not really comparable. Opening a document with the 
+corresponding application is a normal usage scenario, whereas 
+configuring the boot process is a system administration scenario, 
+requiring explicit context change.
+
+> And while I was not aware of it when I wrote my mail, it already happened :
+>
+> MDKSA-2006:210
+Nobody said it didn't happened, just than forcing build against system 
+version of the library would requires more effort right now, without 
+avoiding the need to also rebuild syslinux in case of vulnerability in 
+libpng, as it is statically linked. It would just make easier to track 
+vulnerability by having a single version, and avoid to patch twice.
+
+-- 
+Guillaume
+
+
+ + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1