[Mageia-dev] About syslinux & libpng

Thu Sep 29 20:41:41 CEST 2011

Le 28/09/2011 22:13, D.Morgan a écrit :
+> On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<erwanaliasr1 at gmail.com>  wrote:
+>> I'm currently updating Syslinux 4.04 and I'm currently facing a trouble as,
+>> historically speaking, we do remove the included libpng by the system one.
+>>
+>> The compilation process fails. I was wondering if we really consider
+>> replacing the libpng of syslinux as a security issue.
+>>
+>> Sec team ? What's your opinion on it ?
+>>
+>> Cheers,
+>>
+> hi,
+>
+> i take my security hat on, we prefer when possible when we use the system libs.
+> i have not looked but which libpng is included ?
+
+It take the libpng-source to replace the current syslinux code.
+
+The point is syslinux is a bootloader that obviously don't share libs 
+with the rest of the system.
+Considering that we can attack the bootloader via a picture means you 
+compromized the picture. If you can change the picture located at /boot, 
+means that you can compromize the booting parameters too.
+
+So if we take this road of removing bootloader's libs, shall we also 
+remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too ?
+
+I do understand the need for the application that runs under linux... 
+but about the bootloaders...
+
+What's your thoughts about it ?
+Would you agree on keep syslinux untouched regarding the png lib ?
+
+