It seems we are the only distros (with Mandriva) building syslinux with system libpng.

On 2011-9-30 at 2:41 AM, "Erwan Velu" <erwanaliasr1@gmail.com> wrote:
> On 28/09/2011 22:13, D.Morgan wrote:
>> On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<erwanaliasr1@gmail.com> wrote:
>>> I'm currently updating Syslinux 4.04 and I'm currently facing trouble as,
>>> historically speaking, we do replace the included libpng with the system one.
>>>
>>> The compilation process fails. I was wondering if we really consider
>>> replacing the libpng of syslinux as a security issue.
>>>
>>> Sec team? What's your opinion on it?
>>>
>>> Cheers,
>>>
>> hi,
>>
>> I'm putting my security hat on: we prefer, when possible, to use the system libs.
>> I have not looked, but which libpng is included?
>
> It takes the libpng-source to replace the current syslinux code.
>
> The point is syslinux is a bootloader that obviously doesn't share libs
> with the rest of the system.
> Considering that we can attack the bootloader via a picture means you
> compromised the picture. If you can change the picture located at /boot,
> it means that you can compromise the booting parameters too.
>
> So if we take this road of removing bootloader's libs, shall we also
> remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too?
>
> I do understand the need for the application that runs under linux...
> but about the bootloaders...
>
> What are your thoughts about it?
> Would you agree on keeping syslinux untouched regarding the png lib?
>