blob: ce7071997e6e4ecac344619e0ee432c888096dcc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] About syslinux & libpng
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3CCAL2JzuwCF4-kHgMzfsf8yVwJ_x5Dp7Sa%2BhZkJZJHNCDc1nk3bA%40mail.gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="008677.html">
<LINK REL="Next" HREF="008670.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] About syslinux & libpng</H1>
<B>Erwan Velu</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3CCAL2JzuwCF4-kHgMzfsf8yVwJ_x5Dp7Sa%2BhZkJZJHNCDc1nk3bA%40mail.gmail.com%3E"
TITLE="[Mageia-dev] About syslinux & libpng">erwanaliasr1 at gmail.com
</A><BR>
<I>Thu Oct 6 10:54:00 CEST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="008677.html">[Mageia-dev] ANN: kernel-3.1-rc9 landing...
</A></li>
<LI>Next message: <A HREF="008670.html">[Mageia-dev] About syslinux & libpng
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#8652">[ date ]</a>
<a href="thread.html#8652">[ thread ]</a>
<a href="subject.html#8652">[ subject ]</a>
<a href="author.html#8652">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>I think part of the point I noticed didn't got understood/seen by people
answering on this topic.
I'll rephrase my wondering differently.
Syslinux is a modern bootloader and use some libs (a zlib, a png one, a jpeg
one, maybe other ...).
The patch I was talking about is about to change the png lib with the main
argument about the security. A possible scenario with a png attack.
My point is that if we care about the security of the bootloaders regarding
this kind of scenario, our work is very partial.
If we want to stay consitent, we have to remove the jpeg lib too, the
compression libs also.
And this is true about all the other bootloaders. Did someone already
thought about managing the security of the builtin libs inside gfxboot ?
Do we care about the gunzip code of grub ?
Being that intrusive regarding the static inclusion of this libs inside the
bootloaders is just a work to report upstream and not the distro side.
Only focusing on changing the libpng or not of syslinux isn't enough....
Honestly, for me this really sounds like cutting hairs in 4 with a hammer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mageia-dev/attachments/20111006/354e3360/attachment.html>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="008677.html">[Mageia-dev] ANN: kernel-3.1-rc9 landing...
</A></li>
<LI>Next message: <A HREF="008670.html">[Mageia-dev] About syslinux & libpng
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#8652">[ date ]</a>
<a href="thread.html#8652">[ thread ]</a>
<a href="subject.html#8652">[ subject ]</a>
<a href="author.html#8652">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>
|
