path: root/zarb-ml/mageia-dev/attachments/20111006/354e3360/attachment.html
I think part of the point I noticed didn't get understood/seen by people answering on this topic.<br>I'll rephrase my wondering differently.<br><br>Syslinux is a modern bootloader and uses some libs (a zlib, a png one, a jpeg one, maybe others...).<br>
<br>The patch I was talking about is about to change the png lib with the main argument about the security. A possible scenario with a png attack.<br><br>My point is that if we care about the security of the bootloaders regarding this kind of scenario, our work is very partial.<br>
If we want to stay consistent, we have to remove the jpeg lib too, the compression libs also.<br><br>And this is true about all the other bootloaders. Did someone already think about managing the security of the builtin libs inside gfxboot?<br>
Do we care about the gunzip code of grub?<br><br>Being that intrusive regarding the static inclusion of these libs inside the bootloaders is just work to report upstream and not the distro side.<br>Only focusing on changing the libpng or not of syslinux isn't enough....<br>
<br>Honestly, for me this really sounds like cutting hairs in 4 with a hammer.<br>