[Mageia-dev] About syslinux & libpng

Michael Scherer misc at zarb.org
Mon Oct 3 15:58:36 CEST 2011


On Thursday 29 September 2011 at 20:41 +0200, Erwan Velu wrote:
> On 28/09/2011 22:13, D.Morgan wrote:
> > On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<erwanaliasr1 at gmail.com>  wrote:
> >> I'm currently updating Syslinux 4.04 and I'm facing a problem, as,
> >> historically speaking, we replace the included libpng with the system one.
> >>
> >> The compilation process fails. I was wondering if we really consider
> >> replacing the libpng of syslinux as a security issue.
> >>
> >> Sec team ? What's your opinion on it ?
> >>
> >> Cheers,
> >>
> > hi,
> >
> > With my security hat on, we prefer, when possible, to use the system libs.
> > I have not looked, but which libpng is included?
> 
> It takes the libpng source to replace the current syslinux code.
> 
> The point is that syslinux is a bootloader that obviously doesn't share libs 
> with the rest of the system.
> Being able to attack the bootloader via a picture means you have 
> compromised the picture. If you can change the picture located in /boot, 
> it means you can compromise the boot parameters too.

No, that's not the way it works.

The problem with bundling libpng is the following:
- imagine there is a security issue in libpng (as there has been in the past,
and as has happened with libz, or others). Let's suppose also that the
problem is a simple buffer overflow. So, using this buffer overflow,
someone reading an image would trigger the error, which could be crafted to
overwrite the stack and inject code into the process.

So if the error is not fixed, I can simply say on irc : "oh, here is a
picture of a cute duck on http://example.org/~misc/duck.png". You
download, you execute my code, you have lost. 

But since the libpng would be fixed, this would not work. Except that we
cannot guarantee that it is fixed everywhere. 

Except if I start to replace this with "here is a nice syslinux boot image
with a duck". And then my code is run by syslinux, just because someone
took my png picture. 

So no, bundling is not without causing trouble. 

> So if we take this road of removing bootloader's libs, shall we also 
> remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too ?

> I do understand the need for the application that runs under linux... 
> but about the bootloaders...

Unless I am wrong, a bootloader runs in ring 0 or can even (like xen)
be used to run the kernel in a specific separate memory space (i.e.,
virtualisation). This could open a whole new range of problems (like
the Blue Pill concept code published 5 years ago by Joanna Rutkowska).

So I think that bootloader requires more consideration than regular
application. 

> What's your thoughts about it ?
> Would you agree on keeping syslinux untouched regarding the png lib?

For reasons explained before, I would rather disagree.


-- 
Michael Scherer

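The scenario Michael describes, a decoder that trusts an attacker-supplied length field, is the classic shape of image-parser overflows. The following is an added example (not code from the Mageia thread, from syslinux or from libpng): a minimal PNG chunk walker that validates every chunk length against the PNG limit and against the bytes actually present, and checks the CRC, before any chunk data is touched. The sample PNG (a 1x1 greyscale header with no IDAT) is constructed in code rather than loaded from a file, and the CRC routine is the standard CRC-32 that PNG uses; all function and error names are this example's own.

```c
/* Added example (not from the Mageia thread, syslinux or libpng):
 * a PNG chunk walker that refuses to trust the length field until it has
 * been checked.  A naive decoder that does "memcpy(fixed_buf, data, len)"
 * with the on-disk len is exactly what a crafted duck.png would abuse. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum {
    PNG_OK         =  0,
    PNG_ERR_SIG    = -1,  /* bad 8-byte signature */
    PNG_ERR_TRUNC  = -2,  /* chunk claims more bytes than remain */
    PNG_ERR_LENGTH = -3,  /* length above the PNG limit of 2^31-1 */
    PNG_ERR_CRC    = -4,  /* CRC mismatch over type + data */
    PNG_ERR_ORDER  = -5,  /* first chunk is not a 13-byte IHDR */
    PNG_ERR_NOEND  = -6   /* stream ended without an IEND chunk */
};

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* CRC-32 as used by PNG (reflected, polynomial 0xEDB88320), bitwise. */
uint32_t crc32_png(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Walk the chunk list.  Every length is bounded by the spec limit and by
 * the bytes we actually hold before the data or CRC is read. */
int png_validate(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, png_sig, 8) != 0)
        return PNG_ERR_SIG;
    size_t off = 8;
    int first = 1;
    for (;;) {
        if (off == len)                    /* ran out without seeing IEND */
            return PNG_ERR_NOEND;
        if (len - off < 12)                /* length + type + crc minimum */
            return PNG_ERR_TRUNC;
        uint32_t clen = be32(buf + off);
        if (clen > 0x7FFFFFFFu)            /* PNG caps chunk length at 2^31-1 */
            return PNG_ERR_LENGTH;
        if (clen > len - off - 12)         /* data + crc must fit what we have */
            return PNG_ERR_TRUNC;
        const uint8_t *type = buf + off + 4;
        if (crc32_png(type, 4 + clen) != be32(type + 4 + clen))
            return PNG_ERR_CRC;
        if (first && (clen != 13 || memcmp(type, "IHDR", 4) != 0))
            return PNG_ERR_ORDER;
        first = 0;
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0)
            return PNG_OK;
    }
}

/* Constructed sample: signature, a 1x1 8-bit greyscale IHDR, then IEND.
 * It has no IDAT, so it exercises the walker but is not a decodable image.
 * Returns the number of bytes written, 0 if the buffer is too small. */
size_t build_sample_png(uint8_t *out, size_t cap) {
    static const uint8_t ihdr[13] = {0, 0, 0, 1,  0, 0, 0, 1,  8, 0, 0, 0, 0};
    size_t need = 8 + (12 + 13) + 12;
    if (cap < need) return 0;
    uint8_t *p = out;
    memcpy(p, png_sig, 8); p += 8;
    put_be32(p, 13); memcpy(p + 4, "IHDR", 4); memcpy(p + 8, ihdr, 13);
    put_be32(p + 21, crc32_png(p + 4, 17)); p += 25;
    put_be32(p, 0); memcpy(p + 4, "IEND", 4);
    put_be32(p + 8, crc32_png(p + 4, 4)); p += 12;
    return (size_t)(p - out);
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_sample_png(buf, sizeof buf);
    printf("well-formed sample: %d\n", png_validate(buf, n));
    put_be32(buf + 8, 0xFFFFFFFFu);   /* crafted IHDR length, as an attacker would */
    printf("oversized length:   %d\n", png_validate(buf, n));
    return 0;
}
```

The two bounds checks are the whole point: the spec limit stops a length that would overflow arithmetic on 32-bit builds such as a bootloader's com32 modules, and the remaining-bytes check stops a length that merely exceeds the file. Both must hold before the CRC is computed, since the CRC read itself indexes by the untrusted length.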

