[Mageia-dev] About syslinux & libpng
Buchan Milne
bgmilne at staff.telkomsa.net
Tue Oct 4 11:30:29 CEST 2011
On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
> Except if I start to replace this by "here is a nice syslinux boot image
> with a duck". And then my code is run by syslinux, just because someone
> took my png picture.
And the same person could say, "Here is my cool plymouth splash screen, use my
initrd", and there are 1000 easier ways to exploit this (than trying to
generate a PNG image with exploit code that someone would like enough to use
syslinux).
<troll>
Maybe we need to adopt secure UEFI, and sign our kernels and initial ram disks
...
</troll>
> So no, bundling is not without causing trouble.
>
> > So if we take this road of removing bootloader's libs, shall we also
> > remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too
> > ?
> >
> > I do understand the need for the application that runs under linux...
> > but about the bootloaders...
>
> Unless I am wrong, a bootloader runs on ring 0 or can even (like xen)
> be used to run the kernel in a specific separate memory space (i.e.,
> virtualisation). This could open a whole new range of problems (like
> the Blue Pill concept code published 5 years ago by Joanna Rutkowska)
>
> So I think that bootloader requires more consideration than regular
> application.
>
> > What are your thoughts about it?
> > Would you agree on keeping syslinux untouched regarding the png lib?
>
> For reasons explained before, I would rather disagree.
But, users foolish enough to be tricked into booting malicious code can't
really be helped.
I think it would be better if syslinux was compatible with current upstream
libpng, so, if:
1) There is an upstream bug filed regarding support for current libpng
2) We have a registry of software building statically or with internal copies
of libraries, and syslinux is added with a reference to the upstream bug
then I think it is reasonable to build syslinux with internal libpng. Unless
you are going to mitigate *all* other attack vectors based on 'here, boot my
random binaries on your system'.
Regards,
Buchan