[Mageia-dev] About syslinux & libpng
Michael scherer
misc at zarb.org
Tue Oct 4 16:50:52 CEST 2011
On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote:
> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
>
> > Except if I start to replace this by "here is a nice syslinux boot image
> > with a duck". And then my code is run by syslinux, just because someone
> > took my png picture.
>
> And the same person could say, "Here is my cool plymouth splash screen, use my
> initrd", and there are 1000 easier ways to exploit this (than trying to
> generate a PNG image with exploit code that someone would like enough to use
> syslinux).
Sure, but we can also upload the pics on some gnome-art or something like that.
Now, if we consider every possible exploit requires opening a document as a non
problem, I guess it would surely reduce our workload on security issue, and
for sure enhance the confidence.
And while I was not aware of it when I wrote my mail, it already happened :
MDKSA-2006:210
--
Michael Scherer
More information about the Mageia-dev
mailing list