[Mageia-dev] About syslinux & libpng

Michael Scherer misc at zarb.org
Thu Oct 6 00:53:56 CEST 2011 

Le mardi 04 octobre 2011 à 17:24 +0200, Guillaume Rousse a écrit :
> Le 04/10/2011 16:50, Michael scherer a écrit :
> > On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote:
> >> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
> >>
> >>> Except if I start to replace this by "here is a nice syslinux boot image
> >>> with a duck". And then my code is run by syslinux, just because someone
> >>> took my png picture.
> >>
> >> And the same person could say, "Here is my cool plymouth splash screen, use my
> >> initrd", and there are 1000 easier ways to exploit this (than trying to
> >> generate a PNG image with exploit code that someone would like enough to use
> >> syslinux).
> >
> > Sure, but we can also upload the pics on some gnome-art or something like that.
> >
> > Now, if we consider every possible exploit requires opening a document as a non
> > problem, I guess it would surely reduce our workload on security issue, and
> > for sure enhance the confidence.
> Those situations are not really comparable. Opening a document with the 
> corresponding application is a normal usage scenario, whereas 
> configuring the boot process is a system administration scenario, 
> requiring explicit context change.

This depend on the ease of use. If we have something easy to use to
change the boot process, I would not consider that as a system
administration task ( at least, that's not what i do as a sysadmin most
of the time ).

And the question is that if we start to have exception for boot process
because that's too complex to do, and because there is likely no
problem, we are just being lazy. That would not be the first time, nor
the last, and I do not think we will get ride of bundled libraries
( since more expert community with more people have trouble to do that,
and we already traded sanity for convenience the day we packaged firefox
and chrome ), but not even trying will just make things worst in the
future.

> > And while I was not aware of it when I wrote my mail, it already happened :
> >
> > MDKSA-2006:210
> Nobody said it didn't happened, just than forcing build against system 
> version of the library would requires more effort right now, without 
> avoiding the need to also rebuild syslinux in case of vulnerability in 
> libpng, as it is statically linked. It would just make easier to track 
> vulnerability by having a single version, and avoid to patch twice.

Which is already useful by itself. 

If it requires more work for now, that's also because everybody think
"someone else should do it, I will see later". Maybe next time, we
should not push a newer version of anything, and let the other do the
work. This worked fine for Mageia 1, this worked fine for Debian, so
maybe we could just go that way if that's easier. 

But in the same time pushing latest version of low level and higher
level component and then complain this make work is just wrong.

Packager like to push newer stuff, except when it mean work for them
( like mass rebuild and fixing, like gnutls, libpng, python ). That's
not consistent.
-- 
Michael Scherer

More information about the Mageia-dev mailing list