[Mageia-dev] About syslinux & libpng

Erwan Velu erwanaliasr1 at gmail.com
Thu Oct 6 10:54:00 CEST 2011


I think part of the point I noticed didn't get understood/seen by people
answering on this topic.
I'll rephrase my wondering differently.

Syslinux is a modern bootloader and uses some libs (a zlib, a png one, a jpeg
one, maybe others ...).

The patch I was talking about is about to change the png lib with the main
argument about the security. A possible scenario with a png attack.

My point is that if we care about the security of the bootloaders regarding
this kind of scenario, our work is very partial.
If we want to stay consistent, we have to remove the jpeg lib too, the
compression libs also.

And this is true about all the other bootloaders. Did someone already
think about managing the security of the builtin libs inside gfxboot?
Do we care about the gunzip code of grub ?

Being that intrusive regarding the static inclusion of these libs inside the
bootloaders is just a work to report upstream and not the distro side.
Only focusing on changing the libpng or not of syslinux isn't enough...

Honestly, for me this really sounds like cutting hairs in 4 with a hammer.