[Mageia-dev] About syslinux & libpng

Erwan Velu erwanaliasr1 at gmail.com
Thu Sep 29 20:41:41 CEST 2011


On 28/09/2011 22:13, D.Morgan wrote:
> On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu <erwanaliasr1 at gmail.com> wrote:
>> I'm currently updating Syslinux 4.04 and I'm currently facing a problem as,
>> historically speaking, we do replace the included libpng with the system one.
>>
>> The compilation process fails. I was wondering if we really consider
>> replacing the libpng of syslinux as a security issue.
>>
>> Sec team? What's your opinion on it?
>>
>> Cheers,
>>
> Hi,
>
> I put my security hat on: we prefer, when possible, to use the system libs.
> I have not looked, but which libpng is included?

It takes the libpng-source to replace the current syslinux code.

The point is syslinux is a bootloader that obviously doesn't share libs 
with the rest of the system.
Considering that we can attack the bootloader via a picture means you 
compromised the picture. If you can change the picture located at /boot, 
it means that you can compromise the booting parameters too.

So if we take this road of removing the bootloader's libs, shall we also 
remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too?

I do understand the need for the applications that run under Linux... 
but about the bootloaders...

What are your thoughts about it?
Would you agree on keeping syslinux untouched regarding the png lib?


