[Mageia-dev] About syslinux & libpng

Funda Wang fundawang at gmail.com
Fri Sep 30 02:06:04 CEST 2011


It seems we are the only distros (with Mandriva) building syslinux with
system libpng.
On 2011-9-30 at 2:41 AM, "Erwan Velu" <erwanaliasr1 at gmail.com> wrote:
> Le 28/09/2011 22:13, D.Morgan a écrit :
>> On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu <erwanaliasr1 at gmail.com> wrote:
>>> I'm currently updating Syslinux 4.04 and I'm currently facing a trouble as,
>>> historically speaking, we do remove the included libpng by the system one.
>>>
>>> The compilation process fails. I was wondering if we really consider
>>> replacing the libpng of syslinux as a security issue.
>>>
>>> Sec team ? What's your opinion on it ?
>>>
>>> Cheers,
>>>
>> hi,
>>
>> i take my security hat on, we prefer when possible when we use the system libs.
>> i have not looked but which libpng is included ?
>
> It takes the libpng-source to replace the current syslinux code.
>
> The point is syslinux is a bootloader that obviously doesn't share libs
> with the rest of the system.
> Considering that we can attack the bootloader via a picture means you
> compromised the picture. If you can change the picture located at /boot,
> means that you can compromise the booting parameters too.
>
> So if we take this road of removing bootloader's libs, shall we also
> remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too ?
>
> I do understand the need for the application that runs under linux...
> but about the bootloaders...
>
> What are your thoughts about it ?
> Would you agree on keeping syslinux untouched regarding the png lib ?
>