On 28/09/2011 22:13, D.Morgan wrote:
On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<[email protected]> wrote:
I'm currently updating Syslinux 4.04 and I'm facing trouble as,
historically speaking, we do replace the included libpng with the system one.
The compilation process fails. I was wondering if we really consider
replacing the libpng of syslinux as a security issue.
Sec team? What's your opinion on it?
Cheers,
Hi,
I put my security hat on: we prefer, when possible, to use the system libs.
I have not looked, but which libpng is included?
It takes the libpng-source to replace the current syslinux code.
The point is syslinux is a bootloader that obviously doesn't share libs
with the rest of the system.
Considering that we can attack the bootloader via a picture means you
compromised the picture. If you can change the picture located at /boot,
it means that you can compromise the booting parameters too.
So if we take this road of removing bootloader's libs, shall we also
remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too?
I do understand the need for the application that runs under linux...
but about the bootloaders...
What are your thoughts about it?
Would you agree on keeping syslinux untouched regarding the png lib?