On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote: > On Monday, 3 October 2011 15:58:36 Michael Scherer wrote: > > > Except if I start to replace this by "here is a nice syslinux boot image > > with a duck". And then my code is run by syslinux, just because someone > > took my png picture. > > And the same person could say, "Here is my cool plymouth splash screen, use > my > initrd", and there are 1000 easier ways to exploit this (than trying to > generate a PNG image with exploit code that someone would like enough to use > syslinux).
Sure, but we can also upload the pics on some gnome-art or something like that. Now, if we consider every possible exploit requires opening a document as a non problem, I guess it would surely reduce our workload on security issue, and for sure enhance the confidence. And while I was not aware of it when I wrote my mail, it already happened : MDKSA-2006:210 -- Michael Scherer
