[syslinux] Security issues with SYSLINUX 2.01
H. Peter Anvin
hpa at zytor.com
Thu Feb 6 17:51:23 PST 2003
I have just received some audit info on the SYSLINUX 2.01 installer
running setuid. There seems to be some issues, and although I can fix
them easily enough I'm somewhat questioning the whole approach.
The other alternative would be to make the syslinux installer a wrapper
around mtools, and use mtools for the filesystem access. Since this
would be done entirely in userspace, as a normal user, there wouldn't be
any security issues with it.
The main problem with this is that mtools is *big*, about 120K worth of
code.
What do people think about this? I'd like to release a security-fixed
version tonight, since I'm leaving on a trip early tomorrow morning.
-hpa
More information about the Syslinux
mailing list