[Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
Jonas Meurer
jonas at freesources.org
Tue Oct 11 09:21:11 UTC 2016
Hi intrigeri,
On 22.09.2016 at 09:48, intrigeri wrote:
> Jonas Meurer:
>> I am contacting you as a member of the Debian LTS team regarding bug #826101 in
>> Wheezy. The problem with metadata of embedded images in PDFs is known
>> for several months now and despite an upstream fix being mentioned in
>> the Debian bug report[1], there seems to be no upstream solution in sight
>> anytime soon[2].
>
>> I saw that you completely disabled PDF support from mat in unstable in
>> the meantime to mitigate this security flaw.
>
>> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
>> to ask for your opinion here. Simply disabling PDF support from mat
>> there has the big disadvantage of introducing a huge regression: one of
>> the core features of mat would be disabled within a stable release.
>> Usually, we try hard to avoid such regressions. But on the other hand,
>> leaving people alone with an insecure and broken implementation of PDF
>> metadata anonymisation is even worse in my eyes.
>
>> So I suggest backporting your patch[3] to the Wheezy mat packages and
>> putting a fat warning about the regression both in the changelog and the DLA.
>
>> Do you (and others) agree with this plan?
>
> For Wheezy: yes, let's do that without waiting.
As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
wheezy-security, disabling PDF support altogether.
> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> give Julien (upstream) some time to fix the problem without disabling
> PDF support, and in a way that we can backport to (at least) Jessie.
> If there's no upstream fix available within a month from now, then
> I agree we should go ahead and do that in Jessie too. Julien, any ETA?
Given that Julien didn't reply to your mail yet and it doesn't seem like
a proper fix (e.g. a solution to anonymize metadata of embedded images
in PDFs) is underway, I suggest going ahead with the dirty (but secure)
solution of disabling PDF support in mat in Jessie as well.
@Security Team: I saw that mat was marked as 'no DSA' for Jessie. I
tend to disagree: the flaw in question is a severe security issue. Could
you reconsider an upload of mat to jessie-security that disables the PDF
support?
Cheers,
jonas
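The flaw behind this thread is that a PDF "anonymised" by mat could still carry the metadata of the images embedded in it. The following scanner is an added example for checking a PDF for exactly that leftover; it is not code from mat, from upstream or from Debian. It walks the raw PDF bytes for image XObjects stored with /Filter /DCTDecode (JPEG data kept verbatim inside the PDF) and parses the JPEG marker segments for an APP1/Exif block. It assumes the objects are stored plainly (it does not decompress object streams or Flate-wrapped images) and covers only JPEG/Exif, not other image formats or metadata schemes; the sample PDF, the `build_sample_pdf` helper and the object numbers are constructed here for the demonstration.

```python
"""Check whether a PDF still carries Exif metadata inside embedded JPEG images.

Added example for the mat bug discussed above (embedded-image metadata left
intact). Not code from mat, upstream or Debian. Works on raw PDF bytes without
a PDF library, so it only sees image streams stored plainly, not inside
compressed object streams. The sample PDF below is constructed inline.
"""
import re

SOI = b"\xff\xd8"
APP1 = 0xE1
EXIF_HEADER = b"Exif\x00\x00"

# "N G obj << ... >> stream ... endstream": the dictionary may not cross an
# "endobj", so an object without a stream never swallows the next object.
_STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)


def jpeg_exif_segments(data: bytes) -> list:
    """Return the payloads of all APP1/Exif segments in a JPEG byte string."""
    if not data.startswith(SOI):
        return []
    found = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: no more header segments
            break
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            found.append(payload)
        pos += 2 + length
    return found


def find_exif_in_pdf(pdf: bytes) -> list:
    """Return (object number, Exif payload) pairs for every DCTDecode image
    XObject whose JPEG data still contains an APP1/Exif segment."""
    hits = []
    for m in _STREAM_OBJ_RE.finditer(pdf):
        objnum, _gen, dictionary, stream = m.groups()
        if b"/DCTDecode" not in dictionary:
            continue
        for payload in jpeg_exif_segments(stream):
            hits.append((int(objnum), payload))
    return hits


# --- constructed sample data (hypothetical, for the demonstration only) ---

def _build_exif_jpeg() -> bytes:
    """SOI, one APP1/Exif segment holding a minimal TIFF header, EOI.
    Enough for the scanner; not a decodable picture."""
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00\x00"   # little-endian TIFF, empty IFD0
    payload = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([APP1]) + (len(payload) + 2).to_bytes(2, "big") + payload
    return SOI + app1 + b"\xff\xd9"


def _build_plain_jpeg() -> bytes:
    """Same skeleton with no APP1 segment at all."""
    return SOI + b"\xff\xd9"


def build_sample_pdf(images: dict) -> bytes:
    """Constructed single-page PDF embedding the given {name: jpeg_bytes} as
    DCTDecode image XObjects; images become objects 4, 5, ... in dict order."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 100 100] >>",
    ]
    for jpeg in images.values():
        dictionary = (b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                      b"/ColorSpace /DeviceRGB /BitsPerComponent 8 "
                      b"/Filter /DCTDecode /Length " + str(len(jpeg)).encode() + b" >>")
        objs.append(dictionary + b"\nstream\n" + jpeg + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, start=1):
        out += str(i).encode() + b" 0 obj\n" + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf({"exif": _build_exif_jpeg(), "clean": _build_plain_jpeg()})

if __name__ == "__main__":
    for objnum, payload in find_exif_in_pdf(SAMPLE_PDF):
        print(f"object {objnum}: embedded JPEG still carries Exif ({len(payload)} bytes)")
```

Run against a PDF that mat has processed: any hit means the embedded image's metadata survived and the document is not clean. A clean result from this check is not proof of the opposite, since it ignores compressed object streams and non-JPEG images.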