[Pkg-privacy-maintainers] Fixing MAT bug #826101 in Jessie [Was: mat bug #826101 in Wheezy (embedded images in PDFs)]

Moritz Muehlenhoff jmm at inutil.org
Mon Oct 24 12:03:08 UTC 2016


On Mon, Oct 24, 2016 at 01:49:14PM +0200, intrigeri wrote:
> Hi security team!
> 
> [dropping debian-lts at l.d.o from the list of recipients]
> 
> Context: this is about
> https://security-tracker.debian.org/tracker/TEMP-0826101-4D75EC
> that was "fixed" in sid and wheezy-security already.
> 
> intrigeri:
> > Jonas Meurer:
> >> On 22.09.2016 at 09:48, intrigeri wrote:
> >> As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
> >> wheezy-security, disabling PDF support altogether.
> 
> > Thanks!
> 
> >>> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> >>> give Julien (upstream) some time to fix the problem without disabling
> >>> PDF support, and in a way that we can backport to (at least) Jessie.
> >>> If there's no upstream fix available within a month from now, then
> >>> I agree we should go ahead and do that in Jessie too. Julien, any ETA?
> 
> >> Given that Julien didn't reply to your mail yet and it doesn't seem like
> >> a proper fix (e.g. a solution to anonymize metadata of embedded images
> >> in PDFs) is underway, I suggest to go ahead with the dirty - but secure
> >> - solution to disable PDF support at mat in Jessie as well.
> 
> > OK. I'd like to wait until the deadline I've set for Julien has been
> > reached (that's in 11 days now), and then I can handle it either via
> > DSA or jessie-pu, as the security team prefers.
> 
> I am preparing an updated package that disables PDF support for Jessie
> as we speak.
> 
> I see that you've tagged this problem no-dsa on the security tracker.
> 
> Is this final, and therefore I should talk to the release team about
> an upload to jessie-pu? Or is a DSA still an option?

If we only disable PDF support we can also issue a DSA, that allows us to
explicitly point that out.

Can you please send a debdiff before uploading?

Cheers,
        Moritz
