[Pkg-privacy-maintainers] Bug#858058: mat: "Clean metadata" contextual menu silently fails

intrigeri intrigeri at debian.org
Sat Mar 18 08:59:23 UTC 2017

Control: user tails-dev at boum.org
Control: usertag -1 + misc-reported
Control: usertag -1 + for-stretch


> Steps to reproduce in GNOME:

Good catch, thanks! Reproduced on current sid. The Journal tells me:

  org.gnome.Nautilus[5383]: Traceback (most recent call last):
  org.gnome.Nautilus[5383]:   File "/usr/share/nautilus-python/extensions/nautilus-mat.py", line 80, in menu_activate_cb
  org.gnome.Nautilus[5383]:     if file.is_gone():
  org.gnome.Nautilus[5383]: AttributeError: type object 'file' has no attribute 'is_gone'

The root cause of the problem seems obvious to me, and I'm working on
a fix upstream as we speak.

> I'm flagging this as "important" for the time being but I think that
> it's a serious security issue since people might got use to clean
> metadata from backup file in comparison with the version in Jessie. So,
> in my opinion, and if I understood correctly, this renders MAT useless
> for probably most of its actual uses.

It's not obvious to me that most MAT users use it via the Nautilus
contextual menu: the package also provides a CLI and a GUI, and not
everyone uses GNOME and Nautilus. So I'm a bit unsure about bumping
the severity to RC.

Now, on the grounds that it's a very real security issue, I will
definitely handle this with high priority (ensure 1. the new upstream
maintainer requests a CVE; 2. this is fixed in Stretch; 3.
counter-measures are put in place upstream and in Debian so this kind
of issues never lands into a released package anymore).


More information about the Pkg-privacy-maintainers mailing list