Hello mat package maintainers, hi intrigeri,

I contact you as member of the Debian LTS team regarding bug #826101 in
Wheezy. The problem with metadata of embedded images in PDFs is known
for several months now and despite an upstream fix being mentioned in
the Debian bugreport[1], there seems to be no upstream solution in sight
anytime soon[2].

I saw that you completely disabled PDF support from mat in unstable in
the meantime to mitigate this security flaw.

Now I wonder what to do with mat in Wheezy (and Jessie) and would like
to ask for your opinion here. Simply disabling PDF support from mat
there has the big disadvantage of introducing a huge regression: one of
the core features of mat would be disabled within a stable release.
Usually, we try hard to avoid such regressions. But on the other hand,
leaving people alone with an insecure and broken implementation of PDF
metadata anonymisation is even worse in my eyes.

So I suggest to backport your patch[3] to the Wheezy mat packages and
put a fat warning about the regression both in the changelog and the DLA.

Do you (and others) agree with this plan? And would you like to take
care of the upload to wheezy-security yourself? If yes, please follow
the workflow we have defined here:

https://wiki.debian.org/LTS/Development

If you don't want to take care of this update, I could do the backport
and upload as part of my LTS work. Just let me know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Jonas Meurer,
  on behalf of the Debian LTS team.

PS: If we agree on a solution, I intend suggest to the Debian Security
Team to apply the same to mat in Jessie.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826101#22
[2] https://labs.riseup.net/code/issues/11067
[3]
https://anonscm.debian.org/cgit/pkg-privacy/packages/mat.git/commit/?id=a87b93e13c148479e376f028ec7185b935318b56

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to