Hi Jonas, hi Julien & others,
> I contact you as a member of the Debian LTS team regarding bug #826101 in
> Wheezy. The problem with metadata of embedded images in PDFs is known
> for several months now and despite an upstream fix being mentioned in
> the Debian bug report, there seems to be no upstream solution in sight
> anytime soon.
> I saw that you completely disabled PDF support from mat in unstable in
> the meantime to mitigate this security flaw.
> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
> to ask for your opinion here. Simply disabling PDF support from mat
> there has the big disadvantage of introducing a huge regression: one of
> the core features of mat would be disabled within a stable release.
> Usually, we try hard to avoid such regressions. But on the other hand,
> leaving people alone with an insecure and broken implementation of PDF
> metadata anonymisation is even worse in my eyes.
> So I suggest backporting your patch to the Wheezy mat packages and
> putting a fat warning about the regression both in the changelog and the DLA.
> Do you (and others) agree with this plan?
For Wheezy: yes, let's do that without waiting.
For Jessie (and wheezy-backports), I wanted to wait a bit first to
give Julien (upstream) some time to fix the problem without disabling
PDF support, and in a way that we can backport to (at least) Jessie.
If there's no upstream fix available within a month from now, then
I agree we should go ahead and do that in Jessie too. Julien, any ETA?
> And would you like to take care of the upload to
> wheezy-security yourself?
I'm afraid I can't commit to any reasonable timeline to do this,
so please go ahead as part of the wheezy-lts work :)
Thanks for caring!