Hi Jonas, hi Julien & others,

Jonas Meurer:
> I contact you as a member of the Debian LTS team regarding bug #826101 in
> Wheezy. The problem with metadata of embedded images in PDFs is known
> for several months now and despite an upstream fix being mentioned in
> the Debian bug report[1], there seems to be no upstream solution in sight
> anytime soon[2].
>
> I saw that you completely disabled PDF support from mat in unstable in
> the meantime to mitigate this security flaw.
>
> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
> to ask for your opinion here. Simply disabling PDF support from mat
> there has the big disadvantage of introducing a huge regression: one of
> the core features of mat would be disabled within a stable release.
> Usually, we try hard to avoid such regressions. But on the other hand,
> leaving people alone with an insecure and broken implementation of PDF
> metadata anonymisation is even worse in my eyes.
>
> So I suggest backporting your patch[3] to the Wheezy mat packages and
> putting a fat warning about the regression both in the changelog and the DLA.
>
> Do you (and others) agree with this plan?

For Wheezy: yes, let's do that without waiting.

For Jessie (and wheezy-backports), I wanted to wait a bit first to give
Julien (upstream) some time to fix the problem without disabling PDF
support, and in a way that we can backport to (at least) Jessie. If
there's no upstream fix available within a month from now, then I agree
we should go ahead and do that in Jessie too. Julien, any ETA?

> And would you like to take care of the upload to
> wheezy-security yourself?

I'm afraid I can't commit to any reasonable timeline to do this, so
please go ahead as part of the wheezy-lts work :)

Thanks for caring!

Cheers,
-- 
intrigeri