Hi intrigeri,

Am 22.09.2016 um 09:48 schrieb intrigeri:
> Jonas Meurer:
>> I contact you as member of the Debian LTS team regarding bug #826101 in
>> Wheezy. The problem with metadata of embedded images in PDFs is known
>> for several months now and despite an upstream fix being mentioned in
>> the Debian bugreport[1], there seems to be no upstream solution in sight
>> anytime soon[2].
>> I saw that you completely disabled PDF support from mat in unstable in
>> the meantime to mitigate this security flaw.
>> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
>> to ask for your opinion here. Simply disabling PDF support from mat
>> there has the big disadvantage of introducing a huge regression: one of
>> the core features of mat would be disabled within a stable release.
>> Usually, we try hard to avoid such regressions. But on the other hand,
>> leaving people alone with an insecure and broken implementation of PDF
>> metadata anonymisation is even worse in my eyes.
>> So I suggest to backport your patch[3] to the Wheezy mat packages and
>> put a fat warning about the regression both in the changelog and the DLA.
>> Do you (and others) agree with this plan?
> For Wheezy: yes, let's do that without waiting.

As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
wheezy-security, disabling PDF support alltogether.

> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> give Julien (upstream) some time to fix the problem without disabling
> PDF support, and in a way that we can backport to (at least) Jessie.
> If there's no upstream fix available within a month from now, then
> I agree we should go ahead and do that in Jessie too. Julien, any ETA?

Given that Julien didn't reply to your mail yet and it doesn't seem like
a proper fix (e.g. a solution to anonymize metadata of embedded images
in PDFs) is underway, I suggest to go ahead with the dirty - but secure
- solution to disable PDF support at mat in Jessie as well.

@Security Team: I saw that mat was marked mat as 'no DSA' for Jessie. I
tend to disagree: the flaw in question is a severe security issue. Could
you reconsider an upload of mat to jessie-security that disables the PDF


Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to