Hi intrigeri,

On 22.09.2016 at 09:48, intrigeri wrote:
> Jonas Meurer:
>> I contact you as member of the Debian LTS team regarding bug #826101 in
>> Wheezy. The problem with metadata of embedded images in PDFs is known
>> for several months now and despite an upstream fix being mentioned in
>> the Debian bugreport[1], there seems to be no upstream solution in sight
>> anytime soon[2].
>
>> I saw that you completely disabled PDF support from mat in unstable in
>> the meantime to mitigate this security flaw.
>
>> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
>> to ask for your opinion here. Simply disabling PDF support from mat
>> there has the big disadvantage of introducing a huge regression: one of
>> the core features of mat would be disabled within a stable release.
>> Usually, we try hard to avoid such regressions. But on the other hand,
>> leaving people alone with an insecure and broken implementation of PDF
>> metadata anonymisation is even worse in my eyes.
>
>> So I suggest to backport your patch[3] to the Wheezy mat packages and
>> put a fat warning about the regression both in the changelog and the DLA.
>
>> Do you (and others) agree with this plan?
>
> For Wheezy: yes, let's do that without waiting.

As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
wheezy-security, disabling PDF support altogether.

> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> give Julien (upstream) some time to fix the problem without disabling
> PDF support, and in a way that we can backport to (at least) Jessie.
> If there's no upstream fix available within a month from now, then
> I agree we should go ahead and do that in Jessie too. Julien, any ETA?

Given that Julien didn't reply to your mail yet and it doesn't seem like a
proper fix (e.g. a solution to anonymize metadata of embedded images in
PDFs) is underway, I suggest to go ahead with the dirty - but secure -
solution to disable PDF support at mat in Jessie as well.

@Security Team: I saw that mat was marked as 'no DSA' for Jessie. I tend
to disagree: the flaw in question is a severe security issue. Could you
reconsider an upload of mat to jessie-security that disables the PDF
support?

Cheers,
 jonas
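The flaw discussed in this thread is that metadata inside images embedded in a PDF survives the PDF-level cleaning. The following is an added example, not code from mat or from anyone in the thread: a small checker that scans a PDF's image XObjects for leftover EXIF/XMP/ICC markers, so a user can verify whether a "cleaned" PDF still leaks. It assumes uncompressed or DCTDecode (JPEG) image streams; images wrapped in FlateDecode or object streams are not inspected, and the one-object PDF it builds is constructed for the demonstration.

```python
import re

# Constructed JPEG: SOI, an APP1 "Exif" segment with a bare TIFF header, EOI.
# This is what an image straight from a camera or phone typically carries.
JPEG_WITH_EXIF = (
    b"\xff\xd8"                        # SOI
    b"\xff\xe1\x00\x10Exif\x00\x00"    # APP1 marker, segment length 16, Exif header
    b"MM\x00\x2a\x00\x00\x00\x08"      # TIFF header (big-endian, IFD0 at offset 8)
    b"\xff\xd9"                        # EOI
)


def make_pdf(image_bytes: bytes) -> bytes:
    """Build a minimal PDF with one DCTDecode image XObject (constructed sample)."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode "
        b"/Length " + str(len(image_bytes)).encode() + b" >>\nstream\n"
        + image_bytes + b"\nendstream\nendobj\n"
        b"2 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 2 0 R >>\n%%EOF\n"
    )


# Heuristic object matcher: "N G obj << dict >> stream ... endstream".
IMAGE_OBJ = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Byte signatures of metadata containers that mat's PDF cleaning left untouched.
MARKERS = {
    "exif": re.compile(rb"Exif\x00\x00"),
    "xmp": re.compile(rb"<x:xmpmeta|http://ns\.adobe\.com/xap/1\.0/"),
    "icc/photoshop": re.compile(rb"ICC_PROFILE|Photoshop 3\.0"),
}


def find_image_metadata(pdf: bytes) -> list:
    """Return [(object number, [marker names])] for every image XObject whose
    raw stream still contains an embedded-metadata marker."""
    findings = []
    for m in IMAGE_OBJ.finditer(pdf):
        objnum, dictionary, stream = m.group(1), m.group(2), m.group(3)
        if not re.search(rb"/Subtype\s*/Image", dictionary):
            continue
        hits = [name for name, rx in MARKERS.items() if rx.search(stream)]
        if hits:
            findings.append((int(objnum), hits))
    return findings


if __name__ == "__main__":
    print(find_image_metadata(make_pdf(JPEG_WITH_EXIF)))  # [(1, ['exif'])]
```

A non-empty result means the document must not be considered anonymised, regardless of what the PDF-level /Info and XMP dictionaries look like.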