Hi! > as you rely on MAT, the Metadata Anonymization Toolkit, I would like > to make you aware of a deficiency in MAT's current metadata removal > algorithm for PDF. In short, it is non-recursive. This means it cannot > remove metadata in images (and possibly other files) embedded in PDF > files. Be sure to re-check output files after using MAT.
Great that you've found this and sent your findings here. > htgoebel who discovered this bug reported it as a feature request in > early February <https://labs.riseup.net/code/issues/11067> but it > received no attention until I emailed jvoisin in early May. I've discovered this issue yesterday through the Debian bug report which has been opened: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826101 So the issue now seems to be correctly tracked. Looks like simply opening a feature request for something which is important might sometimes not be enough.. > Until this bug is fixed, htgoebel and I think it important to educate > Tails users about it. That is why we published an article about Tails, > MAT and this bug on the Digitalcourage website in English and German: > [en] > https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata > [de] > https://digitalcourage.de/blog/2016/sicherheitsluecke-in-mat-tails-wird-geschlossen I agree that we should inform users about this, I just wonder, if we want to do that in the our news? Should we point to this article in the upcoming monthly report? And as a follow-up question I'm now wondering about: do we want to add bug reporting guidelines for security researchers here: https://tails.boum.org/doc/first_steps/bug_reporting/index.en.html? Cheers! u. _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.