Hello mat package maintainers, hi intrigeri,

I contact you as a member of the Debian LTS team regarding bug #826101 in Wheezy.

The problem with metadata of embedded images in PDFs is known for several months now and despite an upstream fix being mentioned in the Debian bug report[1], there seems to be no upstream solution in sight anytime soon[2]. I saw that you completely disabled PDF support from mat in unstable in the meantime to mitigate this security flaw.

Now I wonder what to do with mat in Wheezy (and Jessie) and would like to ask for your opinion here.

Simply disabling PDF support from mat there has the big disadvantage of introducing a huge regression: one of the core features of mat would be disabled within a stable release. Usually, we try hard to avoid such regressions. But on the other hand, leaving people alone with an insecure and broken implementation of PDF metadata anonymisation is even worse in my eyes.

So I suggest backporting your patch[3] to the Wheezy mat packages and putting a fat warning about the regression both in the changelog and the DLA.

Do you (and others) agree with this plan? And would you like to take care of the upload to wheezy-security yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If you don't want to take care of this update, I could do the backport and upload as part of my LTS work. Just let me know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Jonas Meurer, on behalf of the Debian LTS team.

PS: If we agree on a solution, I intend to suggest to the Debian Security Team to apply the same to mat in Jessie.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826101#22
[2] https://labs.riseup.net/code/issues/11067
[3] https://anonscm.debian.org/cgit/pkg-privacy/packages/mat.git/commit/?id=a87b93e13c148479e376f028ec7185b935318b56