Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embedded images in PDFs)

Hi Jonas, hi Julien & others,

Jonas Meurer:
> I contact you as member of the Debian LTS team regarding bug #826101 in
> Wheezy. The problem with metadata of embedded images in PDFs is known
> for several months now and despite an upstream fix being mentioned in
> the Debian bug report[1], there seems to be no upstream solution in sight
> anytime soon[2].

> I saw that you completely disabled PDF support from mat in unstable in
> the meantime to mitigate this security flaw.

> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
> to ask for your opinion here. Simply disabling PDF support from mat
> there has the big disadvantage of introducing a huge regression: one of
> the core features of mat would be disabled within a stable release.
> Usually, we try hard to avoid such regressions. But on the other hand,
> leaving people alone with an insecure and broken implementation of PDF
> metadata anonymisation is even worse in my eyes.

> So I suggest backporting your patch[3] to the Wheezy mat packages and
> put a fat warning about the regression both in the changelog and the DLA.

> Do you (and others) agree with this plan?

For Wheezy: yes, let's do that without waiting.

For Jessie (and wheezy-backports), I wanted to wait a bit first to
give Julien (upstream) some time to fix the problem without disabling
PDF support, and in a way that we can backport to (at least) Jessie.
If there's no upstream fix available within a month from now, then
I agree we should go ahead and do that in Jessie too. Julien, any ETA?

> And would you like to take care of the upload to
> wheezy-security yourself?

I'm afraid I can't commit to any reasonable timeline to do this,
so please go ahead as part of the wheezy-lts work :)

Thanks for caring!
