Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)

To: intrigeri <intrigeri@debian.org>, julien.voisin@dustri.org
Cc: pkg-privacy-maintainers@lists.alioth.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
From: Jonas Meurer <jonas@freesources.org>
Date: Tue, 11 Oct 2016 11:21:11 +0200
Message-id: <[🔎] 5b51922f-389e-cd74-7a7a-6c5154dc4c68@freesources.org>
In-reply-to: <85wpi4z86j.fsf@boum.org>
References: <5e8a6f01-cf19-aeb2-dda0-acab03f543b2@freesources.org> <85wpi4z86j.fsf@boum.org>

Hi intrigeri,

Am 22.09.2016 um 09:48 schrieb intrigeri:
> Jonas Meurer:
>> I contact you as member of the Debian LTS team regarding bug #826101 in
>> Wheezy. The problem with metadata of embedded images in PDFs is known
>> for several months now and despite an upstream fix being mentioned in
>> the Debian bugreport[1], there seems to be no upstream solution in sight
>> anytime soon[2].
> 
>> I saw that you completely disabled PDF support from mat in unstable in
>> the meantime to mitigate this security flaw.
> 
>> Now I wonder what to do with mat in Wheezy (and Jessie) and would like
>> to ask for your opinion here. Simply disabling PDF support from mat
>> there has the big disadvantage of introducing a huge regression: one of
>> the core features of mat would be disabled within a stable release.
>> Usually, we try hard to avoid such regressions. But on the other hand,
>> leaving people alone with an insecure and broken implementation of PDF
>> metadata anonymisation is even worse in my eyes.
> 
>> So I suggest to backport your patch[3] to the Wheezy mat packages and
>> put a fat warning about the regression both in the changelog and the DLA.
> 
>> Do you (and others) agree with this plan?
> 
> For Wheezy: yes, let's do that without waiting.

As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
wheezy-security, disabling PDF support alltogether.

> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> give Julien (upstream) some time to fix the problem without disabling
> PDF support, and in a way that we can backport to (at least) Jessie.
> If there's no upstream fix available within a month from now, then
> I agree we should go ahead and do that in Jessie too. Julien, any ETA?

Given that Julien didn't reply to your mail yet and it doesn't seem like
a proper fix (e.g. a solution to anonymize metadata of embedded images
in PDFs) is underway, I suggest to go ahead with the dirty - but secure
- solution to disable PDF support at mat in Jessie as well.

@Security Team: I saw that mat was marked mat as 'no DSA' for Jessie. I
tend to disagree: the flaw in question is a severe security issue. Could
you reconsider an upload of mat to jessie-security that disables the PDF
support?

Cheers,
 jonas

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
  - From: intrigeri <intrigeri@debian.org>

Prev by Date: Re: inline gpg signatures from mutt
Next by Date: Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
Previous by thread: Re: inline gpg signatures from mutt
Next by thread: Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
Index(es):
- Date
- Thread