Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 2 Jun 2016 10:33:28 +0000
From: Holger Levsen <holger@...er-acht.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: mat doesn't remove metadata in embedded images in PDFs

Hi,

https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
explains how mat fails to do what it's supposed to do, namely removing
embedded meta data. The bug is that it doesnt remove metadata from images
embedded in PDFs (while it does remove metadata from PDFs and from
images…)

So basically the core feature of mat is partly broken :/ So I think this
warrants a CVE as IMHO this ain't just a missing feature and folks on
the #debian-security IRC channel agreed.

This issue is being tracked by it's developers as
https://labs.riseup.net/code/issues/11067 and in Debian as
https://bugs.debian.org/826101 and affects all versions of mat and is
not fixed anywhere yet.

Could a CVE please be assigned to this issue?
 
Also I wonder if similar bugs happen with other recursive formats, like an
OpenDocument text embedding an image or embedding a pdf embedding an
image or a zip file containing a zip file containing a .odt file
containing an pdf containing an image…


-- 
thanks,
	Holger (not subscribed to the list, please cc: me on replies.)

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.