Date: Thu, 2 Jun 2016 10:33:28 +0000 From: Holger Levsen <holger@...er-acht.org> To: oss-security@...ts.openwall.com Subject: CVE request: mat doesn't remove metadata in embedded images in PDFs Hi, https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata explains how mat fails to do what it's supposed to do, namely removing embedded meta data. The bug is that it doesnt remove metadata from images embedded in PDFs (while it does remove metadata from PDFs and from images…) So basically the core feature of mat is partly broken :/ So I think this warrants a CVE as IMHO this ain't just a missing feature and folks on the #debian-security IRC channel agreed. This issue is being tracked by it's developers as https://labs.riseup.net/code/issues/11067 and in Debian as https://bugs.debian.org/826101 and affects all versions of mat and is not fixed anywhere yet. Could a CVE please be assigned to this issue? Also I wonder if similar bugs happen with other recursive formats, like an OpenDocument text embedding an image or embedding a pdf embedding an image or a zip file containing a zip file containing a .odt file containing an pdf containing an image… -- thanks, Holger (not subscribed to the list, please cc: me on replies.) Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ