Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Tue, 8 Nov 2016 10:48:31 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request: mat doesn't remove metadata in embedded images in PDFs

Hi,

On Thu, Jun 02, 2016 at 06:02:40PM +0000, Holger Levsen wrote:
> On Thu, Jun 02, 2016 at 12:21:34PM -0400, cve-assign@...re.org wrote:
> > We think you mean that a CVE ID can exist with the rationale of:
> > 
> >   - as of version 0.7, there will be a required security update in
> >     which the embedded-in-a-PDF security problem is resolved
> > 
> >   - the CVE ID is needed to tag that required security update
> > 
> >   - as of version 0.7, the https://mat.boum.org/ text may be changed
> >     from "images embedded inside PDF may not be cleaned" to something
> >     like "images embedded inside complex documents may not be cleaned,
> >     but users can rely on cleaning in the specific case of PDF
> >     documents"
> > 
> > Does that match your intention for the CVE ID?
> 
> yes.
> 
> Though I disagree with the 3rd paragraph a bit, I don't think it's that
> hard to recursively process files, e.g. both
> https://tracker.debian.org/pkg/strip-nondeterminism (in perl) and
> https://tracker.debian.org/pkg/diffoscope (in python) do that.

FTR, in Debian for both Debian wheezy and Debian jessie the support
for PDF was disabled entirely:

https://lists.debian.org/debian-lts-announce/2016/10/msg00006.html
https://lists.debian.org/debian-security-announce/2016/msg00291.html

Regards,
Salvatore
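The thread above turns on one check: does an image embedded in a PDF still carry its own metadata after the container was "cleaned"? The following is an added example written for this page; it is not MAT's code, nor anything from the Debian packages linked above. It walks a PDF's indirect objects, picks out image XObjects stored with /DCTDecode (JPEG), and reports whether the JPEG payload still has an EXIF or XMP APP1 segment or a COM segment, or whether the XObject points at its own /Metadata stream. The PDF it scans and the two JPEG fixtures are constructed inline. Assumptions to keep in mind: it only understands plain, uncompressed object syntax (no /ObjStm object streams, no cross-reference streams), so an image whose dictionary lives inside an object stream would be missed; it handles the common filter chains /DCTDecode and [/FlateDecode /DCTDecode] and ignores JPXDecode and raw-sample images. It is a detector, not a cleaner: the point is to verify a tool's claim, not to replace it.

```python
"""Detect metadata left inside JPEG images embedded in a PDF.

Added example for this thread, not MAT's or Debian's code. Assumes
uncompressed PDF object syntax (no /ObjStm, no xref streams).
"""
from __future__ import annotations
import re
import zlib

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed JPEG fixtures: a JFIF header, optional metadata segments, a fake
# SOS segment with a few bytes of "entropy data", then EOI. Enough for a
# segment walker; no decoder would render them.
JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF_APP1 = _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"\x00" * 8)
XMP_APP1 = _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
COMMENT = _segment(0xFE, b"Shot on a constructed camera")
SOS_AND_DATA = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
TAINTED_JPEG = SOI + JFIF + EXIF_APP1 + XMP_APP1 + COMMENT + SOS_AND_DATA + EOI
CLEAN_JPEG = SOI + JFIF + SOS_AND_DATA + EOI


def jpeg_metadata_segments(jpeg: bytes) -> list[str]:
    """Walk the marker segments before SOS and name those that carry metadata."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG stream")
    found: list[str] = []
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more header segments
            break
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if length < 2:  # malformed length would loop forever
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF")
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            found.append("XMP")
        elif marker == 0xFE:
            found.append("COM")
        pos += 2 + length
    return found


# "N G obj ... endobj", then inside it "<< dict >> stream ... endstream".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"\s*(<<.*?>>)\s*stream\r?\n(.*)\r?\nendstream\s*$", re.S)


def scan_pdf(data: bytes) -> list[tuple[int, list[str]]]:
    """Return (object number, findings) for each DCTDecode image XObject that
    still carries EXIF/XMP/COM in its JPEG or references a /Metadata stream."""
    hits: list[tuple[int, list[str]]] = []
    for m in OBJ_RE.finditer(data):
        sm = STREAM_RE.match(m.group(3))
        if not sm:
            continue
        dictionary, payload = sm.group(1), sm.group(2)
        if not re.search(rb"/Subtype\s*/Image", dictionary) or b"/DCTDecode" not in dictionary:
            continue
        if b"/FlateDecode" in dictionary:
            payload = zlib.decompress(payload)  # chain [/FlateDecode /DCTDecode]
        findings = jpeg_metadata_segments(payload)
        if re.search(rb"/Metadata\s+\d+\s+\d+\s+R", dictionary):
            findings.append("XObject /Metadata stream")
        if findings:
            hits.append((int(m.group(1)), findings))
    return hits


def build_sample_pdf(jpeg: bytes, flate: bool = False) -> bytes:
    """Constructed one-page PDF drawing one image XObject (object 4)."""
    payload, filt = (zlib.compress(jpeg), b"[/FlateDecode /DCTDecode]") if flate else (jpeg, b"/DCTDecode")
    content = b"q 200 0 0 200 0 0 cm /Im0 Do Q"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB "
        b"/BitsPerComponent 8 /Filter %s /Length %d >>\nstream\n" % (filt, len(payload))
        + payload + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    for name, jpeg in (("tainted", TAINTED_JPEG), ("clean", CLEAN_JPEG)):
        print(name, scan_pdf(build_sample_pdf(jpeg)), scan_pdf(build_sample_pdf(jpeg, flate=True)))
```

Run against a real file with `scan_pdf(open(path, "rb").read())`; an empty list means only that no plain-syntax DCTDecode image still carries the segments checked here, not that the document is clean, since object streams, JPX images and any metadata outside the image headers are out of scope for this scanner.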
