Date: Tue, 8 Nov 2016 10:48:31 +0100
From: Salvatore Bonaccorso <>
Subject: Re: Re: CVE request: mat doesn't remove metadata in
 embedded images in PDFs


On Thu, Jun 02, 2016 at 06:02:40PM +0000, Holger Levsen wrote:
> On Thu, Jun 02, 2016 at 12:21:34PM -0400, wrote:
> > We think you mean that a CVE ID can exist with the rationale of:
> > 
> >   - as of version 0.7, there will be a required security update in
> >     which the embedded-in-a-PDF security problem is resolved
> > 
> >   - the CVE ID is needed to tag that required security update
> > 
> >   - as of version 0.7, the text may be changed
> >     from "images embedded inside PDF may not be cleaned" to something
> >     like "images embedded inside complex documents may not be cleaned,
> >     but users can rely on cleaning in the specific case of PDF
> >     documents"
> > 
> > Does that match your intention for the CVE ID?
> yes.
> Though I disagree with the 3rd paragraph a bit, I don't think it's that
> hard to recursively process files, e.g. both
> (in perl) and
> (in python) do that.

FTR, in Debian for both Debian wheezy and Debian jessie the support
for PDF was disabled entirely:

