Date: Tue, 8 Nov 2016 10:48:31 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request: mat doesn't remove metadata in embedded images in PDFs

Hi,

On Thu, Jun 02, 2016 at 06:02:40PM +0000, Holger Levsen wrote:
> On Thu, Jun 02, 2016 at 12:21:34PM -0400, cve-assign@...re.org wrote:
> > We think you mean that a CVE ID can exist with the rationale of:
> >
> > - as of version 0.7, there will be a required security update in
> >   which the embedded-in-a-PDF security problem is resolved
> >
> > - the CVE ID is needed to tag that required security update
> >
> > - as of version 0.7, the https://mat.boum.org/ text may be changed
> >   from "images embedded inside PDF may not be cleaned" to something
> >   like "images embedded inside complex documents may not be cleaned,
> >   but users can rely on cleaning in the specific case of PDF
> >   documents"
> >
> > Does that match your intention for the CVE ID?
>
> yes.
>
> Though I disagree with the 3rd paragraph a bit, I don't think it's that
> hard to recursively process files, eg both
> https://tracker.debian.org/pkg/strip-nondeterminism (in perl) and
> https://tracker.debian.org/pkg/diffoscope (in python) do that.

FTR, in Debian for both Debian wheezy and Debian jessie the support for
PDF was disabled entirely:

https://lists.debian.org/debian-lts-announce/2016/10/msg00006.html
https://lists.debian.org/debian-security-announce/2016/msg00291.html

Regards,
Salvatore
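A defender-side check for the problem discussed in this thread: a stdlib-only Python scanner that pulls the JPEG (/DCTDecode) image streams out of a PDF and reports which of them still carry an Exif APP1 segment after "cleaning". This is an added example, not MAT's code or that of the tools linked above; the PDF parsing is deliberately minimal (flat stream dictionaries, direct /Length values only) and the sample PDF and JPEGs are constructed inline.

```python
import re

def jpeg_has_exif(data: bytes) -> bool:
    """Walk the JPEG marker segments before SOS; True if an APP1 Exif segment is present."""
    if not data.startswith(b"\xff\xd8"):          # SOI
        return False
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                 # SOS / EOI: metadata segments end here
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return True
        pos += 2 + seg_len
    return False

# Stream dictionary immediately followed by the stream keyword. Simplification for this
# example: flat dictionaries and a direct /Length only (no nested dicts, no indirect refs).
STREAM_RE = re.compile(rb"obj\s*(<<.*?>>)\s*stream\r?\n", re.S)

def jpeg_streams(pdf: bytes):
    """Yield the raw bytes of every /DCTDecode (JPEG) stream found in the PDF."""
    for m in STREAM_RE.finditer(pdf):
        d = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", d)
        if b"/DCTDecode" in d and length:
            start = m.end()
            yield pdf[start:start + int(length.group(1))]

def count_exif_images(pdf: bytes) -> int:
    """Number of embedded JPEGs that still carry Exif metadata."""
    return sum(1 for jpg in jpeg_streams(pdf) if jpeg_has_exif(jpg))

# --- constructed sample data (not real files) ---------------------------------
def make_jpeg(with_exif: bool) -> bytes:
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08"          # Exif header + empty TIFF header
    app1 = b"\xff\xe1" + (len(tiff) + 2).to_bytes(2, "big") + tiff
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 8 + b"\xff\xd9"
    return b"\xff\xd8" + app0 + (app1 if with_exif else b"") + sos

def make_pdf(jpeg: bytes) -> bytes:
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1"
            b" /ColorSpace /DeviceGray /BitsPerComponent 8 /Filter /DCTDecode /Length "
            + str(len(jpeg)).encode() + b" >>\nstream\n" + jpeg + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for flag in (True, False):
        print("exif images found:", count_exif_images(make_pdf(make_jpeg(flag))))
```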