Date: Thu, 2 Jun 2016 12:21:34 -0400 (EDT)
From: cve-assign@...re.org
To: holger@...er-acht.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: mat doesn't remove metadata in embedded images in PDFs

> https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
> explains how mat fails to do what it's supposed to do, namely removing
> embedded meta data. The bug is that it doesn't remove metadata from images
> embedded in PDFs (while it does remove metadata from PDFs and from
> images)
>
> So basically the core feature of mat is partly broken :/ So I think this
> warrants a CVE as IMHO this ain't just a missing feature and folks on
> the #debian-security IRC channel agreed.
>
> This issue is being tracked by its developers as
> https://labs.riseup.net/code/issues/11067 and in Debian as
> https://bugs.debian.org/826101 and affects all versions of mat and is
> not fixed anywhere yet.

https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
says "We were able to recommend a software library to the main
developer and thus convince him to tackle the problem. He marked the
issue to be resolved for the next major release, 0.7."

In other words, because pypdf2 exists, it is possible to address the
specific issue of metadata inside content that is embedded in a PDF.

> Also I wonder if similar bugs happen with other recursive formats, like an
> OpenDocument text embedding an image or embedding a pdf embedding an
> image or a zip file containing a zip file containing a .odt file
> containing a pdf containing an image

https://mat.boum.org/ currently says "MAT does its best to scrub as
much metadata as possible, it's not really efficient at scrubbing
embedded media inside complex formats. For examples, images embedded
inside PDF may not be cleaned!"

We prefer not to make decisions on whether a CVE ID should exist on
the basis of ease-of-fix information. In other words, it is difficult
to assign CVE IDs if the product's security model is "Complex
embedding is, in general, unsupported, but we will make one-off
changes for specific embedding scenarios when a solution is provided
by a user."

We think you mean that a CVE ID can exist with the rationale of:

  - as of version 0.7, there will be a required security update in
    which the embedded-in-a-PDF security problem is resolved

  - the CVE ID is needed to tag that required security update

  - as of version 0.7, the https://mat.boum.org/ text may be changed
    from "images embedded inside PDF may not be cleaned" to something
    like "images embedded inside complex documents may not be cleaned,
    but users can rely on cleaning in the specific case of PDF
    documents"

Does that match your intention for the CVE ID?

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
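
A check a user could run on a cleaned PDF for the failure described in this thread, as an added example (not code from MAT, the reporter or the CVE team): it scans the file for embedded JPEG data and reports images that still carry EXIF, XMP or comment segments. The function names and the sample document are constructed for illustration, and the scan assumes images stored as plain DCTDecode streams in an unencrypted PDF.

```python
import struct

XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"

def jpeg_metadata(data: bytes, soi: int) -> list:
    """Walk the header segments of the JPEG starting at `soi`; name any metadata."""
    found, pos = [], soi + 2                      # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                # SOS / EOI: no more header segments
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                            # malformed segment, stop walking
            break
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF")
        elif marker == 0xE1 and payload.startswith(XMP_ID):
            found.append("XMP")
        elif marker == 0xFE:                      # free-text comment segment
            found.append("COM")
        pos += 2 + length
    return found

def scan_pdf(pdf: bytes) -> list:
    """Return (offset, kinds) for every embedded JPEG that still carries metadata."""
    hits, pos = [], pdf.find(b"\xff\xd8\xff")
    while pos != -1:
        kinds = jpeg_metadata(pdf, pos)
        if kinds:
            hits.append((pos, kinds))
        pos = pdf.find(b"\xff\xd8\xff", pos + 2)
    return hits

def seg(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, 2-byte length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def sample_pdf(with_exif: bool) -> bytes:
    """Constructed sample: skeletal PDF with one DCTDecode image stream."""
    jpeg = b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if with_exif:
        jpeg += seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
    jpeg += seg(0xDA, b"\x00") + b"\xff\xd9"
    head = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
            b"/Filter /DCTDecode /Length " + str(len(jpeg)).encode() + b" >>\nstream\n")
    return head + jpeg + b"\nendstream\nendobj\n%%EOF\n"
```

An empty result from `scan_pdf` only covers the JPEG case under the stated assumptions; images in other encodings, or inside compressed or encrypted streams, are not inspected.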