Date: Thu,  2 Jun 2016 12:21:34 -0400 (EDT)
Subject: Re: CVE request: mat doesn't remove metadata in embedded images in PDFs

> explains how mat fails to do what it's supposed to do, namely removing
> embedded meta data. The bug is that it doesn't remove metadata from images
> embedded in PDFs (while it does remove metadata from PDFs and from
> images)
> So basically the core feature of mat is partly broken :/ So I think this
> warrants a CVE as IMHO this ain't just a missing feature and folks on
> the #debian-security IRC channel agreed.
> This issue is being tracked by its developers as
> and in Debian as
> and affects all versions of mat and is
> not fixed anywhere yet.
says "We were able to recommend a software library to the main
developer and thus convince him to tackle the problem. He marked the
issue to be resolved for the next major release, 0.7." In other words,
because pypdf2 exists, it is possible to address the specific issue of
metadata inside content that is embedded in a PDF.

> Also I wonder if similar bugs happen with other recursive formats, like an
> OpenDocument text embedding an image or embedding a pdf embedding an
> image or a zip file containing a zip file containing a .odt file
> containing a pdf containing an image

currently says "MAT does its best to scrub as
much metadata as possible, it's not really efficient at scrubbing
embedded media inside complex formats. For examples, images embedded
inside PDF may not be cleaned!"

We prefer not to make decisions on whether a CVE ID should exist on
the basis of ease-of-fix information. In other words, it is difficult
to assign CVE IDs if the product's security model is "Complex
embedding is, in general, unsupported, but we will make one-off
changes for specific embedding scenarios when a solution is provided
by a user."

We think you mean that a CVE ID can exist with the rationale of:

  - as of version 0.7, there will be a required security update in
    which the embedded-in-a-PDF security problem is resolved

  - the CVE ID is needed to tag that required security update

  - as of version 0.7, the text may be changed
    from "images embedded inside PDF may not be cleaned" to something
    like "images embedded inside complex documents may not be cleaned,
    but users can rely on cleaning in the specific case of PDF

Does that match your intention for the CVE ID?

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]