Re: Re: CVE request: mat doesn't remove metadata in embedded images in PDFs

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Thu, Jun 02, 2016 at 06:02:40PM +0000, Holger Levsen wrote:
> On Thu, Jun 02, 2016 at 12:21:34PM -0400, cve-assign () mitre org wrote:
> > We think you mean that a CVE ID can exist with the rationale of:
> >
> >   - as of version 0.7, there will be a required security update in
> >     which the embedded-in-a-PDF security problem is resolved
> >
> >   - the CVE ID is needed to tag that required security update
> >
> >   - as of version 0.7, the https://mat.boum.org/ text may be changed
> >     from "images embedded inside PDF may not be cleaned" to something
> >     like "images embedded inside complex documents may not be cleaned,
> >     but users can rely on cleaning in the specific case of PDF
> >     documents"
> >
> > Does that match your intention for the CVE ID?
>
> yes.
>
> Though I disagree with the 3rd paragraph a bit, I don't think it's that
> hard to recursivly process files, eg both
> https://tracker.debian.org/pkg/strip-nondeterminism (in perl) and
> https://tracker.debian.org/pkg/diffoscope (in python) do that.

FTR, in Debian for both Debian wheezy and Debian jessie the support
for PDF was disabled entirely:

https://lists.debian.org/debian-lts-announce/2016/10/msg00006.html
https://lists.debian.org/debian-security-announce/2016/msg00291.html

Regards,
Salvatore