Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160602103328.GA6618@layer-acht.org>
Date: Thu, 2 Jun 2016 10:33:28 +0000
From: Holger Levsen <holger@...er-acht.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: mat doesn't remove metadata in embedded images in PDFs

Hi,

https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
explains how mat fails to do what it's supposed to do, namely removing
embedded meta data. The bug is that it doesnt remove metadata from images
embedded in PDFs (while it does remove metadata from PDFs and from
images…)

So basically the core feature of mat is partly broken :/ So I think this
warrants a CVE as IMHO this ain't just a missing feature and folks on
the #debian-security IRC channel agreed.

This issue is being tracked by it's developers as
https://labs.riseup.net/code/issues/11067 and in Debian as
https://bugs.debian.org/826101 and affects all versions of mat and is
not fixed anywhere yet.

Could a CVE please be assigned to this issue?
 
Also I wonder if similar bugs happen with other recursive formats, like an
OpenDocument text embedding an image or embedding a pdf embedding an
image or a zip file containing a zip file containing a .odt file
containing an pdf containing an image…


-- 
thanks,
	Holger (not subscribed to the list, please cc: me on replies.)

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.