Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>.
(Thu, 02 Jun 2016 09:00:09 GMT)
package: mat
severity: important
tags: security upstream
forwarded: https://labs.riseup.net/code/issues/11067
Hi,
https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
explains how mat fails to do what it's supposed to do, namely removing
embedded meta data.
I haven't verified this myself, but apparently it doesn't remove
metadata from images embedded in PDFs.
So basically the core feature of mat is partly broken :/
I wonder if similar bugs happen with other recursive formats, like an
OpenDocument text embedding an image or embedding a pdf embedding an
image or a zip file containing a zip file containing a .odt file
containing a pdf containing an image…
--
cheers,
Holger
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>: Bug#826101; Package mat.
(Sun, 21 Aug 2016 22:33:04 GMT)
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>.
(Sun, 21 Aug 2016 22:33:04 GMT)
To: Holger Levsen <holger@layer-acht.org>, 826101@bugs.debian.org
Subject: Re: mat doesn't remove metadata in embedded images in PDFs
Date: Mon, 22 Aug 2016 00:29:43 +0200
[Holger Levsen 2016-06-02]
> https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
> explains how mat fails to do what it's supposed to do, namely removing
> embedded meta data.
>
> I haven't verified this myself, but apparently it doesn't remove
> metadata from images embedded in PDFs.
>
> So basically the core feature of mat is partly broken :/
Reading the upstream bug report, there seems to be no solution in sight
any time soon. Perhaps it would be better if mat simply reported a
failure and refused to process the input if it finds embedded parts it
can't strip? It would be better than pretending to succeed.
> I wonder if similar bugs happen with other recursive formats, like an
> OpenDocument text embedding an image or embedding a pdf embedding an
> image or a zip file containing a zip file containing a .odt file
> containing a pdf containing an image…
No idea, but it would be useful to check. :)
Did you ever get a CVE for this issue? I did not find one when I followed
the mailing list thread, but might have missed it.
--
Happy hacking
Petter Reinholdtsen
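The fail-closed behaviour proposed in the message above, applied to the nested zip-based containers raised in the original report, as an added Python sketch that is not part of the thread and not MAT's code. The magic-byte table, the `STRIPPABLE` set and all function names are assumptions made for the illustration, and the sample input is constructed in memory.

```python
import io
import zipfile

# Leading bytes used to classify a part (constructed table, not MAT's own).
MAGIC = {b"PK\x03\x04": "zip", b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg"}
# Assumption: only these leaf types have a working stripper; PDF does not.
STRIPPABLE = {"jpeg"}
MAX_DEPTH = 8  # refuse pathological nesting instead of recursing forever

class UnstrippablePart(Exception):
    """Raised instead of reporting success on a partly cleaned file."""

def sniff(data):
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def walk(data, path="<input>", depth=0):
    """Yield (path, kind) for every leaf, descending into zip-based containers."""
    kind = sniff(data)
    if kind != "zip":
        yield path, kind
        return
    if depth >= MAX_DEPTH:
        raise UnstrippablePart(f"{path}: nested deeper than {MAX_DEPTH}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # an .odt is a zip as well
        for name in zf.namelist():
            if not name.endswith("/"):  # skip directory entries
                yield from walk(zf.read(name), f"{path}/{name}", depth + 1)

def clean_or_refuse(data):
    """Return the leaves to strip, or raise if any leaf has no stripper."""
    leaves = list(walk(data))
    bad = [f"{p} ({k})" for p, k in leaves if k not in STRIPPABLE]
    if bad:
        raise UnstrippablePart("cannot strip: " + ", ".join(bad))
    return leaves

def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def build_sample(with_pdf):
    """Constructed input: zip -> zip -> .odt -> image (and optionally a PDF)."""
    parts = {"Pictures/photo.jpg": b"\xff\xd8\xff\xe1 constructed bytes"}
    if with_pdf:
        parts["embedded.pdf"] = b"%PDF-1.4 constructed bytes"
    return _zip({"inner.zip": _zip({"doc.odt": _zip(parts)})})
```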
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>: Bug#826101; Package mat.
(Sun, 21 Aug 2016 22:48:04 GMT)
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>.
(Sun, 21 Aug 2016 22:48:05 GMT)
On Mon, Aug 22, 2016 at 12:29:43AM +0200, Petter Reinholdtsen wrote:
> Reading the upstream bug report, there seems to be no solution in sight
> any time soon. Perhaps it would be better if mat simply reported a
> failure and refused to process the input if it finds embedded parts it
> can't strip? It would be better than pretending to succeed.
I agree.
> Did you ever get a CVE for this issue? I did not find one when I followed
> the mailing list thread, but might have missed it.
no.
--
cheers,
Holger
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>: Bug#826101; Package mat.
(Mon, 22 Aug 2016 08:33:03 GMT)
Acknowledgement sent
to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>.
(Mon, 22 Aug 2016 08:33:04 GMT)
Subject: Re: Bug#826101: mat doesn't remove metadata in embedded images in PDFs
Date: Mon, 22 Aug 2016 10:28:18 +0200
Hi,
Holger Levsen:
> On Mon, Aug 22, 2016 at 12:29:43AM +0200, Petter Reinholdtsen wrote:
>> Reading the upstream bug report, there seems to be no solution in sight
>> any time soon. Perhaps it would be better if mat simply reported a
>> failure and refused to process the input if it finds embedded parts it
>> can't strip? It would be better than pretending to succeed.
> I agree.
Same here :)
I've recently recommended upstream to do so, and Julien essentially
agrees. He might try to go with the "big hammer" approach instead:
just render each page on a bitmap and turn that into a crappy but safe
PDF file. This might not take substantially more time than going
through the process of deprecating PDF support entirely.
I'm glad that you folks are tracking this. Thanks!
Cheers,
--
intrigeri
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>: Bug#826101; Package mat.
(Mon, 22 Aug 2016 08:45:10 GMT)
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>.
(Mon, 22 Aug 2016 08:45:10 GMT)
On Mon, Aug 22, 2016 at 10:28:18AM +0200, intrigeri wrote:
> > I agree.
> Same here :)
great :)
> I've recently recommended upstream to do so, and Julien essentially
> agrees. He might try to go with the "big hammer" approach instead:
> just render each page on a bitmap and turn that into a crappy but safe
> PDF file. This might not take substantially more time than going
> through the process of deprecating PDF support entirely.
I like this big hammer very much! Thanks already for implementing it! ;)
--
cheers,
Holger
Source: mat
Source-Version: 0.6.1-3
We believe that the bug you reported is fixed in the latest version of
mat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 826101@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
intrigeri <intrigeri@debian.org> (supplier of updated mat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Aug 2016 08:40:53 +0000
Source: mat
Binary: mat
Architecture: source
Version: 0.6.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>
Changed-By: intrigeri <intrigeri@debian.org>
Closes: 826101 832479
Description:
mat - Metadata anonymisation toolkit
Changes:
mat (0.6.1-3) unstable; urgency=medium
.
* Update documentation of recommended packages in README.Debian.
* debian/copyright: use HTTPS URL.
* Promote gir1.2-poppler-0.18 to Depends: even though it is supposed
to be an optional dependency, needed only for PDF support, MAT crashes
if it not installed. (Closes: #832479)
* New patch: disable PDF support. (Closes: #826101)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 29 Sep 2016 07:25:06 GMT)
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 11 Oct 2016 15:03:05 GMT)
Marked as found in versions mat/0.5.2-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 11 Oct 2016 15:03:05 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 09 Nov 2016 07:25:02 GMT)