Hi!
> as you rely on MAT, the Metadata Anonymization Toolkit, I would like
> to make you aware of a deficiency in MAT's current metadata removal
> algorithm for PDF. In short, it is non-recursive. This means it cannot
> remove metadata in images (and possibly other files) embedded in PDF
> files. Be sure to re-check output files after using MAT.

Great that you've found this and sent your findings here.

> htgoebel who discovered this bug reported it as a feature request in
> early February <https://labs.riseup.net/code/issues/11067> but it
> received no attention until I emailed jvoisin in early May.

I discovered this issue yesterday through the Debian bug report which
has been opened:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826101
So the issue now seems to be correctly tracked.

Looks like simply opening a feature request for something which is
important might sometimes not be enough...

> Until this bug is fixed, htgoebel and I think it important to educate
> Tails users about it. That is why we published an article about Tails,
> MAT and this bug on the Digitalcourage website in English and German:
> [en] https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
> [de] https://digitalcourage.de/blog/2016/sicherheitsluecke-in-mat-tails-wird-geschlossen

I agree that we should inform users about this. I just wonder if we
want to do that in our news? Should we point to this article in the
upcoming monthly report?

And as a follow-up question I'm now wondering about: do we want to add
bug reporting guidelines for security researchers here:
https://tails.boum.org/doc/first_steps/bug_reporting/index.en.html?
Cheers!
u.
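
The re-check recommended in the quoted report, as an added example that is not part of the original e-mail and is not MAT's code: it walks the JPEG segments of raw `/DCTDecode` image streams in a PDF and reports EXIF, XMP, IPTC or comment segments that survived cleaning. It assumes plain (non-object-stream) objects and unchained filters, so an empty result is not proof of a clean file; the function names and the sample PDF bytes are constructed for illustration.

```python
import re
import struct
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
APP1 = {b"Exif\x00\x00": "EXIF", b"http://ns.adobe.com/xap/1.0/\x00": "XMP"}
OTHER = {0xED: "IPTC", 0xFE: "comment"}   # APP13 Photoshop/IPTC block, COM segment

def jpeg_metadata_segments(jpeg):
    """Walk JPEG marker segments up to start-of-scan; name the metadata carriers."""
    found = []
    if not jpeg.startswith(b"\xff\xd8"):            # no SOI marker: not a raw JPEG
        return found
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xDA or length < 2:            # SOS (pixel data follows) or corrupt
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1:                          # APP1 carries EXIF or XMP
            found += [name for sig, name in APP1.items() if payload.startswith(sig)]
        elif marker in OTHER:
            found.append(OTHER[marker])
        pos += 2 + length
    return found

def embedded_image_metadata(pdf):
    """Map PDF object number -> metadata kinds in its raw DCTDecode (JPEG) stream."""
    report = {}
    for m in OBJ.finditer(pdf):
        head, sep, rest = m.group(2).partition(b"stream")
        if sep and b"/DCTDecode" in head:
            kinds = jpeg_metadata_segments(rest.lstrip(b"\r\n"))
            if kinds:
                report[int(m.group(1))] = kinds
    return report

def _segment(marker, payload):                      # helper for the constructed sample
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: object 5 holds a JPEG with an EXIF segment, object 6 a bare one.
_TAIL = b"\xff\xda\x00\x02\xff\xd9"
_DICT = b"<< /Subtype /Image /Filter /DCTDecode >>\nstream\n"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"5 0 obj\n" + _DICT + b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00II*\x00")
              + _TAIL + b"\nendstream\nendobj\n"
              b"6 0 obj\n" + _DICT + b"\xff\xd8" + _TAIL + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    print(embedded_image_metadata(SAMPLE_PDF))
```

To check a real file, pass `open(path, "rb").read()` to `embedded_image_metadata` after cleaning it.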