[mat-dev] mat2 0.6.0

Supprimer ce message

Répondre à ce message
Auteur: jvoisin
Date:  
À: The metadata anonymisation toolkit mailing list
Sujet: [mat-dev] mat2 0.6.0
Greetings,

A new version of mat2 was released, the 0.6.0, on the 10th of November,
2018, with some new features, less bugs, but also with a security fix

The full changelog can be found in the CHANGELOG.md file[1], and signed
snapshots are available under the appropriate tag[2]; I also wrote the
now usual blog post[3].

The vulnerability was found by Sherry Taylor (thanks!), and thoroughly
documented in an issue[4]: some terminals are interpreting dangerous
control characters, so an attacker could embed some of them inside a
metadata field, and gain code execution when they are displayed via mat2
--show my_malicious_picture.jpg. The issue was solved in this commit[5],
by simply not displaying control character. This change only affects
mat2 (the command-line tool) and not libmat2 (the library).


Have a nice day,


1. https://0xacab.org/jvoisin/mat2/blob/master/CHANGELOG.md#060-2018-11-10
2. https://0xacab.org/jvoisin/mat2/tags/0.6.0
3. https://dustri.org/b/mat2-060.html
4. https://0xacab.org/jvoisin/mat2/issues/86
5.
https://0xacab.org/jvoisin/mat2/commit/8ff57c5803152c619f88e44ffded28540a289d44

--
Julien (jvoisin) Voisin
GPG: 04D041E8171901CC
dustri.org