Greetings,
A new version of mat2 was released, the 0.6.0, on the 10th of November,
2018, with some new features, fewer bugs, but also with a security fix.
The full changelog can be found in the CHANGELOG.md file[1], and signed
snapshots are available under the appropriate tag[2]; I also wrote the
now usual blog post[3].
The vulnerability was found by Sherry Taylor (thanks!), and thoroughly
documented in an issue[4]: some terminals are interpreting dangerous
control characters, so an attacker could embed some of them inside a
metadata field, and gain code execution when they are displayed via mat2
--show my_malicious_picture.jpg. The issue was solved in this commit[5],
by simply not displaying control characters. This change only affects
mat2 (the command-line tool) and not libmat2 (the library).
Have a nice day,
[1] https://0xacab.org/jvoisin/mat2/blob/master/CHANGELOG.md#060-2018-11-10
[2] https://0xacab.org/jvoisin/mat2/tags/0.6.0
[3] https://dustri.org/b/mat2-060.html
[4] https://0xacab.org/jvoisin/mat2/issues/86
[5] https://0xacab.org/jvoisin/mat2/commit/8ff57c5803152c619f88e44ffded28540a289d44
--
Julien (jvoisin) Voisin
GPG: 04D041E8171901CC
dustri.org
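
The mitigation described in the message above, dropping control characters from metadata before it is printed to a terminal, sketched as an added example. This is not mat2's code nor the code from the referenced commit; the function names and the sample metadata are constructed for illustration.

```python
import unicodedata


def strip_control(value):
    """Return value as text with every control character removed.

    Unicode category "Cc" covers C0 (0x00-0x1F, including ESC, BEL, CR, LF),
    DEL (0x7F) and C1 (0x80-0x9F, including the single-character CSI 0x9B).
    """
    if isinstance(value, bytes):
        # Metadata fields are often raw bytes; decode without raising.
        value = value.decode("utf-8", errors="replace")
    elif not isinstance(value, str):
        value = str(value)
    return "".join(ch for ch in value if unicodedata.category(ch) != "Cc")


def format_metadata(meta, indent=0):
    """Build printable lines from a (possibly nested) metadata dict.

    Keys are sanitised too, since field names also come from the file.
    """
    lines = []
    for key, value in meta.items():
        safe_key = strip_control(key)
        if isinstance(value, dict):
            lines.append(" " * indent + safe_key + ":")
            lines.extend(format_metadata(value, indent + 2))
        else:
            lines.append(" " * indent + safe_key + ": " + strip_control(value))
    return lines


# Constructed sample: untrusted metadata carrying terminal control characters.
SAMPLE = {
    "Comment": "holiday\x1b[31m photo\x07",   # ESC-introduced sequence and BEL
    "Artist": "someone\u009b2J",              # C1 CSI as a single character
    "Model": b"cam\x1b[2Jera",                # same idea in a bytes field
    "Nested": {"Title\r": "line1\nline2"},    # CR in a key, LF in a value
}

if __name__ == "__main__":
    print("\n".join(format_metadata(SAMPLE)))
```

With the control characters gone, what remains of a sequence (such as `[31m`) is printed as ordinary text and is not interpreted by the terminal.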