[mat-dev] mat2 0.13.0

Delete this message

Reply to this message
Author: jvoisin
To: The metadata anonymisation toolkit mailing list
Subject: [mat-dev] mat2 0.13.0

A new version of mat2 was released, the 0.13.0, on the 6th of July,
2022. Signed snapshots are available under the appropriate tag[1],
the full changelog can be found in the CHANGELOG.md file[2].

This release fixes a security issue found by Jan Friedli, namely an
arbitrary file read via path-traversal in zip archives. See the related
blogpost[3] for details: the tl;dr is that an attacker giving you a zip
file to process, and getting the result back is able to read arbitrary
files on your filesystem. A CVE has been requested, and
downstreams/dependees notified.

Feel free to reach out if you have any questions.

Sorry for the inconvenience, and kudos to Jan for finding this

1. https://0xacab.org/jvoisin/mat2/tags/0.12.3
2. https://0xacab.org/jvoisin/mat2/-/blob/master/CHANGELOG.md
3. https://dustri.org/b/mat2-0130.html

Julien (jvoisin) Voisin
GPG: 04D041E8171901CC