Author: jvoisin
Date:
To: The metadata anonymisation toolkit mailing list
Subject: [mat-dev] mat2 0.13.0

A new version of mat2 was released, the 0.13.0, on the 6th of July,
2022. Signed snapshots are available under the appropriate tag, and
the full changelog can be found in the CHANGELOG.md file.
This release fixes a security issue found by Jan Friedli, namely an
arbitrary file read via path-traversal in zip archives. See the related
blogpost for details: the tl;dr is that an attacker giving you a zip
file to process, and getting the result back, is able to read arbitrary
files on your filesystem. A CVE has been requested, and
Feel free to reach out if you have any questions.
Sorry for the inconvenience, and kudos to Jan for finding this
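
The class of bug described in this announcement, as an added example that is not mat2's code and not the fix shipped in 0.13.0: a check that flags zip member names which would resolve outside the directory they are unpacked into. The extraction root, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

ROOT = "/tmp/extract"  # assumed extraction directory, for illustration only


def escapes_root(member: str, root: str = ROOT) -> bool:
    """True if a zip member name would resolve outside `root` once joined to it."""
    name = member.replace("\\", "/")  # treat Windows separators like "/"
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute path or drive-qualified name
    # Collapse "." and ".." components, then compare against the root.
    resolved = posixpath.normpath(posixpath.join(root, name))
    return posixpath.commonpath([root, resolved]) != root


def audit_zip(data: bytes, root: str = ROOT) -> list[str]:
    """Return the member names in a zip archive that escape `root`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if escapes_root(i.filename, root)]


def build_sample() -> bytes:
    """Constructed archive: two benign members and two traversal names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("word/document.xml", "docs/../notes.txt",
                     "../../outside.txt", "/abs/outside.txt"):
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    for name in audit_zip(build_sample()):
        print("rejecting member:", name)
```

A name such as `docs/../notes.txt` contains `..` but still resolves inside the root, so the check compares the normalised path rather than rejecting on the substring alone.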