Greetings,
A new version of mat2 was released, the 0.13.0, on the 6th of July,
2022. Signed snapshots are available under the appropriate tag[1],
the full changelog can be found in the CHANGELOG.md file[2].
This release fixes a security issue found by Jan Friedli, namely an
arbitrary file read via path-traversal in zip archives. See the related
blogpost[3] for details: the tl;dr is that an attacker giving you a zip
file to process, and getting the result back is able to read arbitrary
files on your filesystem. A CVE has been requested, and
downstreams/dependees notified.
Feel free to reach out if you have any questions.
Sorry for the inconvenience, and kudos to Jan for finding this
vulnerability!
1.
https://0xacab.org/jvoisin/mat2/tags/0.12.3
2.
https://0xacab.org/jvoisin/mat2/-/blob/master/CHANGELOG.md
3.
https://dustri.org/b/mat2-0130.html
--
Julien (jvoisin) Voisin
GPG: 04D041E8171901CC
dustri.org
