mat2 0.13.0
Wed 06 July 2022 — download

There is a new bugfix version of MAT2: 0.13.0, fixing a security issue, namely CVE-2022-35410, found by jfriedli, the maintainer of mat2-web.

The crux of the problem is that when provided a zip archive with a file with a path pointing outside of the archive, mat2 would include the file present on the filesystem in the resulting archive. For example, a file named ../../../var/www/mat2-web/requirements.txt in a zip archive would result in the requirements.txt file from a mat2-web server being put into the cleaned archive.

On the bright side, this arbitrary file read should mostly impact administrators of mat2-web instances, since while mat2 does its very best to handle malicious/malformed files, it is primarily designed to clean files from trusted sources. Unfortunately, this arbitrary file read might result in a remote code execution depending on mat2-web setups, since leaking the app.secret_key from a Flask application yields arbitrary python code execution. A mitigation would be to pass the app.secret_key via an environment variable instead of hardcoding it, which is a good practise anyway.

Case where an attacker is sending a malicious zip file to a regular mat2 user to process, and is then able to get it back should hopefully be pretty rare.

beebca4b is the commit fixing the vulnerability, and e2c4dbf7 provides some hardening on top of it as well, if you want to backport them instead of updating.

The vulnerability was fixed in the following Debian versions:

  • oldstable (buster) in 0.8.0-3+deb10u1
  • stable (bullseye) in 0.12.1-2+deb11u1
  • unstable and testing in 0.13.0-1

Nevertheless, nice bug, now fixed, you should upgrade, kudos to jfriedli for finding it and sending a comprehensive report and reproducer my way!

Support for heic files was also added in this release, thanks to maijin.

As usual, if you know some python or web-fu help is more than welcome.