There is a new minor version of MAT2, 0.6.0, with some new features, improvements, and a security fix.
- Add lightweight cleaning for jpeg
- Add support for zip files
- Add support for mp4 files
- Improve metadata extraction for archives
- Improve robustness against corrupted embedded files
- Fix a possible security issue on some terminals (control character injection via
- Various internal cleanup/improvements
This software is currently in beta, please don't use it for anything critical.
The vulnerability was found by Sherry Taylor (thanks!), and thoroughly documented in an issue: some terminals are interpreting dangerous control characters, so an attacker could embed some of them inside a metadata field, and gain code execution when they are displayed via mat2 --show my_malicious_picture.jpg.
The issue was solved in this commit, by simply not displaying control characters. This change only affects the command-line tool and not libmat2 (the library).
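The approach described above, shown as an added example (this is not the code from the MAT2 commit): metadata values are filtered at display time so that nothing a terminal would interpret reaches it. The function names and the sample metadata are constructed for illustration, and the nested dictionary stands in for metadata of files embedded in an archive.

```python
import unicodedata


def strip_control(text: str) -> str:
    """Drop characters a terminal may act on instead of displaying."""
    # Unicode category "Cc" covers the C0 controls (including ESC, 0x1b),
    # DEL (0x7f) and the C1 controls (including the 8-bit CSI, 0x9b).
    # Newlines and carriage returns are dropped too, so a value cannot
    # forge an extra "key: value" line in the listing.
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cc")


def printable_metadata(meta, depth=0):
    """Yield display-safe lines for a possibly nested metadata dict."""
    indent = "  " * depth
    for key, value in meta.items():
        key = strip_control(str(key))  # keys are attacker-controlled too
        if isinstance(value, dict):
            # Metadata of an embedded file: recurse one level deeper.
            yield f"{indent}{key}:"
            yield from printable_metadata(value, depth + 1)
            continue
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        yield f"{indent}{key}: {strip_control(str(value))}"


# Constructed sample: values carrying an OSC title sequence, an 8-bit CSI
# sequence, and a CR/LF pair meant to fake an extra line.
SAMPLE = {
    "Comment": "holiday\x1b]0;spoofed title\x07 photo",
    "Artist": "Alice\x9b2J",
    "embedded.jpg": {"Software": "cam\r\nfake: line"},
}

if __name__ == "__main__":
    for line in printable_metadata(SAMPLE):
        print(line)
```

The remainder of each sequence stays visible as inert text, which also makes a tampered field easy to spot in the output.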
The implementation of recursive metadata support in the previous version made it pretty easy to implement zip archive support. There is also an issue about implementing support for more archive formats that I would like to close for 0.7.0 :)
As usual, help is more than welcome.