Artificial truth

The more you see, the less you believe.


MAT2 0.6.0
Sat 10 November 2018 — download

There is a new minor version of MAT2, 0.6.0, with some new features, improvements, and a security fix.

Changelog

  • Add lightweight cleaning for jpeg
  • Add support for zip files
  • Add support for mp4 files
  • Improve metadata extraction for archives
  • Improve robustness against corrupted embedded files
  • Fix a possible security issue on some terminals (control character injection via --show)
  • Various internal cleanup/improvements

About the security issue

There is no CVE for the issue, since mat2 isn't stable software yet, as documented in the README:

This software is currently in beta, please don't use it for anything critical.

The vulnerability was found by Sherry Taylor (thanks!) and thoroughly documented in an issue: some terminals interpret dangerous control characters, so an attacker could embed some of them inside a metadata field and gain code execution when they are displayed via mat2 --show my_malicious_picture.jpg. The issue was solved in this commit by simply not displaying control characters. This change only affects mat2 (the command-line tool) and not libmat2 (the library).
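
The kind of display filter described above, as an added illustration (this is not the code from the mat2 commit): every character in Unicode category Cc is dropped from both field names and values before a line is printed. The function names and the sample metadata are constructed for this example.

```python
import unicodedata


def strip_control(text: str) -> str:
    """Drop Unicode category Cc: C0 (ESC, BEL, CR, LF...), DEL and C1 (0x9b CSI...)."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cc")


def to_text(value) -> str:
    """Metadata parsers may hand back bytes or numbers; normalise to str first."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return str(value)


def render(metadata: dict, depth: int = 0) -> list:
    """Return printable lines for a (possibly nested) metadata mapping."""
    lines = []
    indent = "  " * depth
    for key, value in sorted(metadata.items(), key=lambda kv: to_text(kv[0])):
        # Field names come from the file as well, so they are filtered too.
        safe_key = strip_control(to_text(key))
        if isinstance(value, dict):
            # Metadata of a file embedded in an archive: recurse.
            lines.append(f"{indent}{safe_key}:")
            lines.extend(render(value, depth + 1))
        else:
            lines.append(f"{indent}{safe_key}: {strip_control(to_text(value))}")
    return lines


# Constructed sample: values carry ESC, BEL, a C1 CSI byte and a CR/LF pair
# that would otherwise fake an extra output line.
SAMPLE = {
    "Comment": "holiday\x9b2J\x1b[1;31mphoto\x07",
    "Artist": b"alice\x1b[5m",
    "embedded.jpg": {"Soft\x1bware": "cam\r\nFake: line"},
}

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

The remainder of each sequence (such as `[1;31m`) stays visible as plain text, which makes tampering easy to spot while leaving nothing for the terminal to interpret.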

Conclusion

The implementation of recursive metadata support in the previous version made it pretty easy to implement zip archive support. There is also an issue about implementing support for more archive formats that I would like to close for 0.7.0 :)

As usual, help is more than welcome.