Title: mat2 0.13.0
Date: 2022-07-06 19:25

There is a new bugfix version of MAT2:
[0.13.0](https://0xacab.org/jvoisin/mat2/tags/0.13.0), fixing a security issue,
namely [CVE-2022-35410](https://cve.circl.lu/cve/CVE-2022-35410), found by [jfriedli](https://0xacab.org/jfriedli), the
maintainer of [mat2-web](https://0xacab.org/jvoisin/mat2-web).

The crux of the problem is that when provided a zip archive with a file
with a path pointing outside of the archive, mat2 would include the file
present on the filesystem in the resulting archive. For example, a file named
`../../../var/www/mat2-web/requirements.txt` in a zip archive would result in
the `requirements.txt` file from a mat2-web server being put into the cleaned
archive.
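The check a repacking step needs, as an added example rather than mat2's own code: member names are normalised and anything that resolves above the archive root is refused, and member content is always read from the archive stream itself, never from a path on the host filesystem. The sample archive, its file names and contents are constructed here for illustration.

```python
import io
import posixpath
import zipfile


def is_safe_member(name: str) -> bool:
    """True if a member name cannot resolve outside the archive root."""
    name = name.replace("\\", "/")
    # Absolute paths and Windows drive letters are rejected outright.
    if name.startswith("/") or ":" in name.split("/", 1)[0]:
        return False
    normalized = posixpath.normpath(name)
    return normalized not in (".", "..") and not normalized.startswith("../")


def member_names(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zin:
        return zin.namelist()


def unsafe_member_names(data: bytes) -> list[str]:
    """Members whose names would escape the archive (the CVE-2022-35410 pattern)."""
    return [n for n in member_names(data) if not is_safe_member(n)]


def repack_safely(data: bytes) -> bytes:
    """Rebuild the archive, refusing any member that points outside of it.

    Content is read from the archive stream, not from a filesystem path built
    from the member name, so a traversal name can never pull in a host file.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if not is_safe_member(info.filename):
                raise ValueError(f"refusing unsafe member name: {info.filename!r}")
            zout.writestr(info.filename, zin.read(info))
    return out.getvalue()


def build_sample_zip(with_traversal: bool) -> bytes:
    """Constructed sample archive; the traversal member mirrors the name quoted above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "harmless content")
        if with_traversal:
            z.writestr("../../../var/www/mat2-web/requirements.txt", "placeholder content")
    return buf.getvalue()
```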

On the bright side, this arbitrary file read should mostly impact administrators
of mat2-web instances, since while mat2 does its very best to handle
malicious/malformed files, it is primarily designed to clean files from trusted
sources. Unfortunately, this arbitrary file read might result in a remote code
execution depending on mat2-web setups, since leaking the `app.secret_key` from
a Flask application yields arbitrary python code execution. A mitigation would
be to pass the `app.secret_key` via an environment variable instead of
hardcoding it, which is a good practice anyway.

The case where an attacker sends a malicious zip file to a regular mat2 user to process,
and is then able to get the cleaned archive back, should hopefully be pretty rare.

[beebca4b](https://0xacab.org/jvoisin/mat2/-/commit/beebca4bf1cd3b935824c966ce077e7bcf610385)
is the commit fixing the vulnerability, and
[e2c4dbf7](https://0xacab.org/jvoisin/mat2/-/commit/e2c4dbf721aca11e8010063ef69dd1e35fd9945a)
provides some hardening on top of it as well, if you want to backport them
instead of updating.

The vulnerability was fixed in the following Debian versions:

* oldstable (buster) in `0.8.0-3+deb10u1`
* stable (bullseye) in `0.12.1-2+deb11u1`
* unstable and testing in `0.13.0-1`

Nevertheless, nice bug, now fixed, you should upgrade, kudos to jfriedli for
finding it and sending a comprehensive report and reproducer my way!

Support for
[heic](https://en.wikipedia.org/wiki/High_Efficiency_Image_File_Format) files
was also added in this release, thanks to [maijin](https://maijin.fr).

As usual, if you know some python or web-fu, help is
[more than](https://0xacab.org/jvoisin/mat2-web/-/issues)
[welcome](https://0xacab.org/jvoisin/mat2/issues?label_name%5B%5D=good+first+issue).
