Title: MAT2 0.6.0
Date: 2018-11-10 13:30

There is a new minor version of MAT2, the [0.6.0](https://0xacab.org/jvoisin/mat2/tags/0.6.0),
with some new features, improvements, and a security fix.

# Changelog

- Add lightweight cleaning for jpeg
- Add support for zip files
- Add support for mp4 files
- Improve metadata extraction for archives
- Improve robustness against corrupted embedded files
- Fix a possible security issue on some terminals (control character injection via `--show`)
- Various internal cleanup/improvements


# About the security issue

There is no [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
for the issue, since mat2 isn't stable software yet, as [documented in the README](https://0xacab.org/jvoisin/mat2):

> This software is currently in **beta**, please don't use it for anything
critical.

The vulnerability was found by [Sherry Taylor](https://0xacab.org/mied6She)
(thanks!), and thoroughly documented in an
[issue](https://0xacab.org/jvoisin/mat2/issues/86): some terminals
interpret dangerous [control characters](https://en.wikipedia.org/wiki/Control_character),
so an attacker could embed some of them inside a metadata field, and gain code
execution when they are displayed via `mat2 --show my_malicious_picture.jpg`.
The issue was solved in [this commit](https://0xacab.org/jvoisin/mat2/commit/8ff57c5803152c619f88e44ffded28540a289d44),
by simply not displaying control characters. This change only affects `mat2` (the
command-line tool) and not `libmat2` (the library).
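
To illustrate the mitigation described above, here is an added example (not the code from the linked commit, and not part of mat2) that drops control characters from metadata before it is printed, including metadata nested one level per archive member. The names `strip_controls`, `format_metadata` and `SAMPLE` are hypothetical, and the sample metadata is constructed.

```python
import unicodedata


def strip_controls(text: str) -> str:
    """Drop every character in Unicode category Cc: C0 (ESC, BEL, CR,
    LF, NUL...), DEL and C1 (such as U+009B, the one-character CSI)."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cc")


def format_metadata(metadata: dict, depth: int = 1) -> list:
    """Return the lines a --show style listing would print, with keys and
    values sanitized. Nested dicts (archive members) are indented."""
    pad = "  " * depth
    lines = []
    for key, value in sorted(metadata.items(), key=lambda kv: str(kv[0])):
        key = strip_controls(str(key))  # field names are attacker-controlled too
        if isinstance(value, dict):
            lines.append("%s%s:" % (pad, key))
            lines.extend(format_metadata(value, depth + 1))
            continue
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        lines.append("%s%s: %s" % (pad, key, strip_controls(str(value))))
    return lines


# Constructed sample: what a parser could return for an untrusted file.
SAMPLE = {
    # ESC-introduced sequences (clear screen, colour change) and a bell
    "Comment": "holiday\x1b[2J\x1b[31m photo\x07",
    # CR/LF used to forge an extra line in the listing
    "Artist": "Alice\r\n  Software: forged line",
    # C1 control: a single character that acts like ESC [
    "Title": "caf\u00e9 \u009b1m",
    # raw bytes as some parsers return them
    "GPS": b"here\x1b[0m",
    # metadata of a file embedded in an archive
    "archive/member.jpg": {"Make": "Cam\x00era\x7f"},
}

if __name__ == "__main__":
    # Without ESC or CSI, leftovers such as "[2J" are inert text.
    for line in format_metadata(SAMPLE):
        print(line)
```

Legitimate non-ASCII text such as the "é" in the `Title` field is preserved, and removing CR/LF keeps each field on a single line of output.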


# Conclusion

The implementation of recursive metadata support in the [previous
version]({filename}/metadata/mat2_0.5.0.md) made it pretty easy to implement
zip archive support. There is also an
[issue](https://0xacab.org/jvoisin/mat2/issues/62) about implementing support
for more archive formats that I would like to close for 0.7.0 :)

As usual, help is [more than welcome](https://0xacab.org/jvoisin/mat2/issues?label_name%5B%5D=good+first+issue).
