CVE-2022-3008: Command injection via wordexp call. · Issue #368 · syoyo/tinygltf
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.
Closed · oliverchang opened this issue Aug 16, 2022 · 5 comments
Comments
Describe the issue
This is a security vulnerability. The wordexp call here allows arbitrary code execution
int ret = wordexp(quoted_path.c_str(), &p, 0);
when parsing a gltf file.
To Reproduce
- OS: Linux
- Compiler, compiler version, compile options: Clang 13.0.1-6
$ git clone https://github.com/syoyo/tinygltf
$ cd tinygltf && make all
$ echo '{"images":[{"uri":"a`echo iamhere > poc`"}], "asset":{"version":""}}' > payload.gltf
$ ./loader_example payload.gltf
$ cat poc
iamhere
Expected behaviour
The echo iamhere > poc command should not be executed, and the poc file should not be created in the CWD.
Additional context
This was found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053
One potential fix here is to pass WRDE_NOCMD to wordexp per https://man7.org/linux/man-pages/man3/wordexp.3.html
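A hardened form of the expansion this issue describes, as an added example (not tinygltf's own code): it calls wordexp() with the WRDE_NOCMD flag suggested above, so a uri containing backticks or $(...) is refused with WRDE_CMDSUB instead of being run by a shell, and it additionally requires the result to be exactly one word. The function names and sample paths are constructed for illustration.

```c
/* Added example: path expansion that refuses command substitution.
 * Builds on Linux/glibc (and musl); wordexp() is POSIX. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Expand a single file path. Returns 0 and writes the expanded word to
 * out on success; returns -1 if the input attempts command substitution
 * (wordexp reports WRDE_CMDSUB), expands to zero or several words, does
 * not fit in out, or fails for any other reason. */
int safe_expand_path(const char *path, char *out, size_t out_len) {
    wordexp_t p;
    memset(&p, 0, sizeof p);
    /* WRDE_NOCMD: `cmd` and $(cmd) make wordexp fail instead of forking sh. */
    int ret = wordexp(path, &p, WRDE_NOCMD);
    if (ret != 0) {
        /* Only WRDE_NOSPACE may leave allocated storage behind. */
        if (ret == WRDE_NOSPACE) wordfree(&p);
        return -1;
    }
    int ok = -1;
    /* A file path must expand to exactly one word; "a b" is not a path. */
    if (p.we_wordc == 1 && strlen(p.we_wordv[0]) < out_len) {
        strcpy(out, p.we_wordv[0]);
        ok = 0;
    }
    wordfree(&p);
    return ok;
}

/* Returns 1 when wordexp() rejects the input specifically because it
 * contains command substitution, 0 otherwise. */
int rejects_command_substitution(const char *path) {
    wordexp_t p;
    memset(&p, 0, sizeof p);
    int ret = wordexp(path, &p, WRDE_NOCMD);
    if (ret == 0 || ret == WRDE_NOSPACE) wordfree(&p);
    return ret == WRDE_CMDSUB;
}

int main(void) {
    char buf[256];
    const char *benign = "/tmp/scene.gltf";          /* constructed sample */
    const char *hostile = "a`echo iamhere > poc`";   /* the uri from the PoC above */
    printf("%s -> %s\n", benign,
           safe_expand_path(benign, buf, sizeof buf) == 0 ? buf : "(rejected)");
    printf("%s -> %s\n", hostile,
           rejects_command_substitution(hostile) ? "rejected (WRDE_CMDSUB)" : "accepted");
    return 0;
}
```

Note that the maintainer's actual fix (commit 52ff00a) removes the expansion altogether, which is the stronger option when, as here, the spec says the value is a URI and never needs shell-style expansion.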
**syoyo** (Owner) commented Aug 16, 2022
@oliverchang Thanks! In ExpandFilePath
std::string ExpandFilePath(const std::string &filepath, void *userdata);
wordexp is used to expand the file path (i.e., expand environment variables and the tilde (~) when a file path contains such symbols).
But according to the glTF spec https://registry.khronos.org/glTF/specs/2.0/glTF-2.0.html#uris , uri must be a URI/IRI, so the file (resource) path should not contain environment variables or a tilde, so we need to use a URI decoder/encoder instead of ExpandFilePath.
Related: #337
**syoyo** (Owner) commented Aug 16, 2022
Disabled file path expansion (so no wordexp anymore) in this commit: 52ff00a
TODO: Proper/strict decoding/encoding of URI asset path:
// https://github.com/syoyo/tinygltf/issues/228
**syoyo** (Owner) commented Aug 16, 2022
@oliverchang Oh, I didn't know GitHub has a Security page 😮 Will take a look at it.
Hi @syoyo, have you had a chance to try generating an advisory for this issue? It’s a crucial part of making sure users of this library are notified of vulnerabilities (and that they need to update).
Related news
Ubuntu Security Notice 7129-1 - It was discovered that TinyGLTF performed file path expansion in an insecure way on certain inputs. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.