CVE-2022-3008: Command injection via wordexp call. · Issue #368 · syoyo/tinygltf

The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.

Closed · oliverchang opened this issue on Aug 16, 2022 · 5 comments

Describe the issue

This is a security vulnerability. The wordexp call here allows arbitrary code execution

int ret = wordexp(quoted_path.c_str(), &p, 0);

when parsing a gltf file.

To Reproduce

  • OS: Linux
  • Compiler, compiler version, compile options: Clang 13.0.1-6

$ git clone https://github.com/syoyo/tinygltf
$ cd tinygltf && make all
$ echo '{"images":[{"uri":"a`echo iamhere > poc`"}], "asset":{"version":""}}' > payload.gltf
$ ./loader_example payload.gltf
$ cat poc
iamhere

Expected behaviour
The echo iamhere > poc command should not be executed, and the poc file should not be created in the CWD.

Additional context
This was found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053

One potential fix here is to pass WRDE_NOCMD to wordexp per https://man7.org/linux/man-pages/man3/wordexp.3.html
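The WRDE_NOCMD mitigation suggested above, written out as an added example that is not tinygltf's code (the project's own fix, commit 52ff00a, removed the wordexp call altogether): a wrapper that still expands $VAR and ~ like ExpandFilePath did, but asks wordexp(3) to reject command substitution, unset variables and shell metacharacters, and refuses input that does not expand to exactly one word. The names safe_expand_path and ExpandStatus and all sample inputs are made up for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Result of safe_expand_path(); the names are made up for this example. */
typedef enum { EXPAND_OK = 0, EXPAND_REJECTED = 1, EXPAND_ERROR = 2 } ExpandStatus;

/* Expand $VAR and ~ in `path`, but with wordexp(3) flags that refuse anything
 * that would need a shell. Writes the single expanded word into `out`
 * (size out_len). Returns EXPAND_REJECTED for input containing command
 * substitution, unset variables, shell metacharacters (|, &, ;, <, >, ...),
 * or input that does not expand to exactly one word. */
ExpandStatus safe_expand_path(const char *path, char *out, size_t out_len) {
    wordexp_t p;
    /* WRDE_NOCMD: return WRDE_CMDSUB instead of running `cmd` or $(cmd).
     * WRDE_UNDEF: an unset $VAR is an error, not a silent empty string. */
    int ret = wordexp(path, &p, WRDE_NOCMD | WRDE_UNDEF);
    if (ret != 0) {
        /* Per wordexp(3), wordfree() is only valid after WRDE_NOSPACE. */
        if (ret == WRDE_NOSPACE) wordfree(&p);
        return (ret == WRDE_NOSPACE) ? EXPAND_ERROR : EXPAND_REJECTED;
    }
    ExpandStatus st = EXPAND_REJECTED; /* e.g. a space split it into 2 words */
    if (p.we_wordc == 1) {
        if (strlen(p.we_wordv[0]) < out_len) {
            strcpy(out, p.we_wordv[0]);
            st = EXPAND_OK;
        } else {
            st = EXPAND_ERROR; /* caller's buffer is too small */
        }
    }
    wordfree(&p);
    return st;
}

int main(void) {
    /* Constructed inputs: a PoC-style uri from the issue plus benign paths. */
    const char *inputs[] = { "a`echo iamhere > poc`", "$(id)/x", "~/model.bin",
                             "$HOME/model.bin", "my models/scene.bin" };
    char out[4096];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        ExpandStatus st = safe_expand_path(inputs[i], out, sizeof out);
        printf("%-24s -> %s\n", inputs[i],
               st == EXPAND_OK ? out : st == EXPAND_REJECTED ? "REJECTED" : "ERROR");
    }
    return 0;
}
```

The rejected space-in-filename case also shows why wordexp is a poor fit for glTF uris in the first place: a legitimate path gets field-split, which is one reason to decode the URI instead of expanding it.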

**syoyo** (Owner) commented Aug 16, 2022

@oliverchang Thanks! In ExpandFilePath

std::string ExpandFilePath(const std::string &filepath, void *userdata);

wordexp is used to expand the file path (i.e., expand environment variables and the tilde (~) when a file path contains such symbols).

But according to the glTF spec https://registry.khronos.org/glTF/specs/2.0/glTF-2.0.html#uris , uri must be a URI/IRI, so the file (resource) path should not contain environment variables or a tilde, so we need to use a URI decoder/encoder instead of ExpandFilePath.

Related: #337

**syoyo** (Owner) commented Aug 16, 2022

Disabled file path expansion (so no wordexp anymore) in this commit: 52ff00a

TODO: Proper/strict decoding/encoding of URI asset path:

// https://github.com/syoyo/tinygltf/issues/228

**syoyo** (Owner) commented Aug 16, 2022

@oliverchang Oh, I didn't know GitHub has a Security page 😮 Will take a look at it.

Hi @syoyo, have you had a chance to try generating an advisory for this issue? It’s a crucial part of making sure users of this library are notified of vulnerabilities (and that they need to update).

Related news

Ubuntu Security Notice USN-7129-1

Ubuntu Security Notice 7129-1 - It was discovered that TinyGLTF performed file path expansion in an insecure way on certain inputs. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.