Ubuntu Security Notice USN-7129-1

Ubuntu Security Notice 7129-1 - It was discovered that TinyGLTF performed file path expansion in an insecure way on certain inputs. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

Packet Storm
==========================================================================
Ubuntu Security Notice USN-7129-1
November 26, 2024

TinyGLTF vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

TinyGLTF could be made to crash or run programs as your login if it
received specially crafted input.

Software Description:
- tinygltf: glTF loader and saver library

Details:

It was discovered that TinyGLTF performed file path expansion in an
insecure way on certain inputs. An attacker could possibly use this
issue to cause a denial of service, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libtinygltf-dev                 2.5.0+dfsg-4ubuntu0.1
  libtinygltf1d                   2.5.0+dfsg-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7129-1
  CVE-2022-3008

Package Information:
  https://launchpad.net/ubuntu/+source/tinygltf/2.5.0+dfsg-4ubuntu0.1

Related news

CVE-2022-3008: Command injection via wordexp call. · Issue #368 · syoyo/tinygltf

The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.
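As an added illustration (not code from tinygltf or from the advisory, and not a description of the upstream fix), the C sketch below shows one way to call wordexp() on an untrusted path so that command substitution is refused rather than executed. The helper name expand_untrusted_path, its return codes and the sample paths are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

enum { EXPAND_OK = 0, EXPAND_REJECTED = -1, EXPAND_FAILED = -2 };

/* Hypothetical helper, not tinygltf's API: expand a path read from an
 * untrusted asset file without letting wordexp() start a shell command. */
int expand_untrusted_path(const char *path, char *out, size_t outlen)
{
    wordexp_t we;
    int rc, result = EXPAND_REJECTED;

    if (path == NULL || out == NULL || outlen == 0)
        return EXPAND_FAILED;
    memset(&we, 0, sizeof we);

    /* WRDE_NOCMD turns `cmd` and $(cmd) into the error WRDE_CMDSUB instead
     * of executing them; WRDE_UNDEF makes unset $VARIABLES an error too. */
    rc = wordexp(path, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc == WRDE_NOSPACE) {
        wordfree(&we);              /* partial results may be allocated */
        return EXPAND_FAILED;
    }
    if (rc != 0)                    /* CMDSUB, BADCHAR, BADVAL, SYNTAX */
        return EXPAND_REJECTED;

    /* A file path must expand to exactly one word that fits the buffer. */
    if (we.we_wordc == 1 && strlen(we.we_wordv[0]) < outlen) {
        strcpy(out, we.we_wordv[0]);
        result = EXPAND_OK;
    }
    wordfree(&we);
    return result;
}

int main(void)
{
    /* Constructed sample inputs; the substituted command is a harmless echo. */
    const char *samples[] = { "textures/wood.png", "textures/`echo x`.png",
                              "textures/$(echo x).png", "a b.png" };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = expand_untrusted_path(samples[i], buf, sizeof buf);
        printf("%-26s -> %s\n", samples[i], rc == EXPAND_OK ? buf : "rejected");
    }
    return 0;
}
```

Where tilde or variable expansion is not actually needed for asset paths, not calling wordexp() on file-supplied strings at all removes this class of problem entirely.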
