Extern: Update TinyGLTF to include fix for CVE-2022-3008

The use of wordexp(3) permits arbitrary code execution from manually-crafted
glTF files. See https://github.com/syoyo/tinygltf/issues/368 for more details.
In practice this shouldn't be an issue for Blender since the GlTF data isn't
manually crafted but from the OpenXR runtime (a bit like a driver). But
updating the library to include the fix is not a big deal anyway.

Note that the warning that required the local modification is no longer present upstream since
  0bfcb4f49e

Pull Request: https://projects.blender.org/blender/blender/pulls/105536
Julian Squires 2023-03-10 14:56:35 +01:00 committed by Julian Eisel
parent a60626ab0b
commit 466eb426ed
3 changed files with 1193 additions and 897 deletions


@ -1,6 +1,5 @@
Project: TinyGLTF
URL: https://github.com/syoyo/tinygltf
License: MIT
Upstream version: 2.5.0, 19a41d20ec0
Local modifications:
* Silence "enum value not handled in switch" warnings due to JSON dependency.
Upstream version: 2.8.3, 84a83d39f55d
Local modifications: None
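
Review bot: The new `Upstream version: 2.8.3, 84a83d39f55d` line does not record why the version was bumped, so nothing in this file tells a later maintainer that re-vendoring an older TinyGLTF would bring back the wordexp(3) issue tracked as CVE-2022-3008. Consider adding a short line under the version entry that names the CVE and the upstream issue (https://github.com/syoyo/tinygltf/issues/368). Since `Local modifications: None` replaces the entry about silencing "enum value not handled in switch" warnings, it is also worth confirming that the unmodified upstream header builds without that warning before dropping the note.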

Binary file not shown.

File diff suppressed because it is too large.