Control: found -1 2.0.0~rc5+dfsg1-4
Control: fixed -1 2.0.0~rc9+dfsg-1

Hi,

On Mon, 11 Jul 2022 21:17:31 +0200 =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= 
<[email protected]> wrote:
CVE-2020-28589[0]:
| An improper array index validation vulnerability exists in the LoadObj
| functionality of tinyobjloader v2.0-rc1 and tinyobjloader development
| commit 79d4421. A specially crafted file could lead to code execution.
| An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1212
The report has no proof of concept, but I could confirm that invalid
face indices end up in the shape structure. The issue is fixed with
commit 7ba4b652ee0c5175ec8abf66199e84d88adf11f1 and the 2.0.0rc9
pre-release.


Cheers
Timo

--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯

Attachment: signature.asc
Description: PGP signature

Reply via email to