Extern: Update TinyGLTF to include fix for CVE-2022-3008
The use of wordexp(3) permits arbitrary code execution from manually-crafted glTF files. See https://github.com/syoyo/tinygltf/issues/368 for more details. In practice this shouldn't be an issue for Blender since the GlTF data isn't manually crafted but from the OpenXR runtime (a bit like a driver). But updating the library to include the fix is not a big deal anyway. Note that the warning that required the local modification is no longer present upstream since https://github.com/syoyo/tinygltf/commit/0bfcb4f49e0b149c41ba67eeb3b64f297c1637f5 Pull Request: https://projects.blender.org/blender/blender/pulls/105536
This commit is contained in:
committed by
Julian Eisel
parent
a60626ab0b
commit
466eb426ed
Vendored
+2
-3
@@ -1,6 +1,5 @@
|
||||
Project: TinyGLTF
|
||||
URL: https://github.com/syoyo/tinygltf
|
||||
License: MIT
|
||||
Upstream version: 2.5.0, 19a41d20ec0
|
||||
Local modifications:
|
||||
* Silence "enum value not handled in switch" warnings due to JSON dependency.
|
||||
Upstream version: 2.8.3, 84a83d39f55d
|
||||
Local modifications: None
|
||||
|
||||
BIN
Binary file not shown.
Vendored
+1191
-894
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user