
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper array index validation vulnerability exists in the LoadObj functionality of tinyobjloader v2.0-rc1 and tinyobjloader development commit 79d4421. The vulnerability, tracked as CVE-2020-28589, was discovered by Lilith >> of Cisco Talos. Tinyobjloader is an extremely portable Wavefront OBJ loader library used in multiple graphics-rendering projects ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1212)).
The vulnerability exists in the LoadObj function, where array indices are not properly validated. When triangulating vertices, the validation check at certain points simply continues the loop instead of rejecting the invalid index. As a result, despite the earlier validations, invalid indices (including negative ones) can still be inserted into the shape structure and are later used to index the attrib.vertices array. The vulnerability has been assigned a CVSSv3 score of 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as CWE-129 - Improper Validation of Array Index (Talos Report).
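The failure mode described above is an index that survives into the shape structure without having been checked against the vertex count. The following added example (written for this page; it is not tinyobjloader's code and the names `resolveIndex`, `parseFace` and `triangulate` are hypothetical) shows the defensive pattern: every OBJ face index, including the negative relative form the format allows, is resolved and bounds-checked at parse time, and a single bad index rejects the whole face rather than letting the loop continue with a partially validated polygon. The fan triangulation that follows therefore never indexes the coordinate array out of range.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: resolve one OBJ vertex index into a zero-based
// position, or return false if it is out of range. OBJ indices are 1-based;
// negative values count back from the last vertex seen so far; 0 is invalid.
bool resolveIndex(long raw, std::size_t vertexCount, std::size_t &out) {
    if (raw > 0) {
        if (static_cast<unsigned long>(raw) > vertexCount) return false;
        out = static_cast<std::size_t>(raw - 1);
        return true;
    }
    if (raw < 0) {
        // Unsigned negation avoids overflow for the most negative long.
        unsigned long back = 0UL - static_cast<unsigned long>(raw);
        if (back > vertexCount) return false;
        out = vertexCount - back;
        return true;
    }
    return false;
}

struct Face { std::vector<std::size_t> idx; };

// Parse one "f" line (e.g. "f 1 2 -1" or "f 1/1/1 2/2/2 3/3/3") against the
// number of vertices read so far. A bad index rejects the whole face; nothing
// unchecked is ever stored. Only the vertex part of v/vt/vn tokens is used.
bool parseFace(const std::string &line, std::size_t vertexCount, Face &face) {
    std::istringstream in(line);
    std::string tok;
    if (!(in >> tok) || tok != "f") return false;
    Face tmp;
    while (in >> tok) {
        std::string vpart = tok.substr(0, tok.find('/'));
        char *end = nullptr;
        errno = 0;
        long raw = std::strtol(vpart.c_str(), &end, 10);
        if (end == vpart.c_str() || *end != '\0' || errno == ERANGE) return false;
        std::size_t resolved = 0;
        if (!resolveIndex(raw, vertexCount, resolved)) return false;
        tmp.idx.push_back(resolved);
    }
    if (tmp.idx.size() < 3) return false;  // a face needs at least a triangle
    face = tmp;
    return true;
}

// Fan-triangulate a validated polygon and gather the referenced x,y,z
// coordinates. Every index was bounds-checked at parse time, so the lookup
// into `vertices` (packed triples) cannot run out of range; .at() is kept
// as a second line of defence.
std::vector<float> triangulate(const Face &face, const std::vector<float> &vertices) {
    std::vector<float> out;
    for (std::size_t i = 1; i + 1 < face.idx.size(); ++i) {
        const std::size_t tri[3] = {face.idx[0], face.idx[i], face.idx[i + 1]};
        for (std::size_t k = 0; k < 3; ++k) {
            out.push_back(vertices.at(3 * tri[k]));
            out.push_back(vertices.at(3 * tri[k] + 1));
            out.push_back(vertices.at(3 * tri[k] + 2));
        }
    }
    return out;
}

// Convenience wrappers: the k-th resolved index of a face line, or -1 when
// the face is rejected; and the number of floats produced by triangulation.
long faceIndexAt(const std::string &line, std::size_t vertexCount, std::size_t k) {
    Face f;
    if (!parseFace(line, vertexCount, f) || k >= f.idx.size()) return -1;
    return static_cast<long>(f.idx[k]);
}

std::size_t triangulatedFloatCount(const std::string &line, const std::vector<float> &vertices) {
    Face f;
    if (!parseFace(line, vertices.size() / 3, f)) return 0;
    return triangulate(f, vertices).size();
}

int main() {
    // Constructed sample: a unit square (4 vertices) followed by face lines,
    // two of which reference vertices that do not exist.
    const std::vector<float> verts = {0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0};
    const char *lines[] = {"f 1 2 3 4", "f 1 2 -1", "f 1 2 5", "f 1 2 -5", "f 1 2 0"};
    for (const char *l : lines) {
        std::size_t n = triangulatedFloatCount(l, verts);
        std::cout << l << " -> " << (n ? "accepted, " : "rejected, ")
                  << n / 9 << " triangle(s)\n";
    }
    return 0;
}
```

The key design choice is that `parseFace` returns a whole validated face or nothing: a `continue` on an invalid index would leave the earlier indices of the same face in the structure and let a later consumer such as `triangulate` trust them.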
A specially crafted file could lead to code execution when processed by the affected versions of tinyobjloader. The vulnerability could result in out-of-bounds memory access, potentially leading to code execution depending on how the values are used by the program utilizing the tinyobjloader library (Talos Blog).
The vulnerability affects tinyobjloader v2.0-rc1 and development commit 79d4421. Users should update to a patched version of the software. Additionally, Snort rules 56539 and 56540 have been released to detect exploitation attempts (Talos Blog).
Source: This report was generated using AI