load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
References
Link | Resource |
---|---|
https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc | Release Notes Third Party Advisory |
https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b | Patch Third Party Advisory |
https://gitlab.gnome.org/GNOME/gegl/-/issues/298 | Vendor Advisory |
https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868 | Patch Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CG635WJCNXHJM5U4BGMAAP4NK2YFTQXK/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP5NDNOTMPI335FXE7VUPW7FXYTT7PYN/ | |
https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/ | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-12-23T06:00:57
Updated: 2022-01-21T15:58:08
Reserved: 2021-12-23T00:00:00
Link: CVE-2021-45463
JSON object: View
NVD Information
Status : Modified
Published: 2021-12-23T06:15:06.787
Modified: 2023-11-07T03:39:51.153
Link: CVE-2021-45463
JSON object: View
Redhat Information
No data.
CWE