DEBIAN-CVE-2021-45463

load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.

References

https://security-tracker.debian.org/tracker/CVE-2021-45463

Affected packages

Debian:11 / gegl

Package

Name: gegl
Purl: pkg:deb/debian/gegl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:0.4.26-2+deb11u1

Affected versions

1:0.*

1:0.4.26-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / gegl

Package

Name: gegl
Purl: pkg:deb/debian/gegl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:0.4.34-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gegl

Package

Name: gegl
Purl: pkg:deb/debian/gegl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:0.4.34-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / gegl

Package

Name: gegl
Purl: pkg:deb/debian/gegl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:0.4.34-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}