CVE-2021-45463

NameCVE-2021-45463
Descriptionload_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1002661

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gegl (PTS)buster0.4.12-2vulnerable
bullseye1:0.4.26-2vulnerable
bookworm, sid1:0.4.40-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
geglsource(unstable)1:0.4.34-11002661

Notes

[bullseye] - gegl <no-dsa> (Minor issue)
[buster] - gegl <no-dsa> (Minor issue)
[stretch] - gegl <no-dsa> (Minor issue; can be fixed later)
Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b (GEGL_0_4_34)
Followup: https://gitlab.gnome.org/GNOME/gegl/-/commit/2172cf7e8d7e8891ae2053d6eef213d5bef939cb (GEGL_0_4_34)
Search for package or bug name: Reporting problems