gegl: CVE-2021-45463


Debian Bug report logs - #1002661
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 26 Dec 2021 21:03:01 UTC

Severity: important

Tags: security, upstream

Found in version gegl/1:0.4.32-2

Fixed in version gegl/1:0.4.34-1

Done: Jeremy Bicha <jbicha@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1002661; Package src:gegl. (Sun, 26 Dec 2021 21:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 26 Dec 2021 21:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gegl: CVE-2021-45463
Date: Sun, 26 Dec 2021 22:00:21 +0100
Source: gegl
Version: 1:0.4.32-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for gegl.

CVE-2021-45463[0]:
| GEGL before 0.4.34, as used (for example) in GIMP before 2.10.30,
| allows shell expansion when a pathname in a constructed command line
| is not escaped or filtered. This is caused by use of the system
| library function for execution of the ImageMagick convert fallback in
| magick-load.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45463

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
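The CVE text above describes a pathname that reaches the shell because the converter is launched with system(). As an added example (not GEGL's or Debian's code), here are the two usual defences in C: an argv-based posix_spawnp() so no shell parses the name at all, and, where a shell cannot be avoided, single-quote escaping plus a metacharacter check that an audit can apply to such inputs. The `convert IN OUT` argv layout is assumed here, not taken from magick-load.

```c
/* Added example, not GEGL's code: defences against the CVE-2021-45463
 * pattern of splicing an unquoted pathname into a system() command line. */
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* True if a POSIX shell would treat some character in name specially. */
bool path_needs_shell_quoting(const char *name)
{
    return strpbrk(name, " \t\n'\"`$\\|&;<>()*?[]#~{}!") != NULL;
}

/* Wrap s in single quotes, rewriting each embedded ' as '\''.
 * Returns the length written, or -1 if buf cannot hold the result. */
int shell_quote(const char *s, char *buf, size_t size)
{
    size_t n = 0;
    if (size < 2) return -1;
    buf[n++] = '\'';
    for (; *s; s++) {
        const char *rep = (*s == '\'') ? "'\\''" : NULL;
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 >= size) return -1;  /* room for closing quote + NUL */
        if (rep) memcpy(buf + n, rep, len); else buf[n] = *s;
        n += len;
    }
    if (n + 1 >= size) return -1;
    buf[n++] = '\''; buf[n] = '\0';
    return (int)n;
}

/* Run "convert IN OUT" (argv layout assumed, not taken from magick-load)
 * without a shell, so $(...), backticks and ';' in a path are plain bytes.
 * Returns the child's exit status, or -1 if it could not be spawned. */
int run_convert_argv(const char *in_path, const char *out_path)
{
    char *const argv[] = { "convert", (char *)in_path, (char *)out_path, NULL };
    pid_t pid; int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

run_convert_argv() needs an ImageMagick `convert` on PATH to do anything useful; the quoting helpers are pure string functions.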



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1002661. (Sun, 26 Dec 2021 22:48:08 GMT)


Message #8 received at 1002661-submitter@bugs.debian.org:

From: Jeremy Bicha <noreply@salsa.debian.org>
To: 1002661-submitter@bugs.debian.org
Subject: Bug#1002661 marked as pending in gegl
Date: Sun, 26 Dec 2021 22:45:44 +0000
Control: tag -1 pending

Hello,

Bug #1002661 in gegl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/gegl/-/commit/ae6ff6e4218662a158230ecc71355be31fe593df

------------------------------------------------------------------------
New upstream release

Closes: #1002661
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1002661



Added tag(s) pending. Request was from Jeremy Bicha <noreply@salsa.debian.org> to 1002661-submitter@bugs.debian.org. (Sun, 26 Dec 2021 22:48:08 GMT)


Reply sent to Jeremy Bicha <jbicha@debian.org>:
You have taken responsibility. (Sun, 26 Dec 2021 23:06:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 26 Dec 2021 23:06:06 GMT)


Message #15 received at 1002661-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1002661-close@bugs.debian.org
Subject: Bug#1002661: fixed in gegl 1:0.4.34-1
Date: Sun, 26 Dec 2021 23:03:44 +0000
Source: gegl
Source-Version: 1:0.4.34-1
Done: Jeremy Bicha <jbicha@debian.org>

We believe that the bug you reported is fixed in the latest version of
gegl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <jbicha@debian.org> (supplier of updated gegl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 26 Dec 2021 17:43:33 -0500
Source: gegl
Built-For-Profiles: noudeb
Architecture: source
Version: 1:0.4.34-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bicha <jbicha@debian.org>
Closes: 1002661
Changes:
 gegl (1:0.4.34-1) unstable; urgency=high
 .
   * New upstream release
     - Includes fix for CVE-2021-45463 (Closes: #1002661)
   * Drop all patches: applied in new release
   * Drop debian/rules & debian/clean workaround for endian issue fixed in
     new release







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Dec 27 14:40:34 2021; Machine Name: bembo
