diff --git a/SOURCES/gegl-CVE-2021-45463.patch b/SOURCES/gegl-CVE-2021-45463.patch
new file mode 100644
index 0000000..40d8efc
--- /dev/null
+++ b/SOURCES/gegl-CVE-2021-45463.patch
@@ -0,0 +1,70 @@
+From bfce470f0f2f37968862129d5038b35429f2909b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=98yvind=20Kol=C3=A5s?=
+Date: Thu, 16 Dec 2021 00:10:24 +0100
+Subject: [PATCH] magick-load: use more robust g_spawn_async() instead of
+ system()
+
+This fixes issue #298 by avoiding the shell parsing being invoked at
+all, this less brittle than any forms of escaping characters, while
+retaining the ability to address all existing files.
+---
+ operations/common/magick-load.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/operations/common/magick-load.c b/operations/common/magick-load.c
+index e2055b2e9..595169115 100644
+--- a/operations/common/magick-load.c
++++ b/operations/common/magick-load.c
+@@ -41,20 +41,23 @@ load_cache (GeglProperties *op_magick_load)
+ if (!op_magick_load->user_data)
+ {
+ gchar *filename;
+- gchar *cmd;
+ GeglNode *graph, *sink, *loader;
+ GeglBuffer *newbuf = NULL;
+
+ /* ImageMagick backed fallback FIXME: make this robust.
+ * maybe use pipes in a manner similar to the raw loader,
+ * or at least use a properly unique filename */
++ char *argv[4] = {"convert", NULL, NULL, NULL};
+
+ filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
+- cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
+- op_magick_load->path, filename);
+- if (system (cmd) == -1)
++
++ argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
++ argv[2] = filename;
++ if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT,
++ NULL, NULL, NULL, NULL, NULL, NULL))
+ g_warning ("Error executing ImageMagick convert program");
+
++ g_free (argv[1]);
+
+ graph = gegl_node_new ();
+ sink = gegl_node_new_child (graph,
+@@ -67,7 +70,6 @@ load_cache (GeglProperties *op_magick_load)
+ gegl_node_process (sink);
+ op_magick_load->user_data = (gpointer) newbuf;
+ g_object_unref (graph);
+- g_free (cmd);
+ g_free (filename);
+ }
+ }
+--
+GitLab
+
+
+diff -urNp a/tools/exp_combine.cpp b/tools/exp_combine.cpp
+--- a/tools/exp_combine.cpp 2022-01-10 15:03:42.765909209 +0100
++++ b/tools/exp_combine.cpp 2022-01-10 15:04:16.864158424 +0100
+@@ -8,8 +8,7 @@
+
+ #include
+
+-#include
+-#include
++#include
+
+ using namespace std;
+
diff --git a/SPECS/gegl04.spec b/SPECS/gegl04.spec
index 6585d16..83a14bf 100644
--- a/SPECS/gegl04.spec
+++ b/SPECS/gegl04.spec
@@ -2,7 +2,7 @@ Name: gegl04 Version: 0.4.4 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Graph based image processing framework # The binary is under the GPL, while the libs are under LGPL.
@@ -11,6 +11,8 @@ License: LGPLv3+ URL: http://www.gegl.org/ Source0: http://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2 +Patch1: gegl-CVE-2021-45463.patch + BuildRequires: chrpath BuildRequires: enscript BuildRequires: gcc-c++
@@ -96,7 +98,7 @@ GEGL library. %prep %setup -q -n gegl-%{version} - +%patch1 -p1 -b .CVE-2021-45463 %build %configure --disable-static
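Review bot: The `g_spawn_sync` call added in the magick-load.c part of this patch passes `G_SPAWN_DEFAULT`, and GLib documents that without `G_SPAWN_SEARCH_PATH` argv[0] must be a full path, so the bare `"convert"` is not looked up in PATH and on POSIX would at best resolve against the current working directory; use `G_SPAWN_SEARCH_PATH` in place of `G_SPAWN_DEFAULT`, or an absolute path fixed at build time. The call also passes NULL for both the exit status and the GError, so a convert run that starts but fails is not reported, and the code goes on to load whatever already exists at the predictable `gegl-magick.png` path in the shared temp directory that the FIXME comment mentions; I would capture both and return before building the graph on failure. Dropping the shell removes the injection tracked as CVE-2021-45463, but `op_magick_load->path` still reaches convert as its first argument, so a path beginning with `-` would be parsed as an option; prefixing relative paths with `./` before appending `[0]` would avoid that. load_cache's body starts and ends outside the lines shown in the patch.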
@@ -149,6 +151,9 @@ find %{buildroot} -name '*.la' -delete %changelog +* Tue Jan 11 2022 Josef Ridky - 0.4.4-7 +- Fix CVE-2021-45463 (#2035424) + * Wed Oct 03 2018 Debarshi Ray - 0.4.4-6 - Rebuild against new LibRaw soname Resolves: #1633708