CVE-2021-45463 (https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b): GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. Please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f70b4a9075811da1eb30138b756278d8650e9ded commit f70b4a9075811da1eb30138b756278d8650e9ded Author: Sergey Torokhov <torokhov-s-a@yandex.ru> AuthorDate: 2021-12-23 21:18:16 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-24 04:45:13 +0000 media-libs/gegl: 0.4.34 version bump Bug: https://bugs.gentoo.org/829880 Signed-off-by: Sergey Torokhov <torokhov-s-a@yandex.ru> Signed-off-by: Sam James <sam@gentoo.org> media-libs/gegl/Manifest | 1 + media-libs/gegl/gegl-0.4.34.ebuild | 157 +++++++++++++++++++++++++++++++++++++ media-libs/gegl/gegl-9999.ebuild | 2 +- 3 files changed, 159 insertions(+), 1 deletion(-)
Please stable when ready, thanks!
(In reply to Sam James from comment #2) > Please stable when ready, thanks! Should I ask to stabilize media-libs/gegl-0.4.34 in separate issue or it's could be done here by security/arches teams?
(In reply to Sergey Torokhov from comment #3) > (In reply to Sam James from comment #2) > > Please stable when ready, thanks! > > Should I ask to stabilize media-libs/gegl-0.4.34 in separate issue or it's > could be done here by security/arches teams? File a separate bug and have it block this one if that's ok :)
(In reply to Sam James from comment #4) > (In reply to Sergey Torokhov from comment #3) > > (In reply to Sam James from comment #2) > > > Please stable when ready, thanks! > > > > Should I ask to stabilize media-libs/gegl-0.4.34 in separate issue or it's > > could be done here by security/arches teams? > > File a separate bug and have it block this one if that's ok :) (Note that for security bugs you do not need to wait 30 days)
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ed3104af9d0bc7b2aaccaa0a423f0522b91ab10 commit 3ed3104af9d0bc7b2aaccaa0a423f0522b91ab10 Author: Sergey Torokhov <torokhov-s-a@yandex.ru> AuthorDate: 2022-03-14 19:18:25 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-03-15 04:05:20 +0000 media-libs/gegl: drop <gegl-0.4.34, CVE-2021-45463 affected Bug: https://bugs.gentoo.org/829880 Signed-off-by: Sergey Torokhov <torokhov-s-a@yandex.ru> Signed-off-by: John Helmert III <ajak@gentoo.org> media-libs/gegl/Manifest | 4 - .../files/gegl-0.4.18-drop-failing-tests.patch | 43 ------ .../gegl/files/gegl-0.4.18-program-suffix.patch | 39 ----- .../files/gegl-0.4.26-fix-build-glib-2.67.3.patch | 24 --- .../files/gegl-0.4.30-fix-build-openexr-3.patch | 22 --- media-libs/gegl/gegl-0.4.26-r1.ebuild | 167 --------------------- media-libs/gegl/gegl-0.4.28.ebuild | 167 --------------------- media-libs/gegl/gegl-0.4.30.ebuild | 161 -------------------- media-libs/gegl/gegl-0.4.32.ebuild | 157 ------------------- 9 files changed, 784 deletions(-)
Can we close this?