Bug 2035383 (CVE-2021-45463)

Summary: CVE-2021-45463 gegl: shell expansion via a crafted pathname
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jridky, nphilipp
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
Due to the use of the system() library function in the Magick-Load op used by gegl, an attacker is able to craft a pathname that, once inserted into the command line, leads to the execution of arbitrary shell commands, impacting availability, confidentiality and integrity.
Last Closed: 2022-01-19 12:00:38 UTC
Bug Depends On: 2035384, 2035416, 2035417, 2035418, 2035419, 2035420, 2035421, 2035422, 2035423, 2035424, 2035425, 2035426, 2035427, 2035428
Bug Blocks: 2035385

Description Guilherme de Almeida Suckevicz 2021-12-23 20:21:40 UTC
GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.

Reference:
https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc

Upstream patch:
https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
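
The pattern the description refers to, as an added illustration that is neither gegl's code nor the upstream patch: a pathname pasted into a system() command string (only built here, never executed) next to an argv-based posix_spawnp() call that hands the pathname to the converter without any shell parsing, plus a metacharacter check useful when reviewing similar code. `true` stands in for `convert` so the example runs without ImageMagick; the sample filename and `/tmp/out.png` are constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>

extern char **environ;

/* Vulnerable shape (reconstructed from the advisory's description, not gegl's code):
 * the pathname is interpolated into a string that system() would pass to /bin/sh.
 * Double quotes do not help: $(...) and backticks are expanded inside them.
 * Returns the command line that would be executed, or NULL if it did not fit. */
static char cmdline_buf[512];
const char *build_convert_cmdline_unsafe(const char *path)
{
    int n = snprintf(cmdline_buf, sizeof cmdline_buf, "convert \"%s\" /tmp/out.png", path);
    return (n < 0 || (size_t)n >= sizeof cmdline_buf) ? NULL : cmdline_buf;
}

/* Review aid: returns 1 if the pathname contains anything /bin/sh would interpret. */
int path_has_shell_metachars(const char *path)
{
    return strpbrk(path, "`$\"'\\|&;<>()*?[]{}~ \t\n") != NULL;
}

/* Safe shape: an argv array goes straight to the program via posix_spawnp(), so the
 * pathname is one opaque argument. Returns the child's exit status, or -1 on error. */
int run_convert_safe(const char *prog, const char *path, const char *outpath)
{
    char *argv[] = { (char *)prog, (char *)path, (char *)outpath, NULL };
    pid_t pid;
    int status;

    if (posix_spawnp(&pid, prog, NULL, NULL, argv, environ) != 0)
        return -1;                      /* spawn failed, e.g. program not found */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample pathname carrying a harmless command substitution. */
    const char *crafted = "photo $(true).png";
    printf("system() would receive: %s\n", build_convert_cmdline_unsafe(crafted));
    printf("shell metachars present: %d\n", path_has_shell_metachars(crafted));
    printf("argv spawn exit status: %d\n", run_convert_safe("true", crafted, "/tmp/out.png"));
    return 0;
}
```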

Comment 1 Guilherme de Almeida Suckevicz 2021-12-23 20:21:52 UTC
Created gegl04 tracking bugs for this issue:

Affects: fedora-all [bug 2035384]

Comment 4 Garrett Tucker 2021-12-24 00:45:46 UTC
Filed relevant trackers. However, at this time there is no gegl included in RHEL 9. Will keep an eye out for its possible inclusion in the future, but for right now, no effect on RHEL 9.

Comment 5 Josef Ridky 2022-01-04 12:12:09 UTC
There is no gegl04 in RHEL 9, as it is a requirement of the GIMP package, which is currently unavailable for RHEL 9. Once GIMP releases a new version, gegl04 in version 0.4.34 or higher will become part of RHEL 9 as well.

Comment 6 errata-xmlrpc 2022-01-18 13:56:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0162 https://access.redhat.com/errata/RHSA-2022:0162

Comment 7 errata-xmlrpc 2022-01-19 10:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0177 https://access.redhat.com/errata/RHSA-2022:0177

Comment 8 errata-xmlrpc 2022-01-19 10:01:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0178 https://access.redhat.com/errata/RHSA-2022:0178

Comment 9 errata-xmlrpc 2022-01-19 11:04:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0184 https://access.redhat.com/errata/RHSA-2022:0184

Comment 10 Product Security DevOps Team 2022-01-19 12:00:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45463