Bug 2035383 (CVE-2021-45463) - CVE-2021-45463 gegl: shell expansion via a crafted pathname
Summary: CVE-2021-45463 gegl: shell expansion via a crafted pathname
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-45463
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2035384 2035416 2035417 2035418 2035419 2035420 2035421 2035422 2035423 2035424 2035425 2035426 2035427 2035428
Blocks: 2035385
TreeView+ depends on / blocked
 
Reported: 2021-12-23 20:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-01-19 12:00 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Due to the use of the system command in the Magick-Load op used by gegl an attacker is able to craft a command line path that is able to lead to the execution of arbitrary shell commands that impacts availability, confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2022-01-19 12:00:38 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0162 0 None None None 2022-01-18 13:56:04 UTC
Red Hat Product Errata RHSA-2022:0177 0 None None None 2022-01-19 10:01:05 UTC
Red Hat Product Errata RHSA-2022:0178 0 None None None 2022-01-19 10:01:32 UTC
Red Hat Product Errata RHSA-2022:0184 0 None None None 2022-01-19 11:04:15 UTC

Description Guilherme de Almeida Suckevicz 2021-12-23 20:21:40 UTC 
GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.

Reference:
https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc

Upstream patch:
https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
Comment 1 Guilherme de Almeida Suckevicz 2021-12-23 20:21:52 UTC 
Created gegl04 tracking bugs for this issue:

Affects: fedora-all [bug 2035384]
Comment 4 Garrett Tucker 2021-12-24 00:45:46 UTC 
Filed relevant trackers. However, at this time there is no gegl included in RHEL 9. Will keep an eye out for its possible inclusion in the future, but for right now, no effect on RHEL 9.
Comment 5 Josef Ridky 2022-01-04 12:12:09 UTC 
There is no gegl04 in RHEL9 as it is requirement for GIMP package, which is currently unavailable for RHEL-9, once GIMP release new version, gegl04 in version 0.4.34 or higher will become part of RHEL9 as well.
Comment 6 errata-xmlrpc 2022-01-18 13:56:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0162 https://access.redhat.com/errata/RHSA-2022:0162
Comment 7 errata-xmlrpc 2022-01-19 10:01:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0177 https://access.redhat.com/errata/RHSA-2022:0177
Comment 8 errata-xmlrpc 2022-01-19 10:01:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0178 https://access.redhat.com/errata/RHSA-2022:0178
Comment 9 errata-xmlrpc 2022-01-19 11:04:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0184 https://access.redhat.com/errata/RHSA-2022:0184
Comment 10 Product Security DevOps Team 2022-01-19 12:00:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45463
Note You need to log in before you can comment on or make changes to this bug.