ALT-PU-2022-1871-1
Closed vulnerabilities
Published: 2021-12-23
BDU:2022-02388
Vulnerability in the load_cache function of the GIMP graphics editor that allows an attacker to pass specially crafted data to the application and execute arbitrary OS commands on the target system
Severity: HIGH (8.8)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: 2021-12-23
Modified: 2024-11-21
CVE-2021-45463
load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc
- https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
- https://gitlab.gnome.org/GNOME/gegl/-/issues/298
- https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868
- FEDORA-2022-a1c5b18362
- FEDORA-2022-5b5a738d7a
- https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/