{"id":"OESA-2021-1150","summary":"rubygem-mini_magick security update","details":"A ruby wrapper for ImageMagick command line. Using MiniMagick the ruby processes memory remains small (it spawns ImageMagick's command line program mogrify which takes up some memory as well, but is much smaller compared to RMagick).\r\n\r\nSecurity Fix(es):\r\n\r\nIn lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.(CVE-2019-13574)","modified":"2026-03-11T05:58:01.734812Z","published":"2021-05-06T11:02:50Z","upstream":["CVE-2019-13574"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1150"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13574"}],"affected":[{"package":{"name":"rubygem-mini_magick","ecosystem":"openEuler:20.03-LTS-SP1","purl":"pkg:rpm/openEuler/rubygem-mini_magick&distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.8.0-3.oe1"}]}],"ecosystem_specific":{"noarch":["rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm","rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm"],"src":["rubygem-mini_magick-4.8.0-3.oe1.src.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2021-1150.json"}}],"schema_version":"1.7.5"}