{"id":"UBUNTU-CVE-2021-45463","details":"load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.","modified":"2026-01-31T06:23:48.314200Z","published":"2021-12-23T06:15:00Z","related":["USN-5251-1"],"upstream":["CVE-2021-45463"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-45463"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868"},{"type":"REPORT","url":"https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5251-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-45463"}],"affected":[{"package":{"name":"gegl","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/gegl@0.2.0-4ubuntu1+esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.2.0-4ubuntu1+esm1"}]}],"versions":["0.2.0-3ubuntu1","0.2.0-4ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"gegl","binary_version":"0.2.0-4ubuntu1+esm1"},{"binary_name":"libgegl-0.2-0","binary_version":"0.2.0-4ubuntu1+esm1"},{"binary_name":"libgegl-dev","binary_version":"0.2.0-4ubuntu1+esm1"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-45463.json"}},{"package":{"name":"gegl","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/gegl@0.3.4-1ubuntu2+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.4-1ubuntu2+esm1"}]}],"versions":["0.3.0-4ubuntu2","0.3.2-1ubuntu1","0.3.2-1ubuntu2","0.3.4-1ubuntu1","0.3.4-1ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"gegl","binary_version":"0.3.4-1ubuntu2+esm1"},{"binary_name":"libgegl-0.3-0","binary_version":"0.3.4-1ubuntu2+esm1"},{"binary_name":"libgegl-dev","binary_version":"0.3.4-1ubuntu2+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-45463.json"}},{"package":{"name":"gegl","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/gegl@0.3.30-1ubuntu1+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.30-1ubuntu1+esm1"}]}],"versions":["0.3.20-1","0.3.20-3","0.3.24-1","0.3.28-3","0.3.30-1","0.3.30-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"gegl","binary_version":"0.3.30-1ubuntu1+esm1"},{"binary_name":"gir1.2-gegl-0.3","binary_version":"0.3.30-1ubuntu1+esm1"},{"binary_name":"libgegl-0.3-0","binary_version":"0.3.30-1ubuntu1+esm1"},{"binary_name":"libgegl-dev","binary_version":"0.3.30-1ubuntu1+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-45463.json"}},{"package":{"name":"gegl","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/gegl@0.4.22-3ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.22-3ubuntu0.1~esm1"}]}],"versions":["0.4.14-1","0.4.18-1ubuntu1","0.4.18-2","0.4.18-2build1","0.4.22-1","0.4.22-3"],"ecosystem_specific":{"binaries":[{"binary_name":"gegl","binary_version":"0.4.22-3ubuntu0.1~esm1"},{"binary_name":"gir1.2-gegl-0.4","binary_version":"0.4.22-3ubuntu0.1~esm1"},{"binary_name":"libgegl-0.4-0","binary_version":"0.4.22-3ubuntu0.1~esm1"},{"binary_name":"libgegl-common","binary_version":"0.4.22-3ubuntu0.1~esm1"},{"binary_name":"libgegl-dev","binary_version":"0.4.22-3ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-45463.json"}},{"package":{"name":"gegl","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/gegl@1:0.4.34-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.4.34-1"}]}],"versions":["1:0.4.32-1","1:0.4.32-2"],"ecosystem_specific":{"binaries":[{"binary_name":"gegl","binary_version":"1:0.4.34-1"},{"binary_name":"gir1.2-gegl-0.4","binary_version":"1:0.4.34-1"},{"binary_name":"libgegl-0.4-0","binary_version":"1:0.4.34-1"},{"binary_name":"libgegl-common","binary_version":"1:0.4.34-1"},{"binary_name":"libgegl-dev","binary_version":"1:0.4.34-1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-45463.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}