diff --git a/SOURCES/gegl-CVE-2021-45463.patch b/SOURCES/gegl-CVE-2021-45463.patch
new file mode 100644
index 0000000..a762c3d
--- /dev/null
+++ b/SOURCES/gegl-CVE-2021-45463.patch
@@ -0,0 +1,38 @@
+diff -urNp a/operations/common/magick-load.c b/operations/common/magick-load.c
+--- a/operations/common/magick-load.c 2022-01-11 10:45:06.197914681 +0100
++++ b/operations/common/magick-load.c 2022-01-11 12:20:00.106477933 +0100
+@@ -39,26 +39,28 @@ load_cache (GeglChantO *op_magick_load)
+ if (!op_magick_load->chant_data)
+ {
+ gchar *filename;
+- gchar *cmd;
+ GeglNode *graph, *sink;
+ GeglBuffer *newbuf = NULL;
+
+ /* ImageMagick backed fallback FIXME: make this robust.
+ * maybe use pipes in a manner similar to the raw loader,
+ * or at least use a properly unique filename */
+-
++ char *argv[4] = {"convert", NULL, NULL, NULL};
++
+ filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
+- cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
+- op_magick_load->path, filename);
+- if (system (cmd) == -1)
++ argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
++ argv[2] = filename;
++ if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT,
++ NULL, NULL, NULL, NULL, NULL, NULL))
+ g_warning ("Error executing ImageMagick convert program");
+
++ g_free (argv[1]);
++
+ graph = gegl_graph (sink=gegl_node ("gegl:buffer-sink", "buffer", &newbuf, NULL,
+ gegl_node ("gegl:png-load", "path", filename, NULL)));
+ gegl_node_process (sink);
+ op_magick_load->chant_data = (gpointer) newbuf;
+ g_object_unref (graph);
+- g_free (cmd);
+ g_free (filename);
+ }
+ }
diff --git a/SPECS/gegl.spec b/SPECS/gegl.spec
index 0418d1a..e8efaf6 100644
--- a/SPECS/gegl.spec
+++ b/SPECS/gegl.spec
@@ -16,7 +16,7 @@ Summary: A graph based image processing framework Name: gegl Version: 0.2.0 -Release: 19%{?dist} +Release: 19%{?dist}.1 # Compute some version related macros # Ugly hack, you need to get your quoting backslashes/percent signs straight 
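Review bot: In the bundled magick-load.c patch, the new `g_spawn_sync` call passes the bare name `"convert"` as argv[0] with `G_SPAWN_DEFAULT`, and GLib only searches PATH when `G_SPAWN_SEARCH_PATH` is set, so the program is looked up relative to the current working directory; it either fails to start or runs whatever `convert` sits in that directory. Use `G_SPAWN_SEARCH_PATH` there, or better, resolve an absolute path once with `g_find_program_in_path ("convert")` and skip the fallback when it returns NULL. The call also discards the exit status and keeps the fixed name `gegl-magick.png` in the shared temp directory (the FIXME above it already asks for a unique name), so when convert fails the following `gegl:png-load` can read a stale or pre-placed file; pass an `&exit_status` and check it, and create the output under a directory from `g_dir_make_tmp`. `op_magick_load->path` still reaches convert unvalidated, so a value beginning with `-` is parsed as an option; rejecting that case or prefixing relative paths with `./` would close it. The opening of load_cache lies outside the hunk.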
@@ -33,6 +33,7 @@ Source0: ftp://ftp.gimp.org/pub/gegl/%{apiver}/%{name}-%{version}.tar.bz2
 Patch0: gegl-0.2.0-lua-5.2.patch
 Patch1: gegl-0.2.0-CVE-2012-4433.patch
 Patch2: gegl-0.2.0-remove-src-over-op.patch
+Patch3: gegl-CVE-2021-45463.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: asciidoc
 BuildRequires: babl-devel >= 0.1.10
@@ -99,6 +100,7 @@ developing with %{name}. %patch0 -p1 -b .lua-5.2 %patch1 -p1 -b .CVE-2012-4433 %patch2 -p1 -b .remove-src-over-op +%patch3 -p1 -b .CVE-2021-45463 %build # use hardening compiler/linker flags because gegl is likely to deal with
@@ -228,6 +230,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/%{name}-%{apiver}.pc %changelog +* Tue Jan 11 2022 Josef Ridky - 0.2.0-19.1 +- fix CVE-2021-45463 (#2035416) + * Thu Dec 1 2016 Josef Ridky - 0.2.0-19 - add Requires: dcraw (#1279144)