rpms / gegl04

Clone
Source Code
GIT

Blame SOURCES/gegl-CVE-2021-45463.patch

c8 c8-beta c8s c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   gegl-CVE-2021-45463.patch
Blob History Raw
d92cad 
From bfce470f0f2f37968862129d5038b35429f2909b Mon Sep 17 00:00:00 2001
d92cad 
From: =?UTF-8?q?=C3=98yvind=20Kol=C3=A5s?= <pippin@gimp.org>
d92cad 
Date: Thu, 16 Dec 2021 00:10:24 +0100
d92cad 
Subject: [PATCH] magick-load: use more robust g_spawn_async() instead of
d92cad 
 system()
d92cad
d92cad 
This fixes issue #298 by avoiding the shell parsing being invoked at
d92cad 
all, this less brittle than any forms of escaping characters, while
d92cad 
retaining the ability to address all existing files.
d92cad 
---
d92cad 
 operations/common/magick-load.c | 12 +++++++-----
d92cad 
 1 file changed, 7 insertions(+), 5 deletions(-)
d92cad
d92cad 
diff --git a/operations/common/magick-load.c b/operations/common/magick-load.c
d92cad 
index e2055b2e9..595169115 100644
d92cad 
--- a/operations/common/magick-load.c
d92cad 
+++ b/operations/common/magick-load.c
d92cad 
@@ -41,20 +41,23 @@ load_cache (GeglProperties *op_magick_load)
d92cad 
   if (!op_magick_load->user_data)
d92cad 
     {
d92cad 
       gchar    *filename;
d92cad 
-      gchar    *cmd;
d92cad 
       GeglNode *graph, *sink, *loader;
d92cad 
       GeglBuffer *newbuf = NULL;
d92cad
d92cad 
       /* ImageMagick backed fallback FIXME: make this robust.
d92cad 
        * maybe use pipes in a manner similar to the raw loader,
d92cad 
        * or at least use a properly unique filename  */
d92cad 
+      char     *argv[4]  = {"convert", NULL, NULL, NULL};
d92cad
d92cad 
       filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
d92cad 
-      cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
d92cad 
-                             op_magick_load->path, filename);
d92cad 
-      if (system (cmd) == -1)
d92cad 
+
d92cad 
+      argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
d92cad 
+      argv[2] = filename;
d92cad 
+      if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT,
d92cad 
+                         NULL, NULL, NULL, NULL, NULL, NULL))
d92cad 
         g_warning ("Error executing ImageMagick convert program");
d92cad
d92cad 
+      g_free (argv[1]);
d92cad
d92cad 
       graph = gegl_node_new ();
d92cad 
       sink = gegl_node_new_child (graph,
d92cad 
@@ -67,7 +70,6 @@ load_cache (GeglProperties *op_magick_load)
d92cad 
       gegl_node_process (sink);
d92cad 
       op_magick_load->user_data = (gpointer) newbuf;
d92cad 
       g_object_unref (graph);
d92cad 
-      g_free (cmd);
d92cad 
       g_free (filename);
d92cad 
     }
d92cad 
 }
d92cad 
--
d92cad 
GitLab
d92cad
d92cad
d92cad 
diff -urNp a/tools/exp_combine.cpp b/tools/exp_combine.cpp
d92cad 
--- a/tools/exp_combine.cpp	2022-01-10 15:03:42.765909209 +0100
d92cad 
+++ b/tools/exp_combine.cpp	2022-01-10 15:04:16.864158424 +0100
d92cad 
@@ -8,8 +8,7 @@
d92cad
d92cad 
 #include <iostream>
d92cad
d92cad 
-#include <exiv2/image.hpp>
d92cad 
-#include <exiv2/exif.hpp>
d92cad 
+#include <exiv2/exiv2.hpp>
d92cad
d92cad 
 using namespace std;
d92cad

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation