diff --git a/.gegl04.metadata b/.gegl04.metadata
new file mode 100644
index 0000000..017fa80
--- /dev/null
+++ b/.gegl04.metadata
@@ -0,0 +1 @@
+b709b5051228014371ff07c065b156923baa817a SOURCES/gegl-0.4.4.tar.bz2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..97980fa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/gegl-0.4.4.tar.bz2
diff --git a/SOURCES/gegl-CVE-2021-45463.patch b/SOURCES/gegl-CVE-2021-45463.patch
new file mode 100644
index 0000000..40d8efc
--- /dev/null
+++ b/SOURCES/gegl-CVE-2021-45463.patch
@@ -0,0 +1,70 @@
+From bfce470f0f2f37968862129d5038b35429f2909b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=98yvind=20Kol=C3=A5s?=
+Date: Thu, 16 Dec 2021 00:10:24 +0100
+Subject: [PATCH] magick-load: use more robust g_spawn_async() instead of
+ system()
+
+This fixes issue #298 by avoiding the shell parsing being invoked at
+all, this less brittle than any forms of escaping characters, while
+retaining the ability to address all existing files.
+---
+ operations/common/magick-load.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/operations/common/magick-load.c b/operations/common/magick-load.c
+index e2055b2e9..595169115 100644
+--- a/operations/common/magick-load.c
++++ b/operations/common/magick-load.c
+@@ -41,20 +41,23 @@ load_cache (GeglProperties *op_magick_load)
+ if (!op_magick_load->user_data)
+ {
+ gchar *filename;
+- gchar *cmd;
+ GeglNode *graph, *sink, *loader;
+ GeglBuffer *newbuf = NULL;
+
+ /* ImageMagick backed fallback FIXME: make this robust.
+ * maybe use pipes in a manner similar to the raw loader,
+ * or at least use a properly unique filename */
++ char *argv[4] = {"convert", NULL, NULL, NULL};
+
+ filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
+- cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
+- op_magick_load->path, filename);
+- if (system (cmd) == -1)
++
++ argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
++ argv[2] = filename;
++ if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT,
++ NULL, NULL, NULL, NULL, NULL, NULL))
+ g_warning ("Error executing ImageMagick convert program");
+
++ g_free (argv[1]);
+
+ graph = gegl_node_new ();
+ sink = gegl_node_new_child (graph,
+@@ -67,7 +70,6 @@ load_cache (GeglProperties *op_magick_load)
+ gegl_node_process (sink);
+ op_magick_load->user_data = (gpointer) newbuf;
+ g_object_unref (graph);
+- g_free (cmd);
+ g_free (filename);
+ }
+ }
+--
+GitLab
+
+
+diff -urNp a/tools/exp_combine.cpp b/tools/exp_combine.cpp
+--- a/tools/exp_combine.cpp 2022-01-10 15:03:42.765909209 +0100
++++ b/tools/exp_combine.cpp 2022-01-10 15:04:16.864158424 +0100
+@@ -8,8 +8,7 @@
+
+ #include
+
+-#include
+-#include
++#include
+
+ using namespace std;
+
diff --git a/SPECS/gegl04.spec b/SPECS/gegl04.spec
new file mode 100644
index 0000000..83a14bf
--- /dev/null
+++ b/SPECS/gegl04.spec
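Review bot: The added `g_spawn_sync()` call passes `G_SPAWN_DEFAULT`, and without `G_SPAWN_SEARCH_PATH` GLib does not look `argv[0]` up in `PATH`, so the bare `"convert"` is resolved relative to the current working directory instead of the installed ImageMagick binary; the flags argument should be `G_SPAWN_SEARCH_PATH`, or `argv[0]` an absolute path. The exit-status argument is `NULL`, so a `convert` that starts but fails is treated as success and whatever already exists at the fixed `gegl-magick.png` name in the shared temp directory is then loaded; pass a `gint status` and warn when it is non-zero, and note that the FIXME about a unique filename is still open. Removing the shell does not stop `convert` from parsing `argv[1]` itself, so a path beginning with `-` is still read as an option; prefixing such a path with `./` before formatting `"%s[0]"` would close that. `load_cache` begins above the hunk, so any earlier validation of `op_magick_load->path` is not visible here.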
@@ -0,0 +1,205 @@
+%global apiver 0.4
+
+Name: gegl04
+Version: 0.4.4
+Release: 7%{?dist}
+Summary: Graph based image processing framework
+
+# The binary is under the GPL, while the libs are under LGPL.
+# The main package only installs the libs, which makes the license:
+License: LGPLv3+
+URL: http://www.gegl.org/
+Source0: http://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2
+
+Patch1: gegl-CVE-2021-45463.patch
+
+BuildRequires: chrpath
+BuildRequires: enscript
+BuildRequires: gcc-c++
+BuildRequires: gettext-devel >= 0.19.8
+BuildRequires: gobject-introspection-devel >= 1.32.0
+BuildRequires: libspiro-devel
+BuildRequires: perl-interpreter
+BuildRequires: ruby
+BuildRequires: SDL-devel >= 1.2.0
+BuildRequires: suitesparse-devel
+BuildRequires: vala-tools
+
+BuildRequires: pkgconfig(babl) >= 0.1.52
+BuildRequires: pkgconfig(cairo) >= 1.12.2
+BuildRequires: pkgconfig(exiv2) >= 0.25
+BuildRequires: pkgconfig(gdk-pixbuf-2.0) >= 2.32.0
+BuildRequires: pkgconfig(glib-2.0) >= 2.44.0
+BuildRequires: pkgconfig(jasper) >= 1.900.1
+BuildRequires: pkgconfig(json-glib-1.0)
+BuildRequires: pkgconfig(lcms2) >= 2.8
+BuildRequires: pkgconfig(lensfun) >= 0.2.5
+BuildRequires: pkgconfig(libraw) >= 0.19.0
+BuildRequires: pkgconfig(libpng) >= 1.6.0
+BuildRequires: pkgconfig(librsvg-2.0) >= 2.40.6
+BuildRequires: pkgconfig(libv4l2) >= 1.0.1
+BuildRequires: pkgconfig(libwebp) >= 0.5.0
+BuildRequires: pkgconfig(lua) >= 5.1.0
+BuildRequires: pkgconfig(OpenEXR) >= 1.6.1
+BuildRequires: pkgconfig(pango) >= 1.38.0
+BuildRequires: pkgconfig(pangocairo) >= 1.38.0
+BuildRequires: pkgconfig(pygobject-3.0) >= 3.2
+BuildRequires: pkgconfig(vapigen) >= 0.20.0
+BuildRequires: pkgconfig(libtiff-4) >= 4.0.0
+
+# gegl contains a stripped down version of poly2tri-c, a C+glib port of
+# poly2tri, a 2D constrained Delaunay triangulation library.
+# Version information:
+# CURRENT REVISION: b27c5b79df2ffa4e2cb37f9e5536831f16afb11b
+# CACHED ON: August 11th, 2012
+Provides: bundled(poly2tri-c)
+
+
+%description
+GEGL (Generic Graphics Library) is a graph based image processing framework.
+GEGLs original design was made to scratch GIMP's itches for a new
+compositing and processing core. This core is being designed to have
+minimal dependencies and a simple well defined API.
+
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-devel < 0.4.2
+Conflicts: %{name}-devel < 0.4.2
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use GEGL API version %{apiver}.
+
+
+%package devel-docs
+Summary: Documentation files for developing with %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-devel < 0.4.2
+Conflicts: %{name}-devel < 0.4.2
+Conflicts: gegl-devel < 0.4
+
+%description devel-docs
+The %{name}-devel-docs package contains documentation files for developing
+applications that use GEGL API version %{apiver}.
+
+
+%package tools
+Summary: Command line tools for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+License: GPLv3+
+Conflicts: gegl < 0.4
+
+%description tools
+The %{name}-tools package contains tools for the command line that use the
+GEGL library.
+
+
+%prep
+%setup -q -n gegl-%{version}
+%patch1 -p1 -b .CVE-2021-45463
+
+%build
+%configure --disable-static
+make %{?_smp_mflags}
+
+
+%install
+%make_install
+
+# Remove rpaths
+chrpath --delete %{buildroot}%{_bindir}/*
+chrpath --delete %{buildroot}%{_libdir}/*.so*
+chrpath --delete %{buildroot}%{_libdir}/gegl-%{apiver}/*.so
+
+# Remove .la files
+find %{buildroot} -name '*.la' -delete
+
+%find_lang gegl-%{apiver}
+
+
+%ldconfig_scriptlets
+
+
+%files -f gegl-%{apiver}.lang
+%license COPYING.LESSER
+%{_libdir}/gegl-%{apiver}/
+%{_libdir}/libgegl-%{apiver}.so.*
+%{_libdir}/libgegl-npd-%{apiver}.so
+%{_libdir}/libgegl-sc-%{apiver}.so
+%{_libdir}/girepository-1.0/Gegl-%{apiver}.typelib
+
+%files devel
+%{_includedir}/gegl-%{apiver}/
+%{_libdir}/libgegl-%{apiver}.so
+%{_libdir}/pkgconfig/gegl-%{apiver}.pc
+%{_libdir}/pkgconfig/gegl-sc-%{apiver}.pc
+%dir %{_datadir}/gir-1.0
+%{_datadir}/gir-1.0/Gegl-%{apiver}.gir
+%dir %{_datadir}/vala
+%dir %{_datadir}/vala/vapi
+%{_datadir}/vala/vapi/gegl-%{apiver}.deps
+%{_datadir}/vala/vapi/gegl-%{apiver}.vapi
+
+%files devel-docs
+%doc %{_datadir}/gtk-doc/
+
+%files tools
+%license COPYING
+%{_bindir}/*
+
+
+%changelog
+* Tue Jan 11 2022 Josef Ridky - 0.4.4-7
+- Fix CVE-2021-45463 (#2035424)
+
+* Wed Oct 03 2018 Debarshi Ray - 0.4.4-6
+- Rebuild against new LibRaw soname
+Resolves: #1633708
+
+* Thu Aug 23 2018 Josef Ridky - 0.4.4-5
+- Remove ImageMagick requirement
+Resolves: #1620209
+
+* Mon Aug 06 2018 Josef Ridky - 0.4.4-4
+- Remove luajit requirement, because it is not available on RHEL-8
+Resolves: #1609985
+
+* Thu Jul 19 2018 Christian Dersch - 0.4.4-3
+- Rebuilt for LibRaw soname bump
+
+* Fri Jul 13 2018 Fedora Release Engineering - 0.4.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jul 05 2018 Nils Philippsen - 0.4.4-1
+- version 0.4.4
+
+* Mon May 21 2018 Nils Philippsen - 0.4.2-2
+- split off devel docs
+- let gegl04-devel-docs explicitly conflict with old gegl-devel (#1577595)
+
+* Mon May 21 2018 Nils Philippsen - 0.4.2-1
+- version 0.4.2
+
+* Wed May 02 2018 Nils Philippsen - 0.4.0-2
+- don't require asciidoc for building
+- always install unversioned executables
+
+* Sat Apr 28 2018 Nils Philippsen - 0.4.0-1
+- import into Fedora dist-git
+
+* Fri Apr 27 2018 Nils Philippsen - 0.4.0-0.4
+- own all created directories
+- remove rpaths
+
+* Fri Apr 27 2018 Nils Philippsen - 0.4.0-0.3
+- use %%ldconfig_scriptlets macro
+
+* Fri Apr 27 2018 Nils Philippsen - 0.4.0-0.2
+- add tools subpackage
+- tidy up remains of 0.3
+- add back gtk-doc documentation
+
+* Fri Apr 27 2018 Nils Philippsen - 0.4.0-0.1
+- initial import
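Review bot: `Source0` and `URL` use plain `http://`, so anyone re-fetching the tarball from the spec relies solely on the digest in `.gegl04.metadata`, which at 40 hex digits looks like SHA-1; `Source0: https://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2` would remove the cleartext fetch. The spec has no `%check` section, so nothing at build time exercises the magick-load code that `Patch1` changes. The 0.4.4-5 changelog entry dropped the ImageMagick requirement, so it is worth confirming which `convert` binary, if any, the patched loader ends up running on a default install.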