rpms/gegl04
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import gegl04-0.4.4-7.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-03-29 07:22:27 -04:00 committed by Stepan Oksanichenko
parent c0d3dc38ac
commit f69f836d6d
2 changed files with 77 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
SOURCES/gegl-CVE-2021-45463.patch Normal file
View File

@ -0,0 +1,70 @@
From bfce470f0f2f37968862129d5038b35429f2909b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20Kol=C3=A5s?= <pippin@gimp.org>
Date: Thu, 16 Dec 2021 00:10:24 +0100
Subject: [PATCH] magick-load: use more robust g_spawn_async() instead of
system()
This fixes issue #298 by avoiding the shell parsing being invoked at
all, this less brittle than any forms of escaping characters, while
retaining the ability to address all existing files.
---
operations/common/magick-load.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/operations/common/magick-load.c b/operations/common/magick-load.c
index e2055b2e9..595169115 100644
--- a/operations/common/magick-load.c
+++ b/operations/common/magick-load.c
@@ -41,20 +41,23 @@ load_cache (GeglProperties *op_magick_load)
if (!op_magick_load->user_data)
{
gchar *filename;
- gchar *cmd;
GeglNode *graph, *sink, *loader;
GeglBuffer *newbuf = NULL;
/* ImageMagick backed fallback FIXME: make this robust.
* maybe use pipes in a manner similar to the raw loader,
* or at least use a properly unique filename */
+ char *argv[4] = {"convert", NULL, NULL, NULL};
filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
- cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
- op_magick_load->path, filename);
- if (system (cmd) == -1)
+
+ argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
+ argv[2] = filename;
+ if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT,
+ NULL, NULL, NULL, NULL, NULL, NULL))
g_warning ("Error executing ImageMagick convert program");
+ g_free (argv[1]);
graph = gegl_node_new ();
sink = gegl_node_new_child (graph,
@@ -67,7 +70,6 @@ load_cache (GeglProperties *op_magick_load)
gegl_node_process (sink);
op_magick_load->user_data = (gpointer) newbuf;
g_object_unref (graph);
- g_free (cmd);
g_free (filename);
}
}
--
GitLab
diff -urNp a/tools/exp_combine.cpp b/tools/exp_combine.cpp
--- a/tools/exp_combine.cpp 2022-01-10 15:03:42.765909209 +0100
+++ b/tools/exp_combine.cpp 2022-01-10 15:04:16.864158424 +0100
@@ -8,8 +8,7 @@
#include <iostream>
-#include <exiv2/image.hpp>
-#include <exiv2/exif.hpp>
+#include <exiv2/exiv2.hpp>
using namespace std;

9
SPECS/gegl04.spec
View File

@ -2,7 +2,7 @@
Name: gegl04 Name: gegl04
Version: 0.4.4 Version: 0.4.4
Release: 6%{?dist} Release: 7%{?dist}
Summary: Graph based image processing framework Summary: Graph based image processing framework
# The binary is under the GPL, while the libs are under LGPL. # The binary is under the GPL, while the libs are under LGPL.
@ -11,6 +11,8 @@ License: LGPLv3+
URL: http://www.gegl.org/ URL: http://www.gegl.org/
Source0: http://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2 Source0: http://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2
Patch1: gegl-CVE-2021-45463.patch
BuildRequires: chrpath BuildRequires: chrpath
BuildRequires: enscript BuildRequires: enscript
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -96,7 +98,7 @@ GEGL library.
%prep %prep
%setup -q -n gegl-%{version} %setup -q -n gegl-%{version}
%patch1 -p1 -b .CVE-2021-45463
%build %build
%configure --disable-static %configure --disable-static
@ -149,6 +151,9 @@ find %{buildroot} -name '*.la' -delete
%changelog %changelog
* Tue Jan 11 2022 Josef Ridky <jridky@redhat.com> - 0.4.4-7
- Fix CVE-2021-45463 (#2035424)
* Wed Oct 03 2018 Debarshi Ray <rishi@fedoraproject.org> - 0.4.4-6 * Wed Oct 03 2018 Debarshi Ray <rishi@fedoraproject.org> - 0.4.4-6
- Rebuild against new LibRaw soname - Rebuild against new LibRaw soname
Resolves: #1633708 Resolves: #1633708