import gegl04-0.4.4-7.el8

SOURCES/gegl-CVE-2021-45463.patch

@@ -0,0 +1,70 @@
+From bfce470f0f2f37968862129d5038b35429f2909b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=98yvind=20Kol=C3=A5s?= <pippin@gimp.org>
+Date: Thu, 16 Dec 2021 00:10:24 +0100
+Subject: [PATCH] magick-load: use more robust g_spawn_async() instead of
+ system()
+
+This fixes issue #298 by avoiding the shell parsing being invoked at
+all, this less brittle than any forms of escaping characters, while
+retaining the ability to address all existing files.
+---
+ operations/common/magick-load.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/operations/common/magick-load.c b/operations/common/magick-load.c
+index e2055b2e9..595169115 100644
+--- a/operations/common/magick-load.c
++++ b/operations/common/magick-load.c
+@@ -41,20 +41,23 @@ load_cache (GeglProperties *op_magick_load)
+   if (!op_magick_load->user_data)
+     {
+       gchar    *filename;
+-      gchar    *cmd;
+       GeglNode *graph, *sink, *loader;
+       GeglBuffer *newbuf = NULL;
+ 
+       /* ImageMagick backed fallback FIXME: make this robust.
+        * maybe use pipes in a manner similar to the raw loader,
+        * or at least use a properly unique filename  */
++      char     *argv[4]  = {"convert", NULL, NULL, NULL};
+ 
+       filename = g_build_filename (g_get_tmp_dir (), "gegl-magick.png", NULL);
+-      cmd = g_strdup_printf ("convert \"%s\"'[0]' \"%s\"",
+-                             op_magick_load->path, filename);
+-      if (system (cmd) == -1)
++
++      argv[1] = g_strdup_printf ("%s[0]", op_magick_load->path);
++      argv[2] = filename;
++      if (!g_spawn_sync (NULL, argv, NULL, G_SPAWN_DEFAULT, 
++                         NULL, NULL, NULL, NULL, NULL, NULL))
+         g_warning ("Error executing ImageMagick convert program");
+ 
++      g_free (argv[1]);
+ 
+       graph = gegl_node_new ();
+       sink = gegl_node_new_child (graph,
+@@ -67,7 +70,6 @@ load_cache (GeglProperties *op_magick_load)
+       gegl_node_process (sink);
+       op_magick_load->user_data = (gpointer) newbuf;
+       g_object_unref (graph);
+-      g_free (cmd);
+       g_free (filename);
+     }
+ }
+-- 
+GitLab
+
+
+diff -urNp a/tools/exp_combine.cpp b/tools/exp_combine.cpp
+--- a/tools/exp_combine.cpp	2022-01-10 15:03:42.765909209 +0100
++++ b/tools/exp_combine.cpp	2022-01-10 15:04:16.864158424 +0100
+@@ -8,8 +8,7 @@
+ 
+ #include <iostream>
+ 
+-#include <exiv2/image.hpp>
+-#include <exiv2/exif.hpp>
++#include <exiv2/exiv2.hpp>
+ 
+ using namespace std;
+ 

SPECS/gegl04.spec

@@ -2,7 +2,7 @@
 
 Name:           gegl04
 Version:        0.4.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Graph based image processing framework
 
 # The binary is under the GPL, while the libs are under LGPL.
@@ -11,6 +11,8 @@ License:        LGPLv3+
 URL:            http://www.gegl.org/
 Source0:        http://download.gimp.org/pub/gegl/%{apiver}/gegl-%{version}.tar.bz2
 
+Patch1:         gegl-CVE-2021-45463.patch
+
 BuildRequires:  chrpath
 BuildRequires:  enscript
 BuildRequires:  gcc-c++
@@ -96,7 +98,7 @@ GEGL library.
 
 %prep
 %setup -q -n gegl-%{version}
-
+%patch1 -p1 -b .CVE-2021-45463
 
 %build
 %configure --disable-static
@@ -149,6 +151,9 @@ find %{buildroot} -name '*.la' -delete
 
 
 %changelog
+* Tue Jan 11 2022 Josef Ridky <jridky@redhat.com> - 0.4.4-7
+- Fix CVE-2021-45463 (#2035424)
+
 * Wed Oct 03 2018 Debarshi Ray <rishi@fedoraproject.org> - 0.4.4-6
 - Rebuild against new LibRaw soname
 Resolves: #1633708