| Package | gegl |
|---|---|
| Version | 0.3.8-4+deb9u1 (stretch) |
| Related CVEs | CVE-2018-10113 CVE-2018-10114 CVE-2021-45463 CVE-2025-10921 |
Multiple vulnerabilities were discovered in GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files or filenames are processed.
- CVE-2018-10113: The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure.
- CVE-2018-10114: The gegl_buffer_iterate_read_simple function in buffer/gegl-buffer-access.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PPM file, related to improper restrictions on memory allocation in the ppm_load_read_header function in operations/external/ppm-load.c.
- CVE-2021-45463: load_cache allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.
- CVE-2025-10921: Heap-based buffer overflow in HDR file parsing, reported against GIMP (which uses GEGL), that could lead to remote code execution.
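The two PPM issues above (CVE-2018-10113 and CVE-2018-10114) share a root cause: header-supplied dimensions were trusted when sizing an allocation. As an added example that is not GEGL's own code, the following C parser validates a binary PPM (P6) header against explicit caps, computes the raster size in 64-bit arithmetic, and rejects truncated input before anything is allocated. The caps PPM_MAX_DIM and PPM_MAX_PIXELS, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Caps are assumptions chosen for this example, not GEGL's values. */
#define PPM_MAX_DIM    65536u                 /* max pixels per side */
#define PPM_MAX_PIXELS (256u * 1024u * 1024u) /* max pixels per image */

struct ppm_header {
    unsigned width, height, maxval;
    unsigned bytes_per_sample;  /* 1 if maxval < 256, else 2 */
    size_t data_offset;         /* byte offset where the raster starts */
    size_t data_size;           /* raster bytes the header implies */
};

static int ppm_is_space(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Skip whitespace and '#' comments starting at p; returns the new position. */
static size_t ppm_skip(const unsigned char *b, size_t n, size_t p) {
    for (;;) {
        while (p < n && ppm_is_space(b[p])) p++;
        if (p < n && b[p] == '#') {
            while (p < n && b[p] != '\n') p++;
            continue;
        }
        return p;
    }
}

/* Parse one decimal field; fails if absent or larger than max, checking
 * after every digit so the accumulator can never wrap. */
static int ppm_uint(const unsigned char *b, size_t n, size_t *p,
                    unsigned max, unsigned *out) {
    size_t q = ppm_skip(b, n, *p);
    if (q >= n || b[q] < '0' || b[q] > '9') return -1;
    unsigned long v = 0;
    while (q < n && b[q] >= '0' && b[q] <= '9') {
        v = v * 10 + (unsigned)(b[q] - '0');
        if (v > max) return -1;
        q++;
    }
    *p = q;
    *out = (unsigned)v;
    return 0;
}

/* Validate a binary PPM (P6) header held in b[0..n). Returns 0 on success,
 * -1 bad magic/syntax, -2 bad width/height, -3 bad maxval,
 * -4 image too large, -5 raster shorter than the header claims. */
int ppm_read_header(const unsigned char *b, size_t n, struct ppm_header *h) {
    if (n < 2 || b[0] != 'P' || b[1] != '6') return -1;
    size_t p = 2;
    if (ppm_uint(b, n, &p, PPM_MAX_DIM, &h->width) < 0 || h->width == 0) return -2;
    if (ppm_uint(b, n, &p, PPM_MAX_DIM, &h->height) < 0 || h->height == 0) return -2;
    if (ppm_uint(b, n, &p, 65535u, &h->maxval) < 0 || h->maxval == 0) return -3;
    /* exactly one whitespace byte separates maxval from the raster */
    if (p >= n || !ppm_is_space(b[p])) return -1;
    p++;
    h->bytes_per_sample = h->maxval < 256 ? 1 : 2;
    /* size the raster in 64-bit arithmetic and cap it before anyone allocates */
    uint64_t pixels = (uint64_t)h->width * h->height;
    if (pixels > PPM_MAX_PIXELS) return -4;
    uint64_t need = pixels * 3 * h->bytes_per_sample;
    if (need > (uint64_t)SIZE_MAX) return -4;
    if (need > (uint64_t)(n - p)) return -5;
    h->data_offset = p;
    h->data_size = (size_t)need;
    return 0;
}

/* Convenience wrapper for NUL-free inputs (constructed samples below). */
int ppm_check_str(const char *s) {
    struct ppm_header h;
    return ppm_read_header((const unsigned char *)s, strlen(s), &h);
}

int main(void) {
    /* constructed sample: 2x2 RGB header followed by exactly 12 raster bytes */
    const char *good = "P6\n2 2\n255\nxxxxxxxxxxxx";
    /* constructed sample: dimensions within per-side cap but 2^32 pixels total */
    const char *huge = "P6\n65536 65536\n255\n";
    printf("good: %d\nhuge: %d\n", ppm_check_str(good), ppm_check_str(huge));
    return 0;
}
```

The important property is that every rejection happens from the header alone: the caller never calls malloc with a size derived from unchecked width, height or maxval, and a file whose raster is shorter than the header promises is refused rather than read past its end.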
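For CVE-2021-45463 the defect class is handing a constructed command line to a shell, which is what the system library function does. The added C example below, which is not GEGL's code, contrasts a hypothetical shell-string pattern (run through sh -c, exactly as system() would) with spawning an argument vector via execvp, and captures what the child program actually received in each case. The ImageMagick convert fallback is stood in for by printf so the example runs anywhere; the function names and the sample filename are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] directly (no shell), capturing its stdout into out[0..n-1].
 * Returns the child's exit status, or -1 on failure. */
static int run_capture(char *const argv[], char *out, size_t n) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec without a shell */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t got = 0;
    ssize_t r;
    while (got + 1 < n && (r = read(fds[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern (hypothetical, not GEGL's real code): the filename is
 * spliced into a command string that the shell then parses, so $(...),
 * backticks, ';' and similar characters in the name are interpreted. */
static int echo_via_shell_string(const char *filename, char *out, size_t n) {
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "printf %%s \"%s\"", filename);
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_capture(argv, out, n);
}

/* Hardened pattern: the program is spawned with an argument vector; the
 * filename is one argv element and reaches the child byte-for-byte. */
static int echo_via_argv(const char *filename, char *out, size_t n) {
    char *argv[] = { "printf", "%s", (char *)filename, NULL };
    return run_capture(argv, out, n);
}

/* 1 if the filename survived the argv path unchanged, 0 otherwise. */
int argv_preserves(const char *filename) {
    char buf[4096];
    return echo_via_argv(filename, buf, sizeof buf) == 0 &&
           strcmp(buf, filename) == 0;
}

/* 1 if the shell-string path altered the filename, i.e. expansion happened. */
int shell_string_alters(const char *filename) {
    char buf[4096];
    return echo_via_shell_string(filename, buf, sizeof buf) == 0 &&
           strcmp(buf, filename) != 0;
}

int main(void) {
    /* constructed sample name; the $(...) is a harmless command substitution */
    const char *name = "image$(echo _expanded).ppm";
    char buf[4096];
    echo_via_shell_string(name, buf, sizeof buf);
    printf("shell string saw: %s\n", buf);
    echo_via_argv(name, buf, sizeof buf);
    printf("argv vector saw : %s\n", buf);
    return 0;
}
```

Quoting the filename inside the command string, as the vulnerable variant does, is not a fix: the shell still performs substitution inside double quotes. Removing the shell from the path is what makes the filename inert, and it also removes the need for any escaping or filtering logic that could itself be incomplete.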
For Debian 9 stretch, these problems have been fixed in version 0.3.8-4+deb9u1.
We recommend that you upgrade your gegl packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.