OESA-2021-1150

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1150
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1150.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2021-1150
Upstream
Published
2021-05-06T11:02:50Z
Modified
2025-08-12T05:04:16.972540Z
Summary
rubygem-mini_magick security update
Details

A Ruby wrapper for the ImageMagick command line. Using MiniMagick, the Ruby process's memory footprint remains small (it spawns ImageMagick's command-line program mogrify, which takes up some memory as well, but is much smaller compared to RMagick).

Security Fix(es):

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is passed directly to Kernel#open, which accepts a '|' character followed by a command. (CVE-2019-13574)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / rubygem-mini_magick

Package

Name
rubygem-mini_magick
Purl
pkg:rpm/openEuler/rubygem-mini_magick&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.8.0-3.oe1

Ecosystem specific

{
    "src": [
        "rubygem-mini_magick-4.8.0-3.oe1.src.rpm"
    ],
    "noarch": [
        "rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm",
        "rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm"
    ]
}