commit:     02765dfc333e578af9e3fd525fc0067dc47d6528
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 22 00:37:22 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Aug 22 00:41:20 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc

media-gfx/imagemagick: rev bump to address VU#332928

Link: https://www.kb.cert.org/vuls/id/332928
Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-gfx/imagemagick/files/policy-hardening.patch | 15 ++++++
 ...9999.ebuild => imagemagick-6.9.10.10-r1.ebuild} | 53 ++++++++++++++++------
 ...-9999.ebuild => imagemagick-7.0.8.10-r1.ebuild} | 34 +++++++++++++-
 media-gfx/imagemagick/imagemagick-9999.ebuild      | 34 +++++++++++++-
 4 files changed, 120 insertions(+), 16 deletions(-)

diff --git a/media-gfx/imagemagick/files/policy-hardening.patch 
b/media-gfx/imagemagick/files/policy-hardening.patch
new file mode 100644
index 00000000000..9bb8529d191
--- /dev/null
+++ b/media-gfx/imagemagick/files/policy-hardening.patch
@@ -0,0 +1,15 @@
+--- a/config/policy.xml
++++ b/config/policy.xml
+@@ -52,6 +52,12 @@
+     <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" 
/>
+ -->
+ <policymap>
++  <!-- https://www.kb.cert.org/vuls/id/332928 mitigation -->
++  <policy domain="coder" rights="none" pattern="PS" />
++  <policy domain="coder" rights="none" pattern="EPS" />
++  <policy domain="coder" rights="none" pattern="PDF" />
++  <policy domain="coder" rights="none" pattern="XPS" />
++
+   <!-- <policy domain="system" name="shred" value="2"/> -->
+   <!-- <policy domain="system" name="precision" value="6"/> -->
+   <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
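Review bot: The four added `rights="none"` entries deny PS, EPS, PDF and XPS, but the PS2 and PS3 coders also exist in ImageMagick and, to my recollection, were later added to this same hardening block in Gentoo and upstream, so it is worth confirming whether `<policy domain="coder" rights="none" pattern="PS2" />` and `<policy domain="coder" rights="none" pattern="PS3" />` belong here too. The added comment only links the advisory; a one-line explanation of the threat model would help administrators decide whether to relax it, e.g. `<!-- https://www.kb.cert.org/vuls/id/332928 mitigation: these coders hand input to the external Ghostscript delegate; re-enable only once that delegate is patched -->`. Note also that `rights="none"` blocks writing as well as reading, so PDF/PS output from ImageMagick stops working by default, which the elog text elsewhere in this commit only hints at with "usage".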

diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild 
b/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
similarity index 79%
copy from media-gfx/imagemagick/imagemagick-9999.ebuild
copy to media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
index aa36a8a3e7b..9d95354be24 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
@@ -3,24 +3,17 @@
 
 EAPI=6
 
-inherit eutils flag-o-matic libtool multilib toolchain-funcs
-
-if [[ ${PV} == "9999" ]] ; then
-       EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git";
-       inherit git-r3
-       MY_P="imagemagick-9999"
-else
-       inherit eapi7-ver
-       MY_P=ImageMagick-$(ver_rs 3 '-')
-       SRC_URI="mirror://${PN}/${MY_P}.tar.xz"
-       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux 
~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-fi
+inherit eutils flag-o-matic libtool multilib toolchain-funcs eapi7-ver
+
+MY_P=ImageMagick-$(ver_rs 3 '-')
 
 DESCRIPTION="A collection of tools and libraries for many image formats"
 HOMEPAGE="https://www.imagemagick.org/";
+SRC_URI="mirror://${PN}/${MY_P}.tar.xz"
 
 LICENSE="imagemagick"
 SLOT="0/${PV}"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc 
~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos 
~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
 IUSE="bzip2 corefonts cxx djvu fftw fontconfig fpx graphviz hdri jbig jpeg 
jpeg2k lcms lqr lzma opencl openexr openmp pango perl png postscript q32 q8 raw 
static-libs svg test tiff truetype webp wmf X xml zlib"
 
 RESTRICT="perl? ( userpriv )"
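Review bot: The new `KEYWORDS=` line omits `~arm64`, which the removed 9999-side line carried. Because git rendered this file as a copy of the 9999 ebuild, the `-` lines are the 9999 contents rather than the previous 6.9.10.10 ebuild, so this may simply reflect existing 6.9 keywording; if that is not the case, `~arm64` should be re-added in the same line.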
@@ -73,8 +66,10 @@ REQUIRED_USE="corefonts? ( truetype )
 
 S="${WORKDIR}/${MY_P}"
 
+PATCHES=( "${FILESDIR}"/policy-hardening.patch )
+
 src_prepare() {
-       local ati_cards mesa_cards nvidia_cards render_cards
+       local mesa_cards ati_cards nvidia_cards render_cards
        default
 
        elibtoolize # for Darwin modules
@@ -89,7 +84,7 @@ src_prepare() {
        if test -n "${mesa_cards}"; then
                addpredict "${mesa_cards}"
        fi
-       nvidia_cards=$(echo -n /dev/nvidia* | sed 's/ /:/g')
+       nvidia_cards=$(echo -n /dev/nvidia** | sed 's/ /:/g')
        if test -n "${nvidia_cards}"; then
                addpredict "${nvidia_cards}"
        fi
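Review bot: `/dev/nvidia**` on the new side has no extra meaning in bash without `globstar` (and even then `**` only matters as a whole path component), so it behaves exactly like `/dev/nvidia*` and reads as a typo; `nvidia_cards=$(echo -n /dev/nvidia* | sed 's/ /:/g')` keeps the rendering consistent with the `mesa_cards` line above. Since this diff is computed against the 9999 copy source, the `**` may already be present in the earlier 6.9.10.10 ebuild rather than introduced by this revision. Independently, when no such device node exists the unexpanded pattern is passed through as a literal string, so the `test -n` guard never skips `addpredict`; this is harmless for a sandbox predict but worth a comment. `src_prepare` continues outside the hunk.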
@@ -191,3 +186,33 @@ src_install() {
        insinto /usr/share/${PN}
        doins config/*icm
 }
+
+pkg_postinst() {
+       local _show_policy_xml_notice=
+
+       if [[ -z "${REPLACING_VERSIONS}" ]]; then
+               # This is a new installation
+               _show_policy_xml_notice=yes
+       else
+               local v
+               for v in ${REPLACING_VERSIONS}; do
+                       if ! version_is_at_least "6.9.10.10-r1" ${v}; then
+                               # This is an upgrade
+                               _show_policy_xml_notice=yes
+
+                               # Show this elog only once
+                               break
+                       fi
+               done
+       fi
+
+       if [[ -n "${_show_policy_xml_notice}" ]]; then
+               elog "For security reasons, a policy.xml file was installed in 
/etc/ImageMagick-6"
+               elog "which will prevent the usage of the following coders by 
default:"
+               elog ""
+               elog "  - PS"
+               elog "  - EPS"
+               elog "  - PDF"
+               elog "  - XPS"
+       fi
+}
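Review bot: `version_is_at_least` in the new `pkg_postinst` is provided by versionator.eclass, which does not appear in the `inherit` line added at the top of this file (`eutils flag-o-matic libtool multilib toolchain-funcs eapi7-ver`); unless one of those eclasses pulls it in transitively, the loop fails at merge time, which is the worst place for a notice-only hook to break. Since eapi7-ver is already inherited here, `if ver_test "${v}" -lt "6.9.10.10-r1"; then` expresses the same check without another eclass. The same call appears in the 7.0.8.10-r1 and 9999 ebuilds' `pkg_postinst` added in this commit, where the situation is slightly worse because, per the 9999 branch of the `inherit` block, eapi7-ver is only inherited for non-live versions. The elog text could also say how to restore the coders, e.g. `elog "Edit /etc/ImageMagick-6/policy.xml to re-enable them if you trust your delegates."`.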

diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild 
b/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
similarity index 87%
copy from media-gfx/imagemagick/imagemagick-9999.ebuild
copy to media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
index aa36a8a3e7b..c4e21494402 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
@@ -1,10 +1,12 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI="6"
 
 inherit eutils flag-o-matic libtool multilib toolchain-funcs
 
+PATCHES=( "${FILESDIR}"/policy-hardening.patch )
+
 if [[ ${PV} == "9999" ]] ; then
        EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git";
        inherit git-r3
@@ -191,3 +193,33 @@ src_install() {
        insinto /usr/share/${PN}
        doins config/*icm
 }
+
+pkg_postinst() {
+       local _show_policy_xml_notice=
+
+       if [[ -z "${REPLACING_VERSIONS}" ]]; then
+               # This is a new installation
+               _show_policy_xml_notice=yes
+       else
+               local v
+               for v in ${REPLACING_VERSIONS}; do
+                       if ! version_is_at_least "7.0.8.10-r1" ${v}; then
+                               # This is an upgrade
+                               _show_policy_xml_notice=yes
+
+                               # Show this elog only once
+                               break
+                       fi
+               done
+       fi
+
+       if [[ -n "${_show_policy_xml_notice}" ]]; then
+               elog "For security reasons, a policy.xml file was installed in 
/etc/ImageMagick-7"
+               elog "which will prevent the usage of the following coders by 
default:"
+               elog ""
+               elog "  - PS"
+               elog "  - EPS"
+               elog "  - PDF"
+               elog "  - XPS"
+       fi
+}

diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild 
b/media-gfx/imagemagick/imagemagick-9999.ebuild
index aa36a8a3e7b..c4e21494402 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -1,10 +1,12 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI="6"
 
 inherit eutils flag-o-matic libtool multilib toolchain-funcs
 
+PATCHES=( "${FILESDIR}"/policy-hardening.patch )
+
 if [[ ${PV} == "9999" ]] ; then
        EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git";
        inherit git-r3
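Review bot: `PATCHES=( "${FILESDIR}"/policy-hardening.patch )` is applied unconditionally, including to the live 9999 checkout, and a patch with fixed context against upstream's moving `config/policy.xml` will stop applying as soon as that file changes, turning every live build failure into a hardening-patch failure. Consider either limiting the policy patch to the release ebuilds (inside the `else` branch of the `PV == 9999` test visible here) or applying the four policy lines with a small edit in `src_prepare` that checks its own result, so the live ebuild fails loudly only when the policy really could not be inserted.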
@@ -191,3 +193,33 @@ src_install() {
        insinto /usr/share/${PN}
        doins config/*icm
 }
+
+pkg_postinst() {
+       local _show_policy_xml_notice=
+
+       if [[ -z "${REPLACING_VERSIONS}" ]]; then
+               # This is a new installation
+               _show_policy_xml_notice=yes
+       else
+               local v
+               for v in ${REPLACING_VERSIONS}; do
+                       if ! version_is_at_least "7.0.8.10-r1" ${v}; then
+                               # This is an upgrade
+                               _show_policy_xml_notice=yes
+
+                               # Show this elog only once
+                               break
+                       fi
+               done
+       fi
+
+       if [[ -n "${_show_policy_xml_notice}" ]]; then
+               elog "For security reasons, a policy.xml file was installed in 
/etc/ImageMagick-7"
+               elog "which will prevent the usage of the following coders by 
default:"
+               elog ""
+               elog "  - PS"
+               elog "  - EPS"
+               elog "  - PDF"
+               elog "  - XPS"
+       fi
+}
