commit: df7afbda6b12a68578833225e694cee011b20342
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 24 14:33:55 2018 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Aug 24 14:34:15 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda
media-gfx/imagemagick: extend hardening
- PS2 and PS3 coders are now disabled by default, too.
- Instead of patching, we now use sed which should make it easier to extend policy.xml in future.
Bug: https://bugs.gentoo.org/664236
Package-Manager: Portage-2.3.48, Repoman-2.3.10
RepoMan-Options: --force
media-gfx/imagemagick/files/policy-hardening.patch | 15 --------------
.../imagemagick/files/policy-hardening.snippet | 9 ++++++++
...0-r1.ebuild => imagemagick-6.9.10.10-r2.ebuild} | 22 ++++++++++++++------
...10-r1.ebuild => imagemagick-7.0.8.10-r2.ebuild} | 24 +++++++++++++++-------
media-gfx/imagemagick/imagemagick-9999.ebuild | 22 ++++++++++++++------
5 files changed, 58 insertions(+), 34 deletions(-)
diff --git a/media-gfx/imagemagick/files/policy-hardening.patch b/media-gfx/imagemagick/files/policy-hardening.patch
deleted file mode 100644
index 9bb8529d191..00000000000
--- a/media-gfx/imagemagick/files/policy-hardening.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/config/policy.xml
-+++ b/config/policy.xml
-@@ -52,6 +52,12 @@
- <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
- -->
- <policymap>
-+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation -->
-+ <policy domain="coder" rights="none" pattern="PS" />
-+ <policy domain="coder" rights="none" pattern="EPS" />
-+ <policy domain="coder" rights="none" pattern="PDF" />
-+ <policy domain="coder" rights="none" pattern="XPS" />
-+
- <!-- <policy domain="system" name="shred" value="2"/> -->
- <!-- <policy domain="system" name="precision" value="6"/> -->
- <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
diff --git a/media-gfx/imagemagick/files/policy-hardening.snippet b/media-gfx/imagemagick/files/policy-hardening.snippet
new file mode 100644
index 00000000000..c1a91b0b874
--- /dev/null
+++ b/media-gfx/imagemagick/files/policy-hardening.snippet
@@ -0,0 +1,9 @@
+<policymap>
+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation / https://bugs.gentoo.org/664236 -->
+ <policy domain="coder" rights="none" pattern="PS" />
+ <policy domain="coder" rights="none" pattern="PS2" />
+ <policy domain="coder" rights="none" pattern="PS3" />
+ <policy domain="coder" rights="none" pattern="EPS" />
+ <policy domain="coder" rights="none" pattern="PDF" />
+ <policy domain="coder" rights="none" pattern="XPS" />
+
diff --git a/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild b/media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
similarity index 94%
rename from media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
rename to media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
index dae568f6693..970ff4c9a5a 100644
--- a/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
@@ -66,9 +66,19 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
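Review bot: The snippet opens with a `<policymap>` tag but nothing in the file says why, so someone extending it could drop or duplicate the tag; the ebuilds' sed deletes policy.xml's original `<policymap>` line and reads this file in its place, which makes that first line load-bearing. A leading comment such as `<!-- Read into config/policy.xml by src_prepare() in place of the original <policymap> line; keep the opening tag. -->` would make the contract visible where the file is edited. The list also names only the coders cited in VU#332928; ImageMagick appears to register further aliases on the same Ghostscript-backed coders (EPI, EPSF, EPSI, EPS2, EPS3, EPDF, AI, for example), so if the intent is to close the delegate rather than these six names, the list is worth cross-checking against the coder names this release registers.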
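Review bot: The `|| die` after `sed -i` in the new src_prepare block only catches sed's own errors; if `/^<policymap>$/` never matches (trailing whitespace, an attribute on the tag, an upstream reformat), sed exits 0, policy.xml ships unhardened and `einfo "policy.xml hardened"` still reports success. A check on the result closes that gap, e.g. `grep -qF 'pattern="PS3"' config/policy.xml || die "policy.xml hardening did not apply"` placed before the einfo. The same block appears unchanged in the 7.0.8.10-r2 and 9999 hunks; the live 9999 ebuild, which builds whatever upstream HEAD currently ships as policy.xml, is the most likely to hit a silent non-match. src_prepare() continues beyond this hunk.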
@@ -76,12 +86,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
- local mesa_cards ati_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local mesa_cards ati_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -203,7 +211,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "6.9.10.10-r1"; then
+ if ! ver_test "${v}" -gt "6.9.10.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
@@ -218,6 +226,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"
diff --git a/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild b/media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
similarity index 93%
rename from media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
rename to media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
index 2c348ed3d6d..63922969bc3 100644
--- a/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
 EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
 inherit git-r3
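Review bot: `if ! ver_test "${v}" -gt "6.9.10.10-r2"; then` is also true when the replaced version equals 6.9.10.10-r2, so re-emerging the same revision prints the policy notice even though the comment below calls the case an upgrade; if upgrade-only is the intent, `-ge` expresses it (`if ! ver_test "${v}" -ge "6.9.10.10-r2"; then`). Whichever comparison is kept, the hard-coded revision has to move in step with the snippet every time the coder list changes, and a comment saying so, e.g. `# first revision shipping the current coder list; bump when the snippet changes`, would keep the two from drifting apart. The same comparison is bumped in the 7.0.8.10-r2 and 9999 hunks. pkg_postinst() starts and ends outside this hunk.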
@@ -16,7 +14,7 @@ else
 SRC_URI="mirror://${PN}/${MY_P}.tar.xz"
 KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
- PATCHES+=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
+ PATCHES=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
 fi
 DESCRIPTION="A collection of tools and libraries for many image formats"
@@ -77,6 +75,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
@@ -84,12 +94,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
- local ati_cards mesa_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local ati_cards mesa_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -211,7 +219,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
@@ -226,6 +234,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"
diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild b/media-gfx/imagemagick/imagemagick-9999.ebuild
index c088f2a808b..25c4681ac13 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
 EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
 inherit git-r3
@@ -75,6 +73,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
@@ -82,12 +92,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
- local ati_cards mesa_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local ati_cards mesa_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -209,7 +217,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
@@ -224,6 +232,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"
