commit:     c03d5059039c5b0f43c019edfb541ae396162e6f
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 24 09:48:20 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Apr 24 09:49:50 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059

media-gfx/imagemagick: restore hardening

Bug: https://bugs.gentoo.org/716674
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 ....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild 
b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
similarity index 86%
rename from media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
rename to media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
index 8f24371e266..4d2561accf7 100644
--- a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
        default
 
+       # Apply hardening #664236
+       cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+       sed -i -e '/^<policymap>$/ {
+                       r policy-hardening.snippet
+                       d
+               }' \
+               config/policy.xml || \
+               die "Failed to apply hardening of policy.xml"
+       einfo "policy.xml hardened"
+
        elibtoolize # for Darwin modules
 
        # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
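Review bot: The `|| die` on the sed at lines 31-36 only catches a sed failure, not a non-match: if upstream's `config/policy.xml` ever stops carrying a bare `<policymap>` line (trailing whitespace, attributes on the element, a different root), `sed -i` still exits 0, nothing is inserted, and `einfo "policy.xml hardened"` reports success while the unhardened policy ships silently — the very regression this revision is fixing. Guard the precondition before the edit, e.g. `grep -qx '<policymap>' config/policy.xml || die "policy.xml layout changed, hardening not applied"`, so a future upstream change fails the build loudly instead. The snippet's contents are not part of this diff, so a post-edit check for a specific policy line is left to the maintainer; the rest of src_prepare continues outside the hunk.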
@@ -223,3 +233,35 @@ src_install() {
        insinto /usr/share/${PN}
        doins config/*icm
 }
+
+pkg_postinst() {
+       local _show_policy_xml_notice=
+
+       if [[ -z "${REPLACING_VERSIONS}" ]]; then
+               # This is a new installation
+               _show_policy_xml_notice=yes
+       else
+               local v
+               for v in ${REPLACING_VERSIONS}; do
+                       if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+                               # This is an upgrade
+                               _show_policy_xml_notice=yes
+
+                               # Show this elog only once
+                               break
+                       fi
+               done
+       fi
+
+       if [[ -n "${_show_policy_xml_notice}" ]]; then
+               elog "For security reasons, a policy.xml file was installed in 
/etc/ImageMagick-7"
+               elog "which will prevent the usage of the following coders by 
default:"
+               elog ""
+               elog "  - PS"
+               elog "  - PS2"
+               elog "  - PS3"
+               elog "  - EPS"
+               elog "  - PDF"
+               elog "  - XPS"
+       fi
+}
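Review bot: The threshold in `if ! ver_test "${v}" -gt "7.0.8.10-r2"; then` at line 56 means a user replacing 7.0.10.7 with this -r1 gets no notice: 7.0.10.7 is greater than 7.0.8.10-r2, so the loop never sets `_show_policy_xml_notice`, yet for that user the installed policy.xml is exactly what changes here (that 7.0.10.7 shipped without the hardened policy is inferred from the commit title "restore hardening", not visible in this diff). If so, the condition should also cover that range, e.g. `if ! ver_test "${v}" -gt "7.0.8.10-r2" || ver_test "${v}" -eq "7.0.10.7"; then`, adjusted to whichever revisions actually lacked the hardening. It would also help to add one elog line noting that an existing, locally edited `/etc/ImageMagick-7/policy.xml` is CONFIG_PROTECTed, so the hardened file only takes effect once the pending config update is merged. The coder list quoted in the elog comes from the FILESDIR snippet, which this diff does not show, so its accuracy cannot be checked here.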
