commit: df7afbda6b12a68578833225e694cee011b20342 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Fri Aug 24 14:33:55 2018 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Fri Aug 24 14:34:15 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda |
|
media-gfx/imagemagick: extend hardening |
|
- PS2 and PS3 coders are now disabled by default, too. |
|
- Instead of patching, we now use sed which should make it |
easier to extend policy.xml in future. |
|
Bug: https://bugs.gentoo.org/664236 |
Package-Manager: Portage-2.3.48, Repoman-2.3.10 |
RepoMan-Options: --force |
|
media-gfx/imagemagick/files/policy-hardening.patch | 15 -------------- |
.../imagemagick/files/policy-hardening.snippet | 9 ++++++++ |
...0-r1.ebuild => imagemagick-6.9.10.10-r2.ebuild} | 22 ++++++++++++++------ |
...10-r1.ebuild => imagemagick-7.0.8.10-r2.ebuild} | 24 +++++++++++++++------- |
media-gfx/imagemagick/imagemagick-9999.ebuild | 22 ++++++++++++++------ |
5 files changed, 58 insertions(+), 34 deletions(-) |
|
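--- a/media-gfx/imagemagick/files/policy-hardening.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/config/policy.xml
-+++ b/config/policy.xml
-@@ -52,6 +52,12 @@
- <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
- -->
- <policymap>
-+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation -->
-+ <policy domain="coder" rights="none" pattern="PS" />
-+ <policy domain="coder" rights="none" pattern="EPS" />
-+ <policy domain="coder" rights="none" pattern="PDF" />
-+ <policy domain="coder" rights="none" pattern="XPS" />
-+
- <!-- <policy domain="system" name="shred" value="2"/> -->
- <!-- <policy domain="system" name="precision" value="6"/> -->
- <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->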
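--- /dev/null
+++ b/media-gfx/imagemagick/files/policy-hardening.snippet
@@ -0,0 +1,9 @@
+<policymap>
+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation / https://bugs.gentoo.org/664236 -->
+ <policy domain="coder" rights="none" pattern="PS" />
+ <policy domain="coder" rights="none" pattern="PS2" />
+ <policy domain="coder" rights="none" pattern="PS3" />
+ <policy domain="coder" rights="none" pattern="EPS" />
+ <policy domain="coder" rights="none" pattern="PDF" />
+ <policy domain="coder" rights="none" pattern="XPS" />
+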
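Review bot: The snippet's first line re-emits the `<policymap>` opening tag, so the file is only a valid fragment when its consumer deletes upstream's own `<policymap>` line (which the ebuilds' sed `d` command does), and nothing in the file records that coupling. Anyone later adding a second consumer or editing the snippet to drop the tag would silently produce a policy.xml with zero or two opening tags. A short XML comment after the tag would make the contract explicit, e.g. `<!-- Inserted by the ebuild's src_prepare in place of upstream's <policymap> line; keep the tag here. -->`.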
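--- a/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
@@ -66,9 +66,19 @@ REQUIRED_USE="corefonts? ( truetype )
 
 S="${WORKDIR}/${MY_P}"
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
@@ -76,12 +86,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
- local mesa_cards ati_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local mesa_cards ati_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -203,7 +211,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "6.9.10.10-r1"; then
+ if ! ver_test "${v}" -gt "6.9.10.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
 
@@ -218,6 +226,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"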
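Review bot: The sed rewrite added to src_prepare (`sed -i -e '/^<policymap>$/ {` … `config/policy.xml || die …`) can silently leave policy.xml unhardened: if upstream ever changes that line (attributes, trailing whitespace, different indentation), the address matches nothing, sed still exits 0, the `|| die` never fires, and `einfo "policy.xml hardened"` is printed regardless. The PATCHES-based approach this replaces would have failed loudly on a context mismatch, so for a security-motivated change this is a regression in fail-safety. A post-condition check before the einfo restores it, e.g. `grep -q 'rights="none" pattern="PS2"' config/policy.xml || die "policy.xml hardening not applied"`. The identical src_prepare blocks in imagemagick-7.0.8.10-r2.ebuild and imagemagick-9999.ebuild need the same check; the rest of src_prepare continues outside the hunk.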
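--- a/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
 EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
 inherit git-r3
@@ -16,7 +14,7 @@ else
 SRC_URI="mirror://${PN}/${MY_P}.tar.xz"
 KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
 
- PATCHES+=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
+ PATCHES=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
 fi
 
 DESCRIPTION="A collection of tools and libraries for many image formats"
@@ -77,6 +75,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
@@ -84,12 +94,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
- local ati_cards mesa_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local ati_cards mesa_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -211,7 +219,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
 
@@ -226,6 +234,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"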
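--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
 EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
 inherit git-r3
@@ -75,6 +73,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 
 src_prepare() {
+ default
+
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 # Install default (unrestricted) policy in $HOME for test suite #664238
 local _im_local_config_home="${HOME}/.config/ImageMagick"
 mkdir -p "${_im_local_config_home}" || \
@@ -82,12 +92,10 @@ src_prepare() {
 cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
 die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
- local ati_cards mesa_cards nvidia_cards render_cards
- default
-
 elibtoolize # for Darwin modules
 
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+ local ati_cards mesa_cards nvidia_cards render_cards
 shopt -s nullglob
 ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
 if test -n "${ati_cards}"; then
@@ -209,7 +217,7 @@ pkg_postinst() {
 else
 local v
 for v in ${REPLACING_VERSIONS}; do
- if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
 # This is an upgrade
 _show_policy_xml_notice=yes
 
@@ -224,6 +232,8 @@ pkg_postinst() {
 elog "which will prevent the usage of the following coders by default:"
 elog ""
 elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
 elog " - EPS"
 elog " - PDF"
 elog " - XPS"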