commit: 3a7675dea3b1f6267beda622d1b0d6b3e5a3f145 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Fri Apr 24 09:49:15 2020 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Fri Apr 24 09:49:51 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7675de |
|
Revert "media-gfx/imagemagick: Hardening is not needed for a long time" |
|
This reverts commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe. |
|
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
media-gfx/imagemagick/imagemagick-9999.ebuild | 42 +++++++++++++++++++++++++++ |
1 file changed, 42 insertions(+) |
|
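diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild b/media-gfx/imagemagick/imagemagick-9999.ebuild
index 8f24371e266..4d2561accf7 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 default
 
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 elibtoolize # for Darwin modules
 
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
@@ -223,3 +233,35 @@ src_install() {
 insinto /usr/share/${PN}
 doins config/*icm
 }
+
+pkg_postinst() {
+ local _show_policy_xml_notice=
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ _show_policy_xml_notice=yes
+ else
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+ # This is an upgrade
+ _show_policy_xml_notice=yes
+
+ # Show this elog only once
+ break
+ fi
+ done
+ fi
+
+ if [[ -n "${_show_policy_xml_notice}" ]]; then
+ elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
+ elog "which will prevent the usage of the following coders by default:"
+ elog ""
+ elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
+ elog " - EPS"
+ elog " - PDF"
+ elog " - XPS"
+ fi
+}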
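Review bot: The hardening step in src_prepare() fails open: `sed` exits 0 when `/^<policymap>$/` matches no line, so the `|| die` never fires and `einfo "policy.xml hardened"` is printed even though nothing was inserted. Because this is the live 9999 ebuild, upstream's config/policy.xml could plausibly change shape (attributes on the tag, leading whitespace) and the package would then install an unhardened policy without any build-time signal. I would assert the anchor before the sed, `grep -q '^<policymap>$' config/policy.xml || die "policymap anchor not found in config/policy.xml"`, so the build stops instead. The coder list in pkg_postinst() is maintained separately from policy-hardening.snippet (not visible here), so a comment above the elog lines such as `# Keep in sync with ${FILESDIR}/policy-hardening.snippet` would help keep the notice accurate. src_prepare()'s body continues outside the first hunk.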