1 |
commit: c03d5059039c5b0f43c019edfb541ae396162e6f |
2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Apr 24 09:48:20 2020 +0000 |
4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Apr 24 09:49:50 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059 |
7 |
|
8 |
media-gfx/imagemagick: restore hardening |
9 |
|
10 |
Bug: https://bugs.gentoo.org/716674 |
11 |
Package-Manager: Portage-2.3.99, Repoman-2.3.22 |
12 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
13 |
|
14 |
....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++ |
15 |
1 file changed, 42 insertions(+) |
16 |
|
17 |
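diff --git a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
similarity index 86%
rename from media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
rename to media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
index 8f24371e266..4d2561accf7 100644
--- a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 default
 
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^<policymap>$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 elibtoolize # for Darwin modules
 
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
@@ -223,3 +233,35 @@ src_install() {
 insinto /usr/share/${PN}
 doins config/*icm
 }
+
+pkg_postinst() {
+ local _show_policy_xml_notice=
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ _show_policy_xml_notice=yes
+ else
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+ # This is an upgrade
+ _show_policy_xml_notice=yes
+
+ # Show this elog only once
+ break
+ fi
+ done
+ fi
+
+ if [[ -n "${_show_policy_xml_notice}" ]]; then
+ elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
+ elog "which will prevent the usage of the following coders by default:"
+ elog ""
+ elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
+ elog " - EPS"
+ elog " - PDF"
+ elog " - XPS"
+ fi
+}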
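Review bot: The `|| die` after the sed call in src_prepare cannot catch a missed anchor, because `sed -i` exits 0 when `/^<policymap>$/` matches no line; if config/policy.xml ever spells that tag differently, the hardening is skipped while `einfo "policy.xml hardened"` is still printed. Put an explicit guard before the sed so the build fails closed, for example `grep -q '^<policymap>$' config/policy.xml || die "policymap anchor not found in policy.xml"`. Separately, pkg_postinst shows the coder notice only for new installs and for upgrades from versions not greater than 7.0.8.10-r2; if intermediate revisions shipped without the policy (the "restore hardening" title suggests this, but it is not visible here), users upgrading from those would find the PS/EPS/PDF/XPS coders disabled without being told. src_prepare's body continues outside the hunk.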