media-gfx/imagemagick: extend hardening

- PS2 and PS3 coders are now disabled by default, too.

- Instead of patching, we now use sed which should make it
  easier to extend policy.xml in future.

Bug: https://bugs.gentoo.org/664236
Package-Manager: Portage-2.3.48, Repoman-2.3.10
RepoMan-Options: --force

diff --git a/media-gfx/imagemagick/files/policy-hardening.patch b/media-gfx/imagemagick/files/policy-hardening.patch
deleted file mode 100644 (file)
index 9bb8529..0000000
--- a/media-gfx/imagemagick/files/policy-hardening.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/config/policy.xml
-+++ b/config/policy.xml
-@@ -52,6 +52,12 @@
-     <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
- -->
- <policymap>
-+  <!-- https://www.kb.cert.org/vuls/id/332928 mitigation -->
-+  <policy domain="coder" rights="none" pattern="PS" />
-+  <policy domain="coder" rights="none" pattern="EPS" />
-+  <policy domain="coder" rights="none" pattern="PDF" />
-+  <policy domain="coder" rights="none" pattern="XPS" />
-+
-   <!-- <policy domain="system" name="shred" value="2"/> -->
-   <!-- <policy domain="system" name="precision" value="6"/> -->
-   <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->

diff --git a/media-gfx/imagemagick/files/policy-hardening.snippet b/media-gfx/imagemagick/files/policy-hardening.snippet
new file mode 100644 (file)
index 0000000..c1a91b0
--- /dev/null
+++ b/media-gfx/imagemagick/files/policy-hardening.snippet
@@ -0,0 +1,9 @@
+<policymap>
+  <!-- https://www.kb.cert.org/vuls/id/332928 mitigation / https://bugs.gentoo.org/664236 -->
+  <policy domain="coder" rights="none" pattern="PS" />
+  <policy domain="coder" rights="none" pattern="PS2" />
+  <policy domain="coder" rights="none" pattern="PS3" />
+  <policy domain="coder" rights="none" pattern="EPS" />
+  <policy domain="coder" rights="none" pattern="PDF" />
+  <policy domain="coder" rights="none" pattern="XPS" />
+

diff --git a/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild b/media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
similarity index 94%
rename from media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
rename to media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
index dae568f6693b10954d8809e3c8d0daa6cc0a91f6..970ff4c9a5a9f0a2fb93de4361905803df68ed01 100644 (file)
--- a/media-gfx/imagemagick/imagemagick-6.9.10.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-6.9.10.10-r2.ebuild
@@ -66,9 +66,19 @@ REQUIRED_USE="corefonts? ( truetype )
 
 S="${WORKDIR}/${MY_P}"
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 src_prepare() {
+       default
+
+       # Apply hardening #664236
+       cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+       sed -i -e '/^<policymap>$/ {
+                       r policy-hardening.snippet
+                       d
+               }' \
+               config/policy.xml || \
+               die "Failed to apply hardening of policy.xml"
+       einfo "policy.xml hardened"
+
        # Install default (unrestricted) policy in $HOME for test suite #664238
        local _im_local_config_home="${HOME}/.config/ImageMagick"
        mkdir -p "${_im_local_config_home}" || \
@@ -76,12 +86,10 @@ src_prepare() {
        cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
                die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
-       local mesa_cards ati_cards nvidia_cards render_cards
-       default
-
        elibtoolize # for Darwin modules
 
        # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+       local mesa_cards ati_cards nvidia_cards render_cards
        shopt -s nullglob
        ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
        if test -n "${ati_cards}"; then
@@ -203,7 +211,7 @@ pkg_postinst() {
        else
                local v
                for v in ${REPLACING_VERSIONS}; do
-                       if ! ver_test "${v}" -gt "6.9.10.10-r1"; then
+                       if ! ver_test "${v}" -gt "6.9.10.10-r2"; then
                                # This is an upgrade
                                _show_policy_xml_notice=yes
 
@@ -218,6 +226,8 @@ pkg_postinst() {
                elog "which will prevent the usage of the following coders by default:"
                elog ""
                elog "  - PS"
+               elog "  - PS2"
+               elog "  - PS3"
                elog "  - EPS"
                elog "  - PDF"
                elog "  - XPS"

diff --git a/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild b/media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
similarity index 93%
rename from media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
rename to media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
index 2c348ed3d6d140a3f30de2e95fb4af22e7327cbe..63922969bc3b6a554fc4e69006e5d1c70fa00c6a 100644 (file)
--- a/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.8.10-r2.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
        EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
        inherit git-r3
@@ -16,7 +14,7 @@ else
        SRC_URI="mirror://${PN}/${MY_P}.tar.xz"
        KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
 
-       PATCHES+=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
+       PATCHES=( "${FILESDIR}"/${P}-quantum-private-compile-fix.patch ) #664226
 fi
 
 DESCRIPTION="A collection of tools and libraries for many image formats"
@@ -77,6 +75,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 
 src_prepare() {
+       default
+
+       # Apply hardening #664236
+       cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+       sed -i -e '/^<policymap>$/ {
+                       r policy-hardening.snippet
+                       d
+               }' \
+               config/policy.xml || \
+               die "Failed to apply hardening of policy.xml"
+       einfo "policy.xml hardened"
+
        # Install default (unrestricted) policy in $HOME for test suite #664238
        local _im_local_config_home="${HOME}/.config/ImageMagick"
        mkdir -p "${_im_local_config_home}" || \
@@ -84,12 +94,10 @@ src_prepare() {
        cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
                die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
-       local ati_cards mesa_cards nvidia_cards render_cards
-       default
-
        elibtoolize # for Darwin modules
 
        # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+       local ati_cards mesa_cards nvidia_cards render_cards
        shopt -s nullglob
        ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
        if test -n "${ati_cards}"; then
@@ -211,7 +219,7 @@ pkg_postinst() {
        else
                local v
                for v in ${REPLACING_VERSIONS}; do
-                       if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+                       if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
                                # This is an upgrade
                                _show_policy_xml_notice=yes
 
@@ -226,6 +234,8 @@ pkg_postinst() {
                elog "which will prevent the usage of the following coders by default:"
                elog ""
                elog "  - PS"
+               elog "  - PS2"
+               elog "  - PS3"
                elog "  - EPS"
                elog "  - PDF"
                elog "  - XPS"

diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild b/media-gfx/imagemagick/imagemagick-9999.ebuild
index c088f2a808b934ace429dab432edd156dd6780e8..25c4681ac138b660bc246fca6ad8d3616141dc4f 100644 (file)
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -5,8 +5,6 @@ EAPI="6"
 
 inherit eapi7-ver eutils flag-o-matic libtool multilib toolchain-funcs
 
-PATCHES=( "${FILESDIR}"/policy-hardening.patch )
-
 if [[ ${PV} == "9999" ]] ; then
        EGIT_REPO_URI="https://github.com/ImageMagick/ImageMagick.git"
        inherit git-r3
@@ -75,6 +73,18 @@ REQUIRED_USE="corefonts? ( truetype )
 S="${WORKDIR}/${MY_P}"
 
 src_prepare() {
+       default
+
+       # Apply hardening #664236
+       cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+       sed -i -e '/^<policymap>$/ {
+                       r policy-hardening.snippet
+                       d
+               }' \
+               config/policy.xml || \
+               die "Failed to apply hardening of policy.xml"
+       einfo "policy.xml hardened"
+
        # Install default (unrestricted) policy in $HOME for test suite #664238
        local _im_local_config_home="${HOME}/.config/ImageMagick"
        mkdir -p "${_im_local_config_home}" || \
@@ -82,12 +92,10 @@ src_prepare() {
        cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
                die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
 
-       local ati_cards mesa_cards nvidia_cards render_cards
-       default
-
        elibtoolize # for Darwin modules
 
        # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
+       local ati_cards mesa_cards nvidia_cards render_cards
        shopt -s nullglob
        ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
        if test -n "${ati_cards}"; then
@@ -209,7 +217,7 @@ pkg_postinst() {
        else
                local v
                for v in ${REPLACING_VERSIONS}; do
-                       if ! ver_test "${v}" -gt "7.0.8.10-r1"; then
+                       if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
                                # This is an upgrade
                                _show_policy_xml_notice=yes
 
@@ -224,6 +232,8 @@ pkg_postinst() {
                elog "which will prevent the usage of the following coders by default:"
                elog ""
                elog "  - PS"
+               elog "  - PS2"
+               elog "  - PS3"
                elog "  - EPS"
                elog "  - PDF"
                elog "  - XPS"