From: Thomas Deutschmann
Date: Fri, 24 Apr 2020 09:49:15 +0000 (+0200)
Subject: Revert "media-gfx/imagemagick: Hardening is not needed for a long time"
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=3a7675dea3b1f6267beda622d1b0d6b3e5a3f145;p=gentoo.git

Revert "media-gfx/imagemagick: Hardening is not needed for a long time"

This reverts commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe.

Signed-off-by: Thomas Deutschmann
---

diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild b/media-gfx/imagemagick/imagemagick-9999.ebuild
index 8f24371e2660..4d2561accf79 100644
--- a/media-gfx/imagemagick/imagemagick-9999.ebuild
+++ b/media-gfx/imagemagick/imagemagick-9999.ebuild
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 default
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
@@ -223,3 +233,35 @@ src_install() {
 insinto /usr/share/${PN}
 doins config/*icm
 }
+
+pkg_postinst() {
+ local _show_policy_xml_notice=
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ _show_policy_xml_notice=yes
+ else
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+ # This is an upgrade
+ _show_policy_xml_notice=yes
+
+ # Show this elog only once
+ break
+ fi
+ done
+ fi
+
+ if [[ -n "${_show_policy_xml_notice}" ]]; then
+ elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
+ elog "which will prevent the usage of the following coders by default:"
+ elog ""
+ elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
+ elog " - EPS"
+ elog " - PDF"
+ elog " - XPS"
+ fi
+}
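Review bot: The sed call added to src_prepare() cannot tell whether the snippet was actually inserted: sed exits 0 when no line matches `/^$/`, so the `|| die` never fires for that case and `einfo "policy.xml hardened"` is printed regardless. On this live (9999) ebuild upstream can reformat config/policy.xml at any time, which would silently produce an unhardened policy, and a file with several empty lines would receive the snippet once per empty line. I would verify the result right after the sed, e.g. `grep -q '<STRING_FROM_SNIPPET>' config/policy.xml || die "policy.xml was not hardened"` (placeholder pattern, since the snippet's content is not shown here). src_prepare() continues past the end of the hunk.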
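Review bot: The notice in pkg_postinst() states that policy.xml "was installed" and "will prevent" the listed coders, but on the upgrade branch that may not yet be true: with /etc under CONFIG_PROTECT, a changed /etc/ImageMagick-7/policy.xml can end up staged as a pending config update rather than becoming active. I would add a line for that case, e.g. `elog "If you are upgrading, merge the pending policy.xml update (etc-update/dispatch-conf) to activate it."`. The coder list is also copied by hand from the snippet, so a comment such as `# Keep this list in sync with ${FILESDIR}/policy-hardening.snippet` above the elog block would help keep the notice accurate.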