From c03d5059039c5b0f43c019edfb541ae396162e6f Mon Sep 17 00:00:00 2001
From: Thomas Deutschmann
Date: Fri, 24 Apr 2020 11:48:20 +0200
Subject: [PATCH] media-gfx/imagemagick: restore hardening
Bug: https://bugs.gentoo.org/716674
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann
---
 ....ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 rename media-gfx/imagemagick/{imagemagick-7.0.10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} (86%)
diff --git a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
similarity index 86%
rename from media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
rename to media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
index 8f24371e2660..4d2561accf79 100644
--- a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
+++ b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 default
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
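Review bot: The `|| die` after the `sed` call cannot detect a hardening that was never applied, because sed exits 0 when `/^$/` matches no line in `config/policy.xml`, and `einfo "policy.xml hardened"` is then printed regardless. If a later upstream policy.xml contains no empty line the snippet is silently skipped, and if it contains several the snippet is inserted once per match. Check the anchor before the sed, for example `[[ $(grep -c '^$' config/policy.xml) -eq 1 ]] || die "policy.xml: expected exactly one empty line as hardening anchor"`, so that a version bump fails loudly instead of shipping an unhardened policy. The body of src_prepare continues past the end of this hunk.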
@@ -223,3 +233,35 @@ src_install() {
 insinto /usr/share/${PN}
 doins config/*icm
 }
+
+pkg_postinst() {
+ local _show_policy_xml_notice=
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ _show_policy_xml_notice=yes
+ else
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+ # This is an upgrade
+ _show_policy_xml_notice=yes
+
+ # Show this elog only once
+ break
+ fi
+ done
+ fi
+
+ if [[ -n "${_show_policy_xml_notice}" ]]; then
+ elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
+ elog "which will prevent the usage of the following coders by default:"
+ elog ""
+ elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
+ elog " - EPS"
+ elog " - PDF"
+ elog " - XPS"
+ fi
+}
--
2.26.2
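Review bot: The cut-off in `if ! ver_test "${v}" -gt "7.0.8.10-r2"; then` means anyone upgrading from a version newer than 7.0.8.10-r2 gets no notice, and that presumably includes 7.0.10.7, the revision this commit replaces in order to restore the hardening. For those users the PS/EPS/PDF/XPS coders become blocked again on upgrade without any elog explaining why. If 7.0.10.7 did ship without the policy, compare against it instead, e.g. `if ! ver_test "${v}" -gt "7.0.10.7"; then`. A comment above the loop should record which revisions lacked the hardening, so the threshold can be checked on the next bump.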