author | bsiegert <bsiegert@pkgsrc.org> | 2018-08-25 19:26:01 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2018-08-25 19:26:01 +0000 |
commit | c0e6f08d316cd781b69bfe4f41c9fcf740a1aa77 | |
tree | 5d79e1c5f1e0e464fa33c9c889c6ab84c3fde7ab | |
parent | 93d8abdcb35795115a590d0595e9be0528cb241f | |
Pullup ticket #5819 - requested by leot
graphics/ImageMagick6: security fix
Revisions pulled up:
- graphics/ImageMagick6/Makefile 1.18-1.19
- graphics/ImageMagick6/distinfo 1.10-1.11
- graphics/ImageMagick6/patches/patch-config_policy.xml 1.1-1.2
---
Module Name: pkgsrc
Committed By: leot
Date: Wed Aug 22 13:38:00 UTC 2018
Modified Files:
pkgsrc/graphics/ImageMagick6: Makefile distinfo
Added Files:
pkgsrc/graphics/ImageMagick6/patches: patch-config_policy.xml
Log Message:
ImageMagick6: Disable ghostscript coders by default in policy.xml
Disable ghostscript coders in policy.xml as a workaround for
VU#332928 (<https://www.kb.cert.org/vuls/id/332928>).
Please note that apart from commenting/removing lines added in policy.xml,
the ghostscript coders can be enabled per-user by copying policy.xml
to ~/.config/ImageMagick/policy.xml and adjusting it with the
following lines:
| [...]
| <policy domain="coder" rights="read|write" pattern="PS" />
| <policy domain="coder" rights="read|write" pattern="EPS" />
| <policy domain="coder" rights="read|write" pattern="PDF" />
| <policy domain="coder" rights="read|write" pattern="XPS" />
| [...]
Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: leot
Date: Thu Aug 23 14:54:21 UTC 2018
Modified Files:
pkgsrc/graphics/ImageMagick6: Makefile distinfo
pkgsrc/graphics/ImageMagick6/patches: patch-config_policy.xml
Log Message:
ImageMagick6: Also block PS2 and PS3 coders in policy.xml
At least when reading PS2 and PS3 files via
`convert PS2:<input> <output>' and `convert PS3:<input> <output>'
gslib/ghostscript will be invoked and hence subject to VU#332928.
Pointed out by Bob Friesenhahn via oss-security@ ML (and follow up from
VU#332928 update).
-rw-r--r-- | graphics/ImageMagick6/Makefile | 4 |
-rw-r--r-- | graphics/ImageMagick6/distinfo | 3 |
-rw-r--r-- | graphics/ImageMagick6/patches/patch-config_policy.xml | 24 |
3 files changed, 28 insertions, 3 deletions
diff --git a/graphics/ImageMagick6/Makefile b/graphics/ImageMagick6/Makefile index 690ad4db51f..65aa57f1052 100644 --- a/graphics/ImageMagick6/Makefile +++ b/graphics/ImageMagick6/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.16 2018/04/17 22:29:32 wiz Exp $ +# $NetBSD: Makefile,v 1.16.2.1 2018/08/25 19:26:01 bsiegert Exp $ -PKGREVISION= 2 +PKGREVISION= 5 .include "Makefile.common" PKGNAME= ImageMagick6-${DISTVERSION} diff --git a/graphics/ImageMagick6/distinfo b/graphics/ImageMagick6/distinfo index 3c1d71af2a2..c0737e50f3b 100644 --- a/graphics/ImageMagick6/distinfo +++ b/graphics/ImageMagick6/distinfo @@ -1,7 +1,8 @@ -$NetBSD: distinfo,v 1.9 2018/03/12 15:47:00 fhajny Exp $ +$NetBSD: distinfo,v 1.9.4.1 2018/08/25 19:26:01 bsiegert Exp $ SHA1 (ImageMagick-6.9.9-38.tar.xz) = 2dc6b3c415b342efb7ab64d18bb801c7f1881212 RMD160 (ImageMagick-6.9.9-38.tar.xz) = 50008946057cde9fc7a6d0149414e870a2a351b0 SHA512 (ImageMagick-6.9.9-38.tar.xz) = 78ecb605d2ea529603bab723c284be9c03a7d370814bbe708c2c34e0b91f75c1a0c193a5a2ea8f3583019d3610ac08d0d28671d8fdb2df2478865d9ab7417b91 Size (ImageMagick-6.9.9-38.tar.xz) = 8913864 bytes SHA1 (patch-Makefile.in) = bb747b5e062f2a59e307289b5b33861dd5f96ab0 +SHA1 (patch-config_policy.xml) = 2c446a00fc00f85ab33eae0691d4d8989a46289f diff --git a/graphics/ImageMagick6/patches/patch-config_policy.xml b/graphics/ImageMagick6/patches/patch-config_policy.xml new file mode 100644 index 00000000000..bed9aa95c97 --- /dev/null +++ b/graphics/ImageMagick6/patches/patch-config_policy.xml 
@@ -0,0 +1,24 @@ +$NetBSD: patch-config_policy.xml,v 1.2.2.2 2018/08/25 19:26:01 bsiegert Exp $ + +Disable ghostscript coders by default to workaround VU#332928: +<https://www.kb.cert.org/vuls/id/332928> + +--- config/policy.xml.orig 2018-08-13 11:05:28.000000000 +0000 ++++ config/policy.xml +@@ -74,4 +74,16 @@ + <!-- <policy domain="cache" name="memory-map" value="anonymous"/> --> + <!-- <policy domain="cache" name="synchronize" value="True"/> --> + <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> ++ ++ <!-- ++ -- Disable ghostscript coders as suggested by VU#332928 ++ -- <https://www.kb.cert.org/vuls/id/332928> ++ --> ++ <policy domain="coder" rights="none" pattern="PS" /> ++ <policy domain="coder" rights="none" pattern="PS2" /> ++ <policy domain="coder" rights="none" pattern="PS3" /> ++ <policy domain="coder" rights="none" pattern="EPS" /> ++ <policy domain="coder" rights="none" pattern="PDF" /> ++ <policy domain="coder" rights="none" pattern="XPS" /> ++ + </policymap> |
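Review bot: In the graphics/ImageMagick6/Makefile hunk, PKGREVISION jumps from 2 to 5, while the pullup lists only Makefile revisions 1.18-1.19 on top of a 1.16 base, so two bumps would normally land on 4. If the value is chosen to match trunk, please say so in the pullup message; otherwise the skipped values look like revisions that were missed.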
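Review bot: In the patch-config_policy.xml hunk, the six `rights="none"` entries form an exact-name denylist, and the second pulled-up revision already had to add PS2 and PS3, so any other coder name that ends up invoking ghostscript stays enabled. Please check the list against the ghostscript delegates of this build before relying on it as the workaround for VU#332928. Separately, the inner lines of the added comment block begin with `--`, which XML does not permit inside a comment; a strict XML parser would reject the file, so use plain text there instead.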