summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbsiegert <bsiegert@pkgsrc.org>2018-08-25 19:29:35 +0000
committerbsiegert <bsiegert@pkgsrc.org>2018-08-25 19:29:35 +0000
commitc6f955bd2dd76895e94500e953de08c0fee0c49a (patch)
treed610cbde735eec6890389db5f829d08102cca570
parentc0e6f08d316cd781b69bfe4f41c9fcf740a1aa77 (diff)
downloadpkgsrc-c6f955bd2dd76895e94500e953de08c0fee0c49a.tar.gz
Pullup ticket #5820 - requested by leot
graphics/ImageMagick: security fix Revisions pulled up: - graphics/ImageMagick/Makefile 1.246-1.247 - graphics/ImageMagick/Makefile.common 1.175 - graphics/ImageMagick/distinfo 1.190-1.192 - graphics/ImageMagick/patches/patch-config_policy.xml 1.1-1.2 --- Module Name: pkgsrc Committed By: wiz Date: Thu Aug 16 08:23:16 UTC 2018 Modified Files: pkgsrc/graphics/ImageMagick: Makefile.common distinfo Log Message: ImageMagick: update to 7.0.8.10. 2018-08-13 7.0.8-10 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-10, GIT revision 14646:48fba3256:201= 80813 2018-08-12 7.0.8-10 Dirk Lemstra <dirk@lem.....org> * Added dcraw coder (dcraw:img.cr2) that can be used to force the use of= the dcraw delegate when libraw is the default raw delegate. * Restored thread support for the HEIC coder. 2018-08-08 7.0.8-10 Cristy <quetzlzacatenango@image...> * ThumbnailImage function no longer reveals sensitive information (refer= ence https://github.com/ImageMagick/ImageMagick/issues/1243). 2018-08-06 7.0.8-9 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-9, GIT revision 14618:a3663c3dc:2018= 0805. 2018-07-24 7.0.8-9 Cristy <quetzlzacatenango@image...> * XBM coder leaves the hex image data uninitialized if hex value of the pixel is negative. * More improvements to SVG text handling. * New -range threshold option that combines hard and soft thresholding. 2018-07-23 7.0.8-8 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-8, GIT revision 14583:300fdbcfd:2018= 0723. 2018-07-20 7.0.8-8 Cristy <quetzlzacatenango@image...> * Non-HDRI ScaleLongToQuantum() private method no longer adds a half int= erval. * Fixed memset() negative-size-param (reference https://github.com/ImageMagick/ImageMagick/issues/1217). 2018-07-16 7.0.8-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-7, GIT revision 14561:f85c23180:2018= 0716. 2018-07-15 7.0.8-7 Cristy <quetzlzacatenango@image...> * Fixed numerous use of uninitialized values, integer overflow, memory exceeded, and timeouts (credit to OSS Fuzz). 2018-07-08 7.0.8-6 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-6, GIT revision 14541:db940ccd2:2018= 0708. 2018-07-06 7.0.8-6 Cristy <quetzlzacatenango@image...> * Improve SVG support for tspan element. * Add support for -fx image.extent. 2018-07-04 7.0.8-5 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-5, GIT revision 14514:bba545bbb:2018= 0704. 2018-07-04 7.0.8-5 Cristy <quetzlzacatenango@image...> * Fixed a few potential memory leaks https://github.com/ImageMagick/ImageMagick/issues). 2018-07-02 7.0.8-4 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-4, GIT revision 14505:4613eed4a:2018= 0702. 2018-06-28 7.0.8-4 Cristy <quetzlzacatenango@image...> * Small tweaks to compile under Cygwin. * Fixed numerous use of uninitialized values, integer overflow, memory exceeded, and timeouts (credit to OSS Fuzz). * Support %B property, the image file size without any decorations. 2018-06-24 7.0.8-3 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.8-3, GIT revision 14489:c63c504e8:2018= 0624. 2018-06-24 7.0.8-3 Cristy <quetzlzacatenango@image...> * Apply translate component of SVG transform rotate. --- Module Name: pkgsrc Committed By: leot Date: Wed Aug 22 13:39:24 UTC 2018 Modified Files: pkgsrc/graphics/ImageMagick: Makefile distinfo Added Files: pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml Log Message: ImageMagick: Disable ghostscript coders by default in policy.xml Disable ghostscript coders in policy.xml as a workaround for VU#332928 (<https://www.kb.cert.org/vuls/id/332928>). Please note that apart commenting/removing lines added in policy.xml, the ghostscript coders can be enabled per-user by copying policy.xml to ~/.config/ImageMagick/policy.xml and adjusting it with the following lines: | [...] | <policy domain=3D"coder" rights=3D"read|write" pattern=3D"PS" /> | <policy domain=3D"coder" rights=3D"read|write" pattern=3D"EPS" /> | <policy domain=3D"coder" rights=3D"read|write" pattern=3D"PDF" /> | <policy domain=3D"coder" rights=3D"read|write" pattern=3D"XPS" /> | [...] Bump PKGREVISION --- Module Name: pkgsrc Committed By: leot Date: Thu Aug 23 14:52:23 UTC 2018 Modified Files: pkgsrc/graphics/ImageMagick: Makefile distinfo pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml Log Message: ImageMagick: Also block PS2 and PS3 coders in policy.xml At least when reading PS2 and PS3 files via `convert PS2:<input> <output>' and `convert PS3:<input> <output>' gslib/ghostscript will be invoked and hence subject to VU#332928. Pointed out by Bob Friesenhahn via oss-security@ ML (and follow up from VU#332928 update).
Diffstat
-rw-r--r--graphics/ImageMagick/Makefile3
-rw-r--r--graphics/ImageMagick/Makefile.common4
-rw-r--r--graphics/ImageMagick/distinfo11
-rw-r--r--graphics/ImageMagick/patches/patch-config_policy.xml24
4 files changed, 34 insertions, 8 deletions
diff --git a/graphics/ImageMagick/Makefile b/graphics/ImageMagick/Makefile
index 04f45f3c87c..e31c937f10b 100644
--- a/graphics/ImageMagick/Makefile
+++ b/graphics/ImageMagick/Makefile
@@ -1,5 +1,6 @@
-# $NetBSD: Makefile,v 1.244 2018/05/27 06:49:00 wiz Exp $
+# $NetBSD: Makefile,v 1.244.2.1 2018/08/25 19:29:35 bsiegert Exp $
+PKGREVISION= 3
.include "Makefile.common"
PKGNAME= ImageMagick-${DISTVERSION}
diff --git a/graphics/ImageMagick/Makefile.common b/graphics/ImageMagick/Makefile.common
index 5e9a275ec9f..146176a5d08 100644
--- a/graphics/ImageMagick/Makefile.common
+++ b/graphics/ImageMagick/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.174 2018/06/19 22:57:05 ryoon Exp $
+# $NetBSD: Makefile.common,v 1.174.2.1 2018/08/25 19:29:35 bsiegert Exp $
#
# When updating this package, please upload the distfile
# since they disappear immediately when new releases happen,
@@ -7,7 +7,7 @@
# used by graphics/p5-PerlMagick/Makefile
IM_MAJOR_VER= 7.0.8
-IM_MINOR_VER= 2
+IM_MINOR_VER= 10
IM_MAJOR_LIB_VER= 7
.if (${IM_MINOR_VER} != NONE)
diff --git a/graphics/ImageMagick/distinfo b/graphics/ImageMagick/distinfo
index 9d51d830f8e..16a185eb8c6 100644
--- a/graphics/ImageMagick/distinfo
+++ b/graphics/ImageMagick/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.189 2018/06/19 22:57:05 ryoon Exp $
+$NetBSD: distinfo,v 1.189.2.1 2018/08/25 19:29:35 bsiegert Exp $
-SHA1 (ImageMagick-7.0.8-2.tar.xz) = 45b18033646f688a01bd14136a3666c95a74bc7e
-RMD160 (ImageMagick-7.0.8-2.tar.xz) = 08395e4250451102f7c4142a8a7c369c58137ac6
-SHA512 (ImageMagick-7.0.8-2.tar.xz) = 1a0694dddbe12117341fc82e8f8c023e438f38c9cfb65bdfc4d7f9d31299df77796b4b87df641abc9a8a6670d45785d487d141e2bfbd625cd37aeab6b3a85615
-Size (ImageMagick-7.0.8-2.tar.xz) = 8617868 bytes
+SHA1 (ImageMagick-7.0.8-10.tar.xz) = c69fb5b1ec2d04711a98df8762926a37e3f13bc5
+RMD160 (ImageMagick-7.0.8-10.tar.xz) = 9e5339d7e4f2dbc42090cd8394bca5b97dc485ba
+SHA512 (ImageMagick-7.0.8-10.tar.xz) = a4869e0a9be5e04c04fcd1fce5c4141d63968ee7f1dd78d84724921f2f088bdcea8c3b3799e1ff555a2a04dec32a1fb7c4a1e6053a6185e9a36c6ae0f1b9c6ed
+Size (ImageMagick-7.0.8-10.tar.xz) = 8635496 bytes
+SHA1 (patch-config_policy.xml) = 2c446a00fc00f85ab33eae0691d4d8989a46289f
diff --git a/graphics/ImageMagick/patches/patch-config_policy.xml b/graphics/ImageMagick/patches/patch-config_policy.xml
new file mode 100644
index 00000000000..e6eb3e043e2
--- /dev/null
+++ b/graphics/ImageMagick/patches/patch-config_policy.xml
@@ -0,0 +1,24 @@
+$NetBSD: patch-config_policy.xml,v 1.2.2.2 2018/08/25 19:29:35 bsiegert Exp $
+
+Disable ghostscript coders by default to workaround VU#332928:
+<https://www.kb.cert.org/vuls/id/332928>
+
+--- config/policy.xml.orig 2018-08-13 11:05:28.000000000 +0000
++++ config/policy.xml
+@@ -74,4 +74,16 @@
+ <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+ <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+ <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
++
++ <!--
++ -- Disable ghostscript coders as suggested by VU#332928
++ -- <https://www.kb.cert.org/vuls/id/332928>
++ -->
++ <policy domain="coder" rights="none" pattern="PS" />
++ <policy domain="coder" rights="none" pattern="PS2" />
++ <policy domain="coder" rights="none" pattern="PS3" />
++ <policy domain="coder" rights="none" pattern="EPS" />
++ <policy domain="coder" rights="none" pattern="PDF" />
++ <policy domain="coder" rights="none" pattern="XPS" />
++
+ </policymap>
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-05 19:42:54 +0000