author | bsiegert <bsiegert@pkgsrc.org> | 2018-08-25 19:29:35 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2018-08-25 19:29:35 +0000 |
commit | c6f955bd2dd76895e94500e953de08c0fee0c49a (patch) | |
tree | d610cbde735eec6890389db5f829d08102cca570 | |
parent | c0e6f08d316cd781b69bfe4f41c9fcf740a1aa77 (diff) | |
download | pkgsrc-c6f955bd2dd76895e94500e953de08c0fee0c49a.tar.gz |
Pullup ticket #5820 - requested by leot
graphics/ImageMagick: security fix
Revisions pulled up:
- graphics/ImageMagick/Makefile 1.246-1.247
- graphics/ImageMagick/Makefile.common 1.175
- graphics/ImageMagick/distinfo 1.190-1.192
- graphics/ImageMagick/patches/patch-config_policy.xml 1.1-1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Aug 16 08:23:16 UTC 2018
Modified Files:
pkgsrc/graphics/ImageMagick: Makefile.common distinfo
Log Message:
ImageMagick: update to 7.0.8.10.
2018-08-13 7.0.8-10 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-10, GIT revision 14646:48fba3256:20180813
2018-08-12 7.0.8-10 Dirk Lemstra <dirk@lem.....org>
* Added dcraw coder (dcraw:img.cr2) that can be used to force the use of the
dcraw delegate when libraw is the default raw delegate.
* Restored thread support for the HEIC coder.
2018-08-08 7.0.8-10 Cristy <quetzlzacatenango@image...>
* ThumbnailImage function no longer reveals sensitive information (reference
https://github.com/ImageMagick/ImageMagick/issues/1243).
2018-08-06 7.0.8-9 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-9, GIT revision 14618:a3663c3dc:20180805.
2018-07-24 7.0.8-9 Cristy <quetzlzacatenango@image...>
* XBM coder leaves the hex image data uninitialized if hex value of the
pixel is negative.
* More improvements to SVG text handling.
* New -range threshold option that combines hard and soft thresholding.
2018-07-23 7.0.8-8 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-8, GIT revision 14583:300fdbcfd:20180723.
2018-07-20 7.0.8-8 Cristy <quetzlzacatenango@image...>
* Non-HDRI ScaleLongToQuantum() private method no longer adds a half interval.
* Fixed memset() negative-size-param (reference
https://github.com/ImageMagick/ImageMagick/issues/1217).
2018-07-16 7.0.8-7 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-7, GIT revision 14561:f85c23180:20180716.
2018-07-15 7.0.8-7 Cristy <quetzlzacatenango@image...>
* Fixed numerous use of uninitialized values, integer overflow, memory
exceeded, and timeouts (credit to OSS Fuzz).
2018-07-08 7.0.8-6 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-6, GIT revision 14541:db940ccd2:20180708.
2018-07-06 7.0.8-6 Cristy <quetzlzacatenango@image...>
* Improve SVG support for tspan element.
* Add support for -fx image.extent.
2018-07-04 7.0.8-5 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-5, GIT revision 14514:bba545bbb:20180704.
2018-07-04 7.0.8-5 Cristy <quetzlzacatenango@image...>
* Fixed a few potential memory leaks
https://github.com/ImageMagick/ImageMagick/issues).
2018-07-02 7.0.8-4 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-4, GIT revision 14505:4613eed4a:20180702.
2018-06-28 7.0.8-4 Cristy <quetzlzacatenango@image...>
* Small tweaks to compile under Cygwin.
* Fixed numerous use of uninitialized values, integer overflow, memory
exceeded, and timeouts (credit to OSS Fuzz).
* Support %B property, the image file size without any decorations.
2018-06-24 7.0.8-3 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.8-3, GIT revision 14489:c63c504e8:20180624.
2018-06-24 7.0.8-3 Cristy <quetzlzacatenango@image...>
* Apply translate component of SVG transform rotate.
---
Module Name: pkgsrc
Committed By: leot
Date: Wed Aug 22 13:39:24 UTC 2018
Modified Files:
pkgsrc/graphics/ImageMagick: Makefile distinfo
Added Files:
pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml
Log Message:
ImageMagick: Disable ghostscript coders by default in policy.xml
Disable ghostscript coders in policy.xml as a workaround for
VU#332928 (<https://www.kb.cert.org/vuls/id/332928>).
Please note that apart from commenting/removing lines added in policy.xml,
the ghostscript coders can be enabled per-user by copying policy.xml
to ~/.config/ImageMagick/policy.xml and adjusting it with the
following lines:
| [...]
| <policy domain="coder" rights="read|write" pattern="PS" />
| <policy domain="coder" rights="read|write" pattern="EPS" />
| <policy domain="coder" rights="read|write" pattern="PDF" />
| <policy domain="coder" rights="read|write" pattern="XPS" />
| [...]
Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: leot
Date: Thu Aug 23 14:52:23 UTC 2018
Modified Files:
pkgsrc/graphics/ImageMagick: Makefile distinfo
pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml
Log Message:
ImageMagick: Also block PS2 and PS3 coders in policy.xml
At least when reading PS2 and PS3 files via
`convert PS2:<input> <output>' and `convert PS3:<input> <output>'
gslib/ghostscript will be invoked and hence subject to VU#332928.
Pointed out by Bob Friesenhahn via oss-security@ ML (and follow up from
VU#332928 update).
-rw-r--r-- | graphics/ImageMagick/Makefile | 3 | ||||
-rw-r--r-- | graphics/ImageMagick/Makefile.common | 4 | ||||
-rw-r--r-- | graphics/ImageMagick/distinfo | 11 | ||||
-rw-r--r-- | graphics/ImageMagick/patches/patch-config_policy.xml | 24 |
4 files changed, 34 insertions, 8 deletions
diff --git a/graphics/ImageMagick/Makefile b/graphics/ImageMagick/Makefile index 04f45f3c87c..e31c937f10b 100644 --- a/graphics/ImageMagick/Makefile +++ b/graphics/ImageMagick/Makefile @@ -1,5 +1,6 @@ -# $NetBSD: Makefile,v 1.244 2018/05/27 06:49:00 wiz Exp $ +# $NetBSD: Makefile,v 1.244.2.1 2018/08/25 19:29:35 bsiegert Exp $ +PKGREVISION= 3 .include "Makefile.common" PKGNAME= ImageMagick-${DISTVERSION} diff --git a/graphics/ImageMagick/Makefile.common b/graphics/ImageMagick/Makefile.common index 5e9a275ec9f..146176a5d08 100644 --- a/graphics/ImageMagick/Makefile.common +++ b/graphics/ImageMagick/Makefile.common @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.common,v 1.174 2018/06/19 22:57:05 ryoon Exp $ +# $NetBSD: Makefile.common,v 1.174.2.1 2018/08/25 19:29:35 bsiegert Exp $ # # When updating this package, please upload the distfile # since they disappear immediately when new releases happen, @@ -7,7 +7,7 @@ # used by graphics/p5-PerlMagick/Makefile IM_MAJOR_VER= 7.0.8 -IM_MINOR_VER= 2 +IM_MINOR_VER= 10 IM_MAJOR_LIB_VER= 7 .if (${IM_MINOR_VER} != NONE) diff --git a/graphics/ImageMagick/distinfo b/graphics/ImageMagick/distinfo index 9d51d830f8e..16a185eb8c6 100644 --- a/graphics/ImageMagick/distinfo +++ b/graphics/ImageMagick/distinfo 
@@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.189 2018/06/19 22:57:05 ryoon Exp $ +$NetBSD: distinfo,v 1.189.2.1 2018/08/25 19:29:35 bsiegert Exp $ -SHA1 (ImageMagick-7.0.8-2.tar.xz) = 45b18033646f688a01bd14136a3666c95a74bc7e -RMD160 (ImageMagick-7.0.8-2.tar.xz) = 08395e4250451102f7c4142a8a7c369c58137ac6 -SHA512 (ImageMagick-7.0.8-2.tar.xz) = 1a0694dddbe12117341fc82e8f8c023e438f38c9cfb65bdfc4d7f9d31299df77796b4b87df641abc9a8a6670d45785d487d141e2bfbd625cd37aeab6b3a85615 -Size (ImageMagick-7.0.8-2.tar.xz) = 8617868 bytes +SHA1 (ImageMagick-7.0.8-10.tar.xz) = c69fb5b1ec2d04711a98df8762926a37e3f13bc5 +RMD160 (ImageMagick-7.0.8-10.tar.xz) = 9e5339d7e4f2dbc42090cd8394bca5b97dc485ba +SHA512 (ImageMagick-7.0.8-10.tar.xz) = a4869e0a9be5e04c04fcd1fce5c4141d63968ee7f1dd78d84724921f2f088bdcea8c3b3799e1ff555a2a04dec32a1fb7c4a1e6053a6185e9a36c6ae0f1b9c6ed +Size (ImageMagick-7.0.8-10.tar.xz) = 8635496 bytes +SHA1 (patch-config_policy.xml) = 2c446a00fc00f85ab33eae0691d4d8989a46289f diff --git a/graphics/ImageMagick/patches/patch-config_policy.xml b/graphics/ImageMagick/patches/patch-config_policy.xml new file mode 100644 index 00000000000..e6eb3e043e2 --- /dev/null +++ b/graphics/ImageMagick/patches/patch-config_policy.xml 
@@ -0,0 +1,24 @@ +$NetBSD: patch-config_policy.xml,v 1.2.2.2 2018/08/25 19:29:35 bsiegert Exp $ + +Disable ghostscript coders by default to workaround VU#332928: +<https://www.kb.cert.org/vuls/id/332928> + +--- config/policy.xml.orig 2018-08-13 11:05:28.000000000 +0000 ++++ config/policy.xml +@@ -74,4 +74,16 @@ + <!-- <policy domain="cache" name="memory-map" value="anonymous"/> --> + <!-- <policy domain="cache" name="synchronize" value="True"/> --> + <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> ++ ++ <!-- ++ -- Disable ghostscript coders as suggested by VU#332928 ++ -- <https://www.kb.cert.org/vuls/id/332928> ++ --> ++ <policy domain="coder" rights="none" pattern="PS" /> ++ <policy domain="coder" rights="none" pattern="PS2" /> ++ <policy domain="coder" rights="none" pattern="PS3" /> ++ <policy domain="coder" rights="none" pattern="EPS" /> ++ <policy domain="coder" rights="none" pattern="PDF" /> ++ <policy domain="coder" rights="none" pattern="XPS" /> ++ + </policymap> |
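Review bot: In the distinfo hunk, the added `patch-config_policy.xml` entry is recorded with a SHA1 digest only, while the ImageMagick-7.0.8-10.tar.xz distfile above it carries SHA1, RMD160 and SHA512. Since this patch is the piece that switches the ghostscript coders off, it would be good to record a stronger digest for it as well, if the distinfo tooling allows one for patch entries.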
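Review bot: In the config/policy.xml hunk, the six `rights="none"` entries form a hand-enumerated denylist, and the log messages above show it already needed one follow-up to add PS2 and PS3. The comment block should state the criterion (coders that invoke gslib/ghostscript) so that any further coder name reaching ghostscript gets checked against it, and it is worth confirming that none is missing from this list. The same comment could also carry the per-user re-enable path given in the log message, `~/.config/ImageMagick/policy.xml`, since users will read policy.xml rather than the commit log.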