author | nia <nia@pkgsrc.org> | 2021-04-23 07:23:29 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2021-04-23 07:23:29 +0000 |
commit | 2527c094e709060fee1b07f2c1089024b22cc335 (patch) | |
tree | 93268f8a7bb02e6694b471e9fabf4152f8dfb0b4 /graphics | |
parent | 3c4df326ec8224c6f708f253bc5b06efd2e9ac88 (diff) | |
download | pkgsrc-2527c094e709060fee1b07f2c1089024b22cc335.tar.gz |
ImageMagick: overhaul default policy following discussion
allow writing PDF/PostScript, disallow other coders following
"imagetragick" recommendations
bump PKGREVISION
Diffstat (limited to 'graphics')
-rw-r--r-- | graphics/ImageMagick/Makefile | 4 | ||||
-rw-r--r-- | graphics/ImageMagick/distinfo | 4 | ||||
-rw-r--r-- | graphics/ImageMagick/patches/patch-config_policy.xml | 37 |
3 files changed, 29 insertions, 16 deletions
diff --git a/graphics/ImageMagick/Makefile b/graphics/ImageMagick/Makefile
index 1205ceed909..c5b87a7e200 100644
--- a/graphics/ImageMagick/Makefile
+++ b/graphics/ImageMagick/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.287 2021/04/21 13:24:11 adam Exp $
+# $NetBSD: Makefile,v 1.288 2021/04/23 07:23:29 nia Exp $
-PKGREVISION= 2
+PKGREVISION= 3
 .include "Makefile.common"
 PKGNAME= ImageMagick-${DISTVERSION}
diff --git a/graphics/ImageMagick/distinfo b/graphics/ImageMagick/distinfo
index e12aa1bc1e6..9ec9bb13b06 100644
--- a/graphics/ImageMagick/distinfo
+++ b/graphics/ImageMagick/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.248 2021/04/20 16:28:16 wiz Exp $
+$NetBSD: distinfo,v 1.249 2021/04/23 07:23:29 nia Exp $
 SHA1 (ImageMagick-7.0.11-8.tar.xz) = 04e57678910593fbdc7e57d5f5c6740de731425a
 RMD160 (ImageMagick-7.0.11-8.tar.xz) = 45176a36c35efa4af252d6633df0f89d2cfc9a41
 SHA512 (ImageMagick-7.0.11-8.tar.xz) = e4aa87b30bb75fba815cd4f617a7c0dba29523c03ad6670c7514842587678553d0b45100ccd6e041d59628cf30fe047243d440af78b39d0f82cd405ff0ea0f96
 Size (ImageMagick-7.0.11-8.tar.xz) = 10280632 bytes
-SHA1 (patch-config_policy.xml) = 55b8f30200a1e790543f38bf850026100ed5fdca
+SHA1 (patch-config_policy.xml) = 492aa9fa410dbbbded377fbcf06675f32224e5d8
diff --git a/graphics/ImageMagick/patches/patch-config_policy.xml b/graphics/ImageMagick/patches/patch-config_policy.xml
index 1421bcd76d3..eb28bca5db3 100644
--- a/graphics/ImageMagick/patches/patch-config_policy.xml
+++ b/graphics/ImageMagick/patches/patch-config_policy.xml
@@ -1,25 +1,38 @@ -$NetBSD: patch-config_policy.xml,v 1.8 2021/01/04 10:20:15 wiz Exp $ +$NetBSD: patch-config_policy.xml,v 1.9 2021/04/23 07:23:29 nia Exp $ -Disable ghostscript coders by default to workaround VU#332928: -<https://www.kb.cert.org/vuls/id/332928> +Update default policies for better resistance to untrusted input. ---- config/policy.xml.orig 2021-01-02 12:53:07.000000000 +0000 +Discussion: +http://mail-index.netbsd.org/tech-pkg/2021/04/03/msg024740.html + +--- config/policy.xml.orig 2021-04-17 15:26:24.000000000 +0000 +++ config/policy.xml -@@ -76,6 +76,18 @@ +@@ -76,6 +76,29 @@ <!-- <policy domain="cache" name="synchronize" value="True"/> --> <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> --> + + <!-- -+ -- Disable ghostscript coders as suggested by VU#332928 ++ -- Disable ghostscript decoders as suggested by VU#332928 + -- <https://www.kb.cert.org/vuls/id/332928> + --> -+ <policy domain="coder" rights="none" pattern="PS" /> -+ <policy domain="coder" rights="none" pattern="PS2" /> -+ <policy domain="coder" rights="none" pattern="PS3" /> -+ <policy domain="coder" rights="none" pattern="EPS" /> -+ <policy domain="coder" rights="none" pattern="PDF" /> -+ <policy domain="coder" rights="none" pattern="XPS" /> ++ <policy domain="coder" rights="write" pattern="PS" /> ++ <policy domain="coder" rights="write" pattern="PS2" /> ++ <policy domain="coder" rights="write" pattern="PS3" /> ++ <policy domain="coder" rights="write" pattern="EPS" /> ++ <policy domain="coder" rights="write" pattern="PDF" /> ++ <policy domain="coder" rights="write" pattern="XPS" /> ++ ++ <!-- Recommended policies from <https://imagetragick.com/> --> ++ <policy domain="coder" rights="none" pattern="EPHEMERAL" /> ++ <policy domain="coder" rights="none" pattern="URL" /> ++ <policy domain="coder" rights="none" pattern="HTTPS" /> ++ <policy domain="coder" rights="none" 
pattern="MVG" /> ++ <policy domain="coder" rights="none" pattern="MSL" /> ++ <policy domain="coder" rights="none" pattern="TEXT" /> ++ <policy domain="coder" rights="none" pattern="SHOW" /> ++ <policy domain="coder" rights="none" pattern="WIN" /> ++ <policy domain="coder" rights="none" pattern="PLT" /> + <!-- <policy domain="system" name="shred" value="2"/> --> <!-- <policy domain="system" name="precision" value="6"/> --> |
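Review bot: The network-coder entries under the "Recommended policies" comment deny `URL` and `HTTPS` but there is no entry for `HTTP` or `FTP`. Coder-domain patterns are, as far as I know, matched against the format name rather than the module name, so unless `URL` covers those formats in 7.0.11-8, remote reads over plain HTTP and FTP would stay enabled when processing untrusted input. I would add `<policy domain="coder" rights="none" pattern="HTTP" />` and `<policy domain="coder" rights="none" pattern="FTP" />` next to the `HTTPS` line and confirm the effective result with `identify -list policy`. The retained "Disable ghostscript decoders" comment would also benefit from one more line such as `-- rights="write" keeps the encoders usable; reading these formats stays denied`, since the intent of `write` is easy to misread as a grant of full access.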