ImageMagick: Disable ghostscript coders by default in policy.xml Disable ghostscript coders in policy.xml as a workaround for VU#332928 (<https://www.kb.cert.org/vuls/id/332928>). Please note that apart commenting/removing lines added in policy.xml, the ghostscript coders can be enabled per-user by copying policy.xml to ~/.config/ImageMagick/policy.xml and adjusting it with the following lines: | [...] | <policy domain="coder" rights="read|write" pattern="PS" /> | <policy domain="coder" rights="read|write" pattern="EPS" /> | <policy domain="coder" rights="read|write" pattern="PDF" /> | <policy domain="coder" rights="read|write" pattern="XPS" /> | [...] Bump PKGREVISIONdiff -r1.245 -r1.246 pkgsrc/graphics/ImageMagick/Makefile
(leot)
| @@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.245 2018/08/22 09:45:10 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.246 2018/08/22 13:39:24 leot Exp $ | |
| 2 | 2 | |||
| 3 | PKGREVISION= 1 | 3 | PKGREVISION= 2 | |
| 4 | .include "Makefile.common" | 4 | .include "Makefile.common" | |
| 5 | 5 | |||
| 6 | PKGNAME= ImageMagick-${DISTVERSION} | 6 | PKGNAME= ImageMagick-${DISTVERSION} | |
| 7 | 7 | |||
| 8 | MAINTAINER= adam@NetBSD.org | 8 | MAINTAINER= adam@NetBSD.org | |
| 9 | COMMENT= Package for display and interactive manipulation of images | 9 | COMMENT= Package for display and interactive manipulation of images | |
| 10 | 10 | |||
| 11 | CONFLICTS= geomview<1.8.1nb2 # used to have a program named 'animate' | 11 | CONFLICTS= geomview<1.8.1nb2 # used to have a program named 'animate' | |
| 12 | 12 | |||
| 13 | USE_LANGUAGES= c c++ c99 | 13 | USE_LANGUAGES= c c++ c99 | |
| 14 | USE_TOOLS+= gmake pkg-config:run | 14 | USE_TOOLS+= gmake pkg-config:run | |
| 15 | CONFIGURE_ARGS+= --disable-assert | 15 | CONFIGURE_ARGS+= --disable-assert | |
| 16 | CONFIGURE_ARGS+= --with-fontconfig | 16 | CONFIGURE_ARGS+= --with-fontconfig |
| @@ -1,6 +1,7 @@ | @@ -1,6 +1,7 @@ | |||
| 1 | $NetBSD: distinfo,v 1.190 2018/08/16 08:23:16 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.191 2018/08/22 13:39:24 leot Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (ImageMagick-7.0.8-10.tar.xz) = c69fb5b1ec2d04711a98df8762926a37e3f13bc5 | 3 | SHA1 (ImageMagick-7.0.8-10.tar.xz) = c69fb5b1ec2d04711a98df8762926a37e3f13bc5 | |
| 4 | RMD160 (ImageMagick-7.0.8-10.tar.xz) = 9e5339d7e4f2dbc42090cd8394bca5b97dc485ba | 4 | RMD160 (ImageMagick-7.0.8-10.tar.xz) = 9e5339d7e4f2dbc42090cd8394bca5b97dc485ba | |
| 5 | SHA512 (ImageMagick-7.0.8-10.tar.xz) = a4869e0a9be5e04c04fcd1fce5c4141d63968ee7f1dd78d84724921f2f088bdcea8c3b3799e1ff555a2a04dec32a1fb7c4a1e6053a6185e9a36c6ae0f1b9c6ed | 5 | SHA512 (ImageMagick-7.0.8-10.tar.xz) = a4869e0a9be5e04c04fcd1fce5c4141d63968ee7f1dd78d84724921f2f088bdcea8c3b3799e1ff555a2a04dec32a1fb7c4a1e6053a6185e9a36c6ae0f1b9c6ed | |
| 6 | Size (ImageMagick-7.0.8-10.tar.xz) = 8635496 bytes | 6 | Size (ImageMagick-7.0.8-10.tar.xz) = 8635496 bytes | |
| 7 | SHA1 (patch-config_policy.xml) = 2b7e37cc8fedb0d06502ba1d7e65a5aea9d6ec96 |
$NetBSD: patch-config_policy.xml,v 1.1 2018/08/22 13:39:24 leot Exp $
Disable ghostscript coders by default to workaround VU#332928:
<https://www.kb.cert.org/vuls/id/332928>
--- config/policy.xml.orig 2018-08-13 11:05:28.000000000 +0000
+++ config/policy.xml
@@ -74,4 +74,14 @@
<!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
<!-- <policy domain="cache" name="synchronize" value="True"/> -->
<!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+
+ <!--
+ -- Disable ghostscript coders as suggested by VU#332928
+ -- <https://www.kb.cert.org/vuls/id/332928>
+ -->
+ <policy domain="coder" rights="none" pattern="PS" />
+ <policy domain="coder" rights="none" pattern="EPS" />
+ <policy domain="coder" rights="none" pattern="PDF" />
+ <policy domain="coder" rights="none" pattern="XPS" />
+
</policymap>