Sync from SUSE:SLFO:Main ImageMagick revision 28d9aeaaad5f5c506c26d6d9715fa157

This commit is contained in:
2025-06-20 16:41:53 +02:00
parent 43207da262
commit 880061db1e
5 changed files with 299 additions and 343 deletions


@@ -1,7 +1,5 @@
Index: ImageMagick-7.1.1-30/config/policy-secure.xml
===================================================================
--- ImageMagick-7.1.1-30.orig/config/policy-secure.xml
+++ ImageMagick-7.1.1-30/config/policy-secure.xml
--- ImageMagick-7.1.1-30/config/policy.xml
+++ ImageMagick-7.1.1-30/config/policy.xml
@@ -62,7 +62,7 @@
<policy domain="resource" name="disk" value="1GiB"/>
<!-- Set the maximum length of an image sequence. When this limit is
@@ -11,26 +9,39 @@ Index: ImageMagick-7.1.1-30/config/policy-secure.xml
<!-- Set the maximum width of an image. When this limit is exceeded, an
exception is thrown. -->
<policy domain="resource" name="width" value="8KP"/>
@@ -83,17 +83,19 @@
@@ -83,11 +83,11 @@
<!-- Replace passphrase for secure distributed processing -->
<!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
<!-- Do not permit any delegates to execute. -->
- <policy domain="delegate" rights="none" pattern="*"/>
+ <!--policy domain="delegate" rights="none" pattern="*"/-->
+ <!--policy domain="delegate" rights="none" pattern="*"/ -->
<!-- Do not permit any image filters to load. -->
<policy domain="filter" rights="none" pattern="*"/>
<!-- Don't read/write from/to stdin/stdout. -->
- <policy domain="path" rights="none" pattern="-"/>
+ <!--policy domain="path" rights="none" pattern="-"/-->
+ <!--policy domain="path" rights="none" pattern="-"/ -->
<!-- don't read sensitive paths. -->
<policy domain="path" rights="none" pattern="/etc/*"/>
<!-- Indirect reads are not permitted. -->
<policy domain="path" rights="none" pattern="@*"/>
+ <!-- These image types can expose risks on read and write -->
+ <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
<!-- These image types are security risks on read, but write is fine -->
- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
+ <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
<!-- This policy sets the number of times to replace content of certain
memory buffers and temporary files before they are freed or deleted. -->
<policy domain="system" name="shred" value="1"/>
@@ -103,4 +103,20 @@
<!-- Set the maximum amount of memory in bytes that are permitted for
allocation requests. -->
<policy domain="system" name="max-memory-request" value="256MiB"/>
+ <!-- Disable insecure coders by default -->
+ <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+ <policy domain="coder" rights="none" pattern="URL" />
+ <policy domain="coder" rights="none" pattern="HTTPS" />
+ <policy domain="coder" rights="none" pattern="MVG" />
+ <policy domain="coder" rights="none" pattern="MSL" />
+ <policy domain="coder" rights="none" pattern="TEXT" />
+ <policy domain="coder" rights="none" pattern="SHOW" />
+ <policy domain="coder" rights="none" pattern="WIN" />
+ <policy domain="coder" rights="none" pattern="PLT" />
+ <policy domain="coder" rights="write" pattern="PS" />
+ <policy domain="coder" rights="write" pattern="PS2" />
+ <policy domain="coder" rights="write" pattern="PS3" />
+ <policy domain="coder" rights="write" pattern="PDF" />
+ <policy domain="coder" rights="write" pattern="XPS" />
+ <policy domain="coder" rights="write" pattern="PCL" />
</policymap>
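Review bot: The new coder-domain block and the new module-domain write rule do not agree: the module rule grants write on `{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}`, but the coder block has no entry for EPI, EPS or PS1, so those three are restricted in one domain and untouched in the other. MSL, MVG and URL are also listed in both the `rights="none"` and the `rights="write"` module rules; I have not verified how ImageMagick resolves two matching patterns in the same domain, so either drop them from the write rule or add a one-line comment stating which rule is meant to win. Both variants of the patch also keep the upstream `delegate` and `path pattern="-"` restrictions commented out with no explanation, which is more than the "disable a few other coders" the spec description promises; a short XML comment giving the reason (presumably the ghostscript delegate for PS/PDF) would help future readers.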


@@ -1,12 +0,0 @@
--- a/PerlMagick/t/filter.t.orig 2021-10-04 14:07:03.016458903 +0000
+++ b/PerlMagick/t/filter.t 2021-10-04 14:08:31.717025766 +0000
@@ -57,7 +57,7 @@ testFilterCompare('input.miff', "fuzz=>$
testFilterCompare('input.miff', "fuzz=>$fuzz", 'reference/filter/Colorize.miff', 'Colorize', q/fill=>"red", blend=>"50%"/, 0.00001, 0.004);
++$test;
-testFilterCompare('input.miff', q//, 'reference/filter/Contrast.miff', 'Contrast', q//, 0.00001, 0.004);
+testFilterCompare('input.miff', q//, 'reference/filter/Contrast.miff', 'Contrast', q//, 0.0002, 0.4);
++$test;
testFilterCompare('input.miff', q//, 'reference/filter/Convolve.miff', 'Convolve', q/[0.0625, 0.0625, 0.0625, 0.0625, 0.5, 0.0625, 0.0625, 0.0625, 0.0625]/, 0.1, 0.7);


@@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon May 26 09:10:06 UTC 2025 - pgajdos@suse.com
- fix config policies [bsc#1243622]
- modified patches
% ImageMagick-configuration-SUSE.patch (refreshed)
-------------------------------------------------------------------
Thu May 15 20:20:16 UTC 2025 - pgajdos@suse.com
- drop update-alternatives usage, configuration alternative packages
now conflict
- modified patches
% ImageMagick-configuration-SUSE.patch (refreshed)
- added sources
+ _multibuild
- remove ImageMagick-filter.t-disable-Contrast.patch needed for i586
testing
-------------------------------------------------------------------
Tue Apr 1 11:44:59 UTC 2025 - pgajdos@suse.com


@@ -16,23 +16,25 @@
#
%global flavor @BUILD_FLAVOR@%{nil}
%define debug_build 0
%define asan_build 0
%define maj 7
%define mfr_version %{maj}.1.1
%define mfr_version 7.1.1
%define mfr_revision 47
%define quantum_depth 16
%define source_version %{mfr_version}-%{mfr_revision}
%define clibver 10
%define cwandver 10
%define cxxlibver 5
%define libspec -%{maj}_Q%{quantum_depth}HDRI
%define config_dir ImageMagick-7
%define libspec -7_Q%{quantum_depth}HDRI
%define config_dir IM-7
%define test_verbose 1
# bsc#1088463
%define urw_base35_fonts 0
# do/don't pull djvulibre dependency
%bcond_without djvu
Name: ImageMagick
Version: %{mfr_version}.%{mfr_revision}
Release: 0
@@ -40,21 +42,15 @@ Summary: Viewer and Converter for Images
License: ImageMagick
Group: Productivity/Graphics/Other
URL: https://imagemagick.org/
Source0: https://imagemagick.org/archive/releases/ImageMagick-%{mfr_version}-%{mfr_revision}.tar.xz
Source0: https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz
Source1: baselibs.conf
Source2: https://imagemagick.org/archive/releases/ImageMagick-%{mfr_version}-%{mfr_revision}.tar.xz.asc
Source2: https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz.asc
Source3: ImageMagick.keyring
# suse specific patches
Patch0: ImageMagick-configuration-SUSE.patch
Patch2: ImageMagick-library-installable-in-parallel.patch
#%%ifarch i586
#%%if %%{?suse_version} < 1550
Patch4: ImageMagick-filter.t-disable-Contrast.patch
#%%endif
#%%endif
#%%ifarch s390x
Patch5: ImageMagick-s390x-disable-tests.patch
#%%endif
BuildRequires: chrpath
BuildRequires: dejavu-fonts
BuildRequires: fdupes
@@ -98,104 +94,6 @@ BuildRequires: ghostscript-fonts-other
BuildRequires: ghostscript-fonts-std
%endif
%package -n perl-PerlMagick
Summary: Perl interface for ImageMagick
Group: Development/Libraries/Perl
Requires: ImageMagick = %{version}
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Requires: perl = %{perl_version}
%package devel
Summary: Development files for ImageMagick's C interface
Group: Development/Libraries/C and C++
Requires: ImageMagick = %{version}
Requires: glibc-devel
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Requires: libMagickWand%{libspec}%{cwandver} = %{version}
# bnc#741947:
Requires: pkgconfig(bzip2)
%if !%{debug_build}
%package extra
Summary: Extra codecs for the ImageMagick image viewer/converter
Group: Productivity/Graphics/Other
Requires: ImageMagick = %{version}
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Recommends: autotrace
Recommends: dcraw
Recommends: hp2xx
Recommends: libwmf
Recommends: netpbm
Recommends: transfig
%endif
%package -n libMagickCore%{libspec}%{clibver}
Summary: C runtime library for ImageMagick
Group: Productivity/Graphics/Other
Requires: imagick-config-7
Recommends: ImageMagick-config-7-SUSE
Recommends: ghostscript
Suggests: ImageMagick-extra = %{version}
Recommends: ImageMagick
%package -n libMagickWand%{libspec}%{cwandver}
Summary: C runtime library for ImageMagick
Group: Productivity/Graphics/Other
Recommends: ImageMagick
%package -n libMagick++%{libspec}%{cxxlibver}
Summary: C++ interface runtime library for ImageMagick
Group: Development/Libraries/C and C++
Recommends: ImageMagick
%package -n libMagick++-devel
Summary: Development files for ImageMagick's C++ interface
Group: Development/Libraries/C and C++
Requires: libMagick++%{libspec}%{cxxlibver} = %{version}
Requires: libstdc++-devel
Requires: pkgconfig(ImageMagick) = %{mfr_version}
%package doc
Summary: Document Files for ImageMagick Library
Group: Documentation/HTML
BuildArch: noarch
%package config-7-upstream-open
Summary: Open ImageMagick Security Policy
Group: Development/Libraries/C and C++
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: imagick-config-7
Obsoletes: config-7-upstream < %{version}
Provides: config-7-upstream = %{version}
%package config-7-upstream-limited
Summary: Limited ImageMagick Security Policy
Group: Development/Libraries/C and C++
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: imagick-config-7
%package config-7-upstream-secure
Summary: Secure ImageMagick Security Policy
Group: Development/Libraries/C and C++
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: imagick-config-7
%package config-7-upstream-websafe
Summary: Web-safe ImageMagick Security Policy
Group: Development/Libraries/C and C++
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: imagick-config-7
%package config-7-SUSE
Summary: SUSE Provided Configuration
Group: Development/Libraries/C and C++
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: imagick-config-7
%description
ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular
@@ -207,6 +105,31 @@ different image formats. Image processing operations are available from
the command line as well as through C, C++, and Perl-based programming
interfaces.
# BEGIN NIL FLAVOR
%if "%{flavor}" == ""
%package -n perl-PerlMagick
Summary: Perl interface for ImageMagick
Group: Development/Libraries/Perl
Requires: ImageMagick = %{version}
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Requires: perl = %{perl_version}
%description -n perl-PerlMagick
PerlMagick is an objected-oriented Perl interface to ImageMagick. Use
the module to read, manipulate, or write an image or image sequence
from within a Perl script. This makes it suitable for Web CGI scripts.
%package devel
Summary: Development files for ImageMagick's C interface
Group: Development/Libraries/C and C++
Requires: ImageMagick = %{version}
Requires: glibc-devel
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Requires: libMagickWand%{libspec}%{cwandver} = %{version}
# bnc#741947:
Requires: pkgconfig(bzip2)
%description devel
ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular
@@ -219,21 +142,32 @@ the command line as well as through C, C++, and Perl-based programming
interfaces.
%if !%{debug_build}
%package extra
Summary: Extra codecs for the ImageMagick image viewer/converter
Group: Productivity/Graphics/Other
Requires: ImageMagick = %{version}
Requires: libMagickCore%{libspec}%{clibver} = %{version}
Recommends: autotrace
Recommends: dcraw
Recommends: hp2xx
Recommends: libwmf
Recommends: netpbm
Recommends: transfig
%description extra
This package adds support for djvu, wmf and jpeg2000 formats and
installs optional helper applications.
ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular
formats like TIFF, JPEG, PNG, PDF, PhotoCD, and GIF. With ImageMagick,
you can create images dynamically, making it suitable for Web
applications. You can also resize, rotate, sharpen, color-reduce, or
add special effects to an image and save your completed work in many
different image formats. Image processing operations are available from
the command line as well as through C, C++, and Perl-based programming
interfaces.
%endif
%package -n libMagickCore%{libspec}%{clibver}
Summary: C runtime library for ImageMagick
Group: Productivity/Graphics/Other
Requires: imagick-config-7
Recommends: ImageMagick-config-7-SUSE
Recommends: ghostscript
Suggests: ImageMagick-extra = %{version}
Recommends: ImageMagick
%description -n libMagickCore%{libspec}%{clibver}
ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular
@@ -245,6 +179,11 @@ different image formats. Image processing operations are available from
the command line as well as through C, C++, and Perl-based programming
interfaces.
%package -n libMagickWand%{libspec}%{cwandver}
Summary: C runtime library for ImageMagick
Group: Productivity/Graphics/Other
Recommends: ImageMagick
%description -n libMagickWand%{libspec}%{cwandver}
ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular
@@ -256,10 +195,10 @@ different image formats. Image processing operations are available from
the command line as well as through C, C++, and Perl-based programming
interfaces.
%description -n perl-PerlMagick
PerlMagick is an objected-oriented Perl interface to ImageMagick. Use
the module to read, manipulate, or write an image or image sequence
from within a Perl script. This makes it suitable for Web CGI scripts.
%package -n libMagick++%{libspec}%{cxxlibver}
Summary: C++ interface runtime library for ImageMagick
Group: Development/Libraries/C and C++
Recommends: ImageMagick
%description -n libMagick++%{libspec}%{cxxlibver}
This is Magick++, the object-oriented C++ API for the ImageMagick
@@ -276,6 +215,13 @@ De-referenced copies are automatically deleted. The image objects
support value (rather than pointer) semantics so it is trivial to
support multiple generations of an image in memory at one time.
%package -n libMagick++-devel
Summary: Development files for ImageMagick's C++ interface
Group: Development/Libraries/C and C++
Requires: libMagick++%{libspec}%{cxxlibver} = %{version}
Requires: libstdc++-devel
Requires: pkgconfig(ImageMagick) = %{mfr_version}
%description -n libMagick++-devel
This is Magick++, the object-oriented C++ API for the ImageMagick
image-processing library.
@@ -291,68 +237,28 @@ De-referenced copies are automatically deleted. The image objects
support value (rather than pointer) semantics so it is trivial to
support multiple generations of an image in memory at one time.
%package doc
Summary: Document Files for ImageMagick Library
Group: Documentation/HTML
BuildArch: noarch
%description doc
HTML documentation for ImageMagick library and scene examples.
%description config-7-upstream-open
This policy is designed for usage in secure settings like those
protected by firewalls or within Docker containers. Within this framework,
ImageMagick enjoys broad access to resources and functionalities. This policy
provides convenient and adaptable options for image manipulation. However,
it's important to note that it might present security vulnerabilities in
less regulated conditions. Thus, organizations should thoroughly assess
the appropriateness of the open policy according to their particular use
case and security prerequisites.
%description config-7-upstream-limited
The primary objective of the limited security policy is to find a
middle ground between convenience and security. This policy involves the
deactivation of potentially hazardous functionalities, like specific coders
such as SVG or HTTP. Furthermore, it establishes several constraints on
the utilization of resources like memory, storage, and processing duration,
all of which are adjustable. This policy proves advantageous in situations
where there's a need to mitigate the potential threat of handling possibly
malicious or demanding images, all while retaining essential capabilities
for prevalent image formats.
%description config-7-upstream-secure
This stringent security policy prioritizes the implementation of
rigorous controls and restricted resource utilization to establish a
profoundly secure setting while employing ImageMagick. It deactivates
conceivably hazardous functionalities, including specific coders like
SVG or HTTP. The policy promotes the tailoring of security measures to
harmonize with the requirements of the local environment and the guidelines
of the organization. This protocol encompasses explicit particulars like
limitations on memory consumption, sanctioned pathways for reading and
writing, confines on image sequences, the utmost permissible duration of
workflows, allocation of disk space intended for image data, and even an
undisclosed passphrase for remote connections. By adopting this robust
policy, entities can elevate their overall security stance and alleviate
potential vulnerabilities.
%description config-7-upstream-websafe
This security protocol designed for web-safe usage focuses on situations
where ImageMagick is applied in publicly accessible contexts, like websites.
It deactivates the capability to read from or write to any image formats
other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
policy prohibits the execution of image filters and indirect reads, thereby
thwarting potential security breaches. By implementing these limitations,
the web-safe policy fortifies the safeguarding of systems accessible to
the public, reducing the risk of exploiting ImageMagick's capabilities
for potential attacks.
%package config-7-SUSE
Summary: SUSE Provided Configuration
Group: Development/Libraries/C and C++
Provides: imagick-config-7
Conflicts: imagick-config-7
BuildArch: noarch
%description config-7-SUSE
ImageMagick configuration as provide by SUSE. It is upstream 'secure'
ImageMagick configuration as provided by SUSE. It is upstream 'secure'
policy plus disable few other coders for reading and/or writing.
%prep
%setup -q -n ImageMagick-%{source_version}
%patch -P 2 -p1
%ifarch i586
%if %{?suse_version} < 1550
%patch -P 4 -p1
%endif
%endif
%ifarch s390x
%patch -P 5 -p1
%endif
@@ -371,6 +277,7 @@ export SHAREARCH_DIRNAME="config%{libspec}%{clibver}"
export CFLAGS="%{optflags} -O0"
export CXXFLAGS="%{optflags} -O0"
%endif
export CONFIGURE_RELATIVE_PATH=%{config_dir}
%configure \
--disable-silent-rules \
--enable-shared \
@@ -406,8 +313,8 @@ export CXXFLAGS="%{optflags} -O0"
--without-gcc-arch \
--enable-pipes=no \
--enable-reproducible-build=yes \
--disable-openmp \
--with-security-policy=open # open for %%check
--disable-openmp
%if %{asan_build}
sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
-e 's/\(^LIBS =.*\)/\1 -lasan/' \
@@ -426,18 +333,19 @@ chmod -x PerlMagick/demo/*.pl
exit 0
%check
%ifarch i586
# do not report test issues related to 32-bit architectures upstream,
# they do not want to dedicate any time to fix them:
# https://github.com/ImageMagick/ImageMagick/issues/1215
exit 0
%endif
%if %{debug_build} || %{asan_build}
# testsuite does not succeed for some reason
# research TODO
exit 0
%endif
%ifarch i586
# do not report test issues related to 32-bit architectures upstream,
# they do not want to dedicate any time to fix them:
# https://github.com/ImageMagick/ImageMagick/issues/1215
rm PerlMagick/t/montage.t
sed -i -e 's:averageImages ::' -e 's:1..13:1..12:' Magick++/tests/tests.tap
%endif
# ensure we do not block any coder by security policy
cp config/policy-open.xml config/policy.xml
%make_build check
export MAGICK_CODER_MODULE_PATH=$PWD/coders/.libs
export MAGICK_CODER_FILTER_PATH=$PWD/filters/.libs
@@ -450,24 +358,17 @@ sed -i 's:TEST_VERBOSE=0:TEST_VERBOSE=1:' Makefile
cd ..
%install
%make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-%{maj}/
# configuration magic
mv -t %{buildroot}%{_sysconfdir}/ImageMagick* %{buildroot}%{_datadir}/ImageMagick*/*.xml
for policy in open limited secure websafe; do
cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream-$policy}
cp config/policy-$policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}-upstream-$policy
done
mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-SUSE}
cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE
patch --fuzz=0 --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0}
mkdir -p %{buildroot}%{_sysconfdir}/alternatives/
ln -sf %{_sysconfdir}/alternatives/%{config_dir} %{buildroot}%{_sysconfdir}/%{config_dir}
%make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-7/
# default policy (SUSE)
cp config/policy-secure.xml config/policy.xml
patch --fuzz=0 -p1 < %{PATCH0}
cp config/policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}
# symlink header file relative to /usr/include/ImageMagick-7/
# so that inclusions like wand/*.h and magick/*.h work
ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-%{maj}/magick
ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-%{maj}/wand
ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-7/magick
ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-7/wand
# these will be included via %%doc
rm -r %{buildroot}%{_datadir}/doc/ImageMagick-%{maj}/
rm -r %{buildroot}%{_datadir}/doc/ImageMagick-7/
rm %{buildroot}%{_libdir}/*.la
# remove RPATH from perl module
perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so')
@@ -477,8 +378,8 @@ chmod 555 $perl_module
# remove %%{buildroot} from distributed file
sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/config%{libspec}%{clibver}/configure.xml
#remove duplicates
%fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-%{maj}
%fdupes -s %{buildroot}%{_includedir}/ImageMagick-%{maj}
%fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-7
%fdupes -s %{buildroot}%{_includedir}/ImageMagick-7
%fdupes -s %{buildroot}%{_libdir}/pkgconfig
%perl_process_packlist
@@ -489,96 +390,14 @@ sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/con
%post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
%postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
%pretrans config-7-upstream-open -p <lua>
-- this %pretrans to be removed soon [bug#1122033#37]
path = "%{_sysconfdir}/%{config_dir}"
st = posix.stat(path)
if st and st.type == "directory" then
os.remove(path .. ".rpmmoved")
os.rename(path, path .. ".rpmmoved")
end
%pretrans config-7-upstream-limited -p <lua>
-- this %pretrans to be removed soon [bug#1122033#c37]
path = "%{_sysconfdir}/%{config_dir}"
st = posix.stat(path)
if st and st.type == "directory" then
os.remove(path .. ".rpmmoved")
os.rename(path, path .. ".rpmmoved")
end
%pretrans config-7-upstream-secure -p <lua>
-- this %pretrans to be removed soon [bug#1122033#c37]
path = "%{_sysconfdir}/%{config_dir}"
st = posix.stat(path)
if st and st.type == "directory" then
os.remove(path .. ".rpmmoved")
os.rename(path, path .. ".rpmmoved")
end
%pretrans config-7-SUSE -p <lua>
-- this %pretrans to be removed soon [bug#1122033#c37]
path = "%{_sysconfdir}/%{config_dir}"
st = posix.stat(path)
if st and st.type == "directory" then
os.remove(path .. ".rpmmoved")
os.rename(path, path .. ".rpmmoved")
end
%pretrans config-7-upstream-websafe -p <lua>
-- this %pretrans to be removed soon [bug#1122033#c37]
path = "%{_sysconfdir}/%{config_dir}"
st = posix.stat(path)
if st and st.type == "directory" then
os.remove(path .. ".rpmmoved")
os.rename(path, path .. ".rpmmoved")
end
%post config-7-upstream-open
%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-open 1
%postun config-7-upstream-open
if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
%{_sbindir}/update-alternatives --quiet --remove %{config_dir} %{_sysconfdir}/%{config_dir}-upstream
fi
%post config-7-upstream-limited
%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-limited 5
%postun config-7-upstream-limited
if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
%{_sbindir}/update-alternatives --quiet --remove %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-limited
fi
%post config-7-upstream-secure
%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-secure 10
%postun config-7-upstream-secure
if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
%{_sbindir}/update-alternatives --quiet --remove %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-secure
fi
%post config-7-SUSE
%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-SUSE 15
%postun config-7-SUSE
if [ ! -d %{_sysconfdir}/%{config_dir}-SUSE ] ; then
%{_sbindir}/update-alternatives --quiet --remove %{config_dir} %{_sysconfdir}/%{config_dir}-SUSE
fi
%post config-7-upstream-websafe
%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-websafe 20
%postun config-7-upstream-websafe
if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
%{_sbindir}/update-alternatives --quiet --remove %{config_dir} %{_sysconfdir}/%{config_dir}-upstream-websafe
fi
%files
%license LICENSE
%{_bindir}/[^MW]*
%{_mandir}/man1/*
%exclude %{_mandir}/man1/*-config.1%{ext_man}
%{_datadir}/ImageMagick-7
%{_sysconfdir}/%{config_dir}
%exclude %{_sysconfdir}/%{config_dir}/policy.xml
%files -n libMagickCore%{libspec}%{clibver}
%license LICENSE
@@ -650,36 +469,149 @@ fi
%{_mandir}/man1/Magick++-config.1%{?ext_man}
%files doc
%{_defaultdocdir}/ImageMagick-%{maj}
%files config-7-upstream-open
%dir %{_sysconfdir}/ImageMagick*-upstream-open/
%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-open/*
%{_sysconfdir}/%{config_dir}
%ghost %{_sysconfdir}/alternatives/%{config_dir}
%files config-7-upstream-limited
%dir %{_sysconfdir}/ImageMagick*-upstream-limited/
%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-limited/*
%{_sysconfdir}/%{config_dir}
%ghost %{_sysconfdir}/alternatives/%{config_dir}
%files config-7-upstream-secure
%dir %{_sysconfdir}/ImageMagick*-upstream-secure/
%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-secure/*
%{_sysconfdir}/%{config_dir}
%ghost %{_sysconfdir}/alternatives/%{config_dir}
%{_defaultdocdir}/ImageMagick-7
%files config-7-SUSE
%dir %{_sysconfdir}/ImageMagick*-SUSE/
%config %{_sysconfdir}/ImageMagick*-SUSE/*
%{_sysconfdir}/%{config_dir}
%ghost %{_sysconfdir}/alternatives/%{config_dir}
%{_sysconfdir}/%{config_dir}/policy.xml
%endif
# END NIL FLAVOR
%if "%{flavor}" == "config_open"
%package config-7-upstream-open
Summary: Open ImageMagick Security Policy
Group: Development/Libraries/C and C++
Provides: imagick-config-7
Obsoletes: config-7-upstream < %{version}
Provides: config-7-upstream = %{version}
Conflicts: imagick-config-7
BuildArch: noarch
%description config-7-upstream-open
This policy is designed for usage in secure settings like those
protected by firewalls or within Docker containers. Within this framework,
ImageMagick enjoys broad access to resources and functionalities. This policy
provides convenient and adaptable options for image manipulation. However,
it's important to note that it might present security vulnerabilities in
less regulated conditions. Thus, organizations should thoroughly assess
the appropriateness of the open policy according to their particular use
case and security prerequisites.
%prep
%setup -q -n ImageMagick-%{source_version}
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
cp config/policy-open.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
%files config-7-upstream-open
%dir %{_sysconfdir}/%{config_dir}
%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
%endif
%if "%{flavor}" == "config_limited"
%package config-7-upstream-limited
Summary: Limited ImageMagick Security Policy
Group: Development/Libraries/C and C++
Provides: imagick-config-7
Conflicts: imagick-config-7
BuildArch: noarch
%description config-7-upstream-limited
The primary objective of the limited security policy is to find a
middle ground between convenience and security. This policy involves the
deactivation of potentially hazardous functionalities, like specific coders
such as SVG or HTTP. Furthermore, it establishes several constraints on
the utilization of resources like memory, storage, and processing duration,
all of which are adjustable. This policy proves advantageous in situations
where there's a need to mitigate the potential threat of handling possibly
malicious or demanding images, all while retaining essential capabilities
for prevalent image formats.
%prep
%setup -q -n ImageMagick-%{source_version}
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
cp config/policy-limited.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
%files config-7-upstream-limited
%dir %{_sysconfdir}/%{config_dir}
%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
%endif
%if "%{flavor}" == "config_secure"
%package config-7-upstream-secure
Summary: Secure ImageMagick Security Policy
Group: Development/Libraries/C and C++
Provides: imagick-config-7
Conflicts: imagick-config-7
BuildArch: noarch
%description config-7-upstream-secure
This stringent security policy prioritizes the implementation of
rigorous controls and restricted resource utilization to establish a
profoundly secure setting while employing ImageMagick. It deactivates
conceivably hazardous functionalities, including specific coders like
SVG or HTTP. The policy promotes the tailoring of security measures to
harmonize with the requirements of the local environment and the guidelines
of the organization. This protocol encompasses explicit particulars like
limitations on memory consumption, sanctioned pathways for reading and
writing, confines on image sequences, the utmost permissible duration of
workflows, allocation of disk space intended for image data, and even an
undisclosed passphrase for remote connections. By adopting this robust
policy, entities can elevate their overall security stance and alleviate
potential vulnerabilities.
%prep
%setup -q -n ImageMagick-%{source_version}
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
%files config-7-upstream-secure
%dir %{_sysconfdir}/%{config_dir}
%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
%endif
%if "%{flavor}" == "config_websafe"
%package config-7-upstream-websafe
Summary: Web-safe ImageMagick Security Policy
Group: Development/Libraries/C and C++
Provides: imagick-config-7
Conflicts: imagick-config-7
BuildArch: noarch
%description config-7-upstream-websafe
This security protocol designed for web-safe usage focuses on situations
where ImageMagick is applied in publicly accessible contexts, like websites.
It deactivates the capability to read from or write to any image formats
other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
policy prohibits the execution of image filters and indirect reads, thereby
thwarting potential security breaches. By implementing these limitations,
the web-safe policy fortifies the safeguarding of systems accessible to
the public, reducing the risk of exploiting ImageMagick's capabilities
for potential attacks.
%prep
%setup -q -n ImageMagick-%{source_version}
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
cp config/policy-websafe.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
%files config-7-upstream-websafe
%dir %{_sysconfdir}/ImageMagick*-upstream-websafe/
%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-websafe/*
%{_sysconfdir}/%{config_dir}
%ghost %{_sysconfdir}/alternatives/%{config_dir}
%dir %{_sysconfdir}/%{config_dir}
%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
%endif
%changelog
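Review bot: `%{_sysconfdir}/%{config_dir}/policy.xml` in the rewritten `%files config-7-SUSE` carries no `%config` attribute, while the packaging it replaces marked the SUSE policy `%config` and every multibuild flavor lists the same path as `%config(noreplace)`. Without the attribute rpm treats the policy as a regular file, so an administrator's locally hardened policy.xml is overwritten on every update with no .rpmsave copy left behind. Suggest `%config %{_sysconfdir}/%{config_dir}/policy.xml` to restore the previous behavior (or `%config(noreplace)` if local edits should win, matching the flavors). The `%if "%{flavor}" == ""` block this section belongs to opens outside the hunk.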

6
_multibuild Normal file

@@ -0,0 +1,6 @@
<multibuild>
<package>config_open</package>
<package>config_limited</package>
<package>config_secure</package>
<package>config_websafe</package>
</multibuild>