ImageMagick/ImageMagick-configuration-SUSE.patch

Index: ImageMagick-7.1.1-30/config/policy-secure.xml
===================================================================
--- ImageMagick-7.1.1-30.orig/config/policy-secure.xml
+++ ImageMagick-7.1.1-30/config/policy-secure.xml
@@ -62,7 +62,7 @@
   <policy domain="resource" name="disk" value="1GiB"/>
   <!-- Set the maximum length of an image sequence.  When this limit is
        exceeded, an exception is thrown. -->
-  <policy domain="resource" name="list-length" value="32"/>
+  <policy domain="resource" name="list-length" value="128"/>
   <!-- Set the maximum width of an image.  When this limit is exceeded, an
        exception is thrown. -->
   <policy domain="resource" name="width" value="8KP"/>
@@ -83,17 +83,19 @@
   <!-- Replace passphrase for secure distributed processing -->
   <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
   <!-- Do not permit any delegates to execute. -->
-  <policy domain="delegate" rights="none" pattern="*"/>
+  <!--policy domain="delegate" rights="none" pattern="*"/-->
   <!-- Do not permit any image filters to load. -->
   <policy domain="filter" rights="none" pattern="*"/>
   <!-- Don't read/write from/to stdin/stdout. -->
-  <policy domain="path" rights="none" pattern="-"/>
+  <!--policy domain="path" rights="none" pattern="-"/-->
   <!-- don't read sensitive paths. -->
   <policy domain="path" rights="none" pattern="/etc/*"/>
   <!-- Indirect reads are not permitted. -->
   <policy domain="path" rights="none" pattern="@*"/>
+  <!-- These image types can expose risks on read and write -->
+  <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
   <!-- These image types are security risks on read, but write is fine -->
-  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
   <!-- This policy sets the number of times to replace content of certain
        memory buffers and temporary files before they are freed or deleted. -->
   <policy domain="system" name="shred" value="1"/>
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=722 2024-04-15 10:20:07 +00:00			`Index: ImageMagick-7.1.1-30/config/policy-secure.xml`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=714 2024-03-21 08:40:43 +00:00			`===================================================================`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=722 2024-04-15 10:20:07 +00:00			`--- ImageMagick-7.1.1-30.orig/config/policy-secure.xml`
			`+++ ImageMagick-7.1.1-30/config/policy-secure.xml`
			`@@ -62,7 +62,7 @@`
			`<policy domain="resource" name="disk" value="1GiB"/>`
			`<!-- Set the maximum length of an image sequence. When this limit is`
			`exceeded, an exception is thrown. -->`
			`- <policy domain="resource" name="list-length" value="32"/>`
			`+ <policy domain="resource" name="list-length" value="128"/>`
			`<!-- Set the maximum width of an image. When this limit is exceeded, an`
			`exception is thrown. -->`
			`<policy domain="resource" name="width" value="8KP"/>`
Accepting request 1160619 from home:pgajdos - allow stdin/stdout - modified patches % ImageMagick-configuration-SUSE.patch OBS-URL: https://build.opensuse.org/request/show/1160619 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=716 2024-03-22 10:34:12 +00:00			`@@ -83,17 +83,19 @@`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=714 2024-03-21 08:40:43 +00:00			`<!-- Replace passphrase for secure distributed processing -->`
			`<!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->`
Accepting request 1160619 from home:pgajdos - allow stdin/stdout - modified patches % ImageMagick-configuration-SUSE.patch OBS-URL: https://build.opensuse.org/request/show/1160619 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=716 2024-03-22 10:34:12 +00:00			`<!-- Do not permit any delegates to execute. -->`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=714 2024-03-21 08:40:43 +00:00			`- <policy domain="delegate" rights="none" pattern="*"/>`
Accepting request 1160619 from home:pgajdos - allow stdin/stdout - modified patches % ImageMagick-configuration-SUSE.patch OBS-URL: https://build.opensuse.org/request/show/1160619 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=716 2024-03-22 10:34:12 +00:00			`+ <!--policy domain="delegate" rights="none" pattern="*"/-->`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=714 2024-03-21 08:40:43 +00:00			`<!-- Do not permit any image filters to load. -->`
			`<policy domain="filter" rights="none" pattern="*"/>`
			`<!-- Don't read/write from/to stdin/stdout. -->`
Accepting request 1160619 from home:pgajdos - allow stdin/stdout - modified patches % ImageMagick-configuration-SUSE.patch OBS-URL: https://build.opensuse.org/request/show/1160619 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=716 2024-03-22 10:34:12 +00:00			`- <policy domain="path" rights="none" pattern="-"/>`
			`+ <!--policy domain="path" rights="none" pattern="-"/-->`
			`<!-- don't read sensitive paths. -->`
- version update to 7.1.1.17 * upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-17---2023-09-19 - modified patches % ImageMagick-library-installable-in-parallel.patch (refreshed) - follow upstream, create open, limited, secure and websafe alternative configuration packages with different policy.xml * CVE-2022-1115 [bsc#1198701] * CVE-2022-1114 [bsc#1198700] * CVE-2022-0284 [bsc#1195563] * CVE-2021-4219 [bsc#1196337] OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=666 2023-09-22 07:51:12 +00:00			`<policy domain="path" rights="none" pattern="/etc/*"/>`
			`<!-- Indirect reads are not permitted. -->`
			`<policy domain="path" rights="none" pattern="@*"/>`
			`+ <!-- These image types can expose risks on read and write -->`
			`+ <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>`
			`<!-- These image types are security risks on read, but write is fine -->`
			`- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>`
checkin OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=711 2024-03-04 11:55:41 +00:00			`+ <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>`
- version update to 7.1.1.17 * upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-17---2023-09-19 - modified patches % ImageMagick-library-installable-in-parallel.patch (refreshed) - follow upstream, create open, limited, secure and websafe alternative configuration packages with different policy.xml * CVE-2022-1115 [bsc#1198701] * CVE-2022-1114 [bsc#1198700] * CVE-2022-0284 [bsc#1195563] * CVE-2021-4219 [bsc#1196337] OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=666 2023-09-22 07:51:12 +00:00			`<!-- This policy sets the number of times to replace content of certain`
			`memory buffers and temporary files before they are freed or deleted. -->`
			`<policy domain="system" name="shred" value="1"/>`