From 27ecdde9e5312fe11c38c3ed037b6bfa6f53860be3ea9da763cba3a7a8c30095 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Thu, 5 May 2016 14:05:14 +0000 Subject: [PATCH] Accepting request 393905 from home:vitezslav_cizek:branches:graphics - Disable insecure coders [bnc#978061] * ImageMagick-6.8.8-1-disable-insecure-coders.patch * CVE-2016-3714 * CVE-2016-3715 * CVE-2016-3716 * CVE-2016-3717 * CVE-2016-3718 OBS-URL: https://build.opensuse.org/request/show/393905 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=251
---
 ...gick-6.8.8-1-disable-insecure-coders.patch | 20 +++++++++++++++++++ ImageMagick.changes | 11 ++++++++++ ImageMagick.spec | 2 ++ 3 files changed, 33 insertions(+) create mode 100644 ImageMagick-6.8.8-1-disable-insecure-coders.patch
diff --git a/ImageMagick-6.8.8-1-disable-insecure-coders.patch b/ImageMagick-6.8.8-1-disable-insecure-coders.patch
new file mode 100644
index 0000000..9cdbf88
--- /dev/null
+++ b/ImageMagick-6.8.8-1-disable-insecure-coders.patch
@@ -0,0 +1,20 @@
+Index: ImageMagick-6.8.8-1/config/policy.xml
+
+Disable insecure loaders by default bsc#978061
+sflees@suse.de
+
+===================================================================
+--- ImageMagick-6.8.8-1.orig/config/policy.xml
++++ ImageMagick-6.8.8-1/config/policy.xml
+@@ -56,4 +56,11 @@
+
+
+
++
++
++
++
++
++
++
+
diff --git a/ImageMagick.changes b/ImageMagick.changes
index 635671a..1f93c8b 100644
--- a/ImageMagick.changes
+++ b/ImageMagick.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu May 5 13:31:42 UTC 2016 - vcizek@suse.com
+
+- Disable insecure coders [bnc#978061]
+ * ImageMagick-6.8.8-1-disable-insecure-coders.patch
+ * CVE-2016-3714
+ * CVE-2016-3715
+ * CVE-2016-3716
+ * CVE-2016-3717
+ * CVE-2016-3718
+
 -------------------------------------------------------------------
 Thu May 5 09:02:32 UTC 2016 - pgajdos@suse.com
 
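Review bot: The description at the top of the new patch file ("Disable insecure loaders by default bsc#978061") names neither the coders being denied nor the CVEs the denial answers, so a later maintainer cannot tell from the patch alone whether the list is still complete. I would extend that header to something like `Disable insecure coders by default (bsc#978061, CVE-2016-3714 to CVE-2016-3718); policy-level mitigation, revisit once the coders are fixed in code`. The seven lines added to config/policy.xml are not legible in this view, so the denied coder set should be checked against the advisory for those CVEs before this is accepted. It is also worth stating in the header that a policy.xml denial only takes effect for processes that load this policy file.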
diff --git a/ImageMagick.spec b/ImageMagick.spec
index dd28761..14d3234 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -92,6 +92,7 @@ Patch4: ImageMagick-6.8.5.7-no-XPMCompliance.patch
 # bugs
 # will ask upstream if needed, or if other solution exists
 Patch11: ImageMagick-6.8.4.0-dont-build-in-install.patch
+Patch20: ImageMagick-6.8.8-1-disable-insecure-coders.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %package -n perl-PerlMagick
@@ -251,6 +252,7 @@ HTML documentation for ImageMagick library and scene examples.
 %patch3 -p1
 %patch4 -p1
 %patch11 -p1
+%patch20 -p1
 # remove executeable bits from per demos
 chmod -x PerlMagick/demo/*.pl
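Review bot: `%patch20 -p1` delivers the whole mitigation by editing config/policy.xml, and nothing in these hunks confirms that the patched policy is what ends up in force on an updated system. If policy.xml is packaged as `%config(noreplace)` (the %files section is outside the hunk), a host where an administrator has already edited that file would keep its old copy on update and remain exposed to the coders this change denies. That should be checked and, if it applies, called out in the update notes. A build-time check that the installed policy.xml still contains the new deny entries would also guard against a later rebase dropping them. The Patch20 line would benefit from a comment such as `# bsc#978061 CVE-2016-3714..3718: deny insecure coders in policy.xml`, matching the `# bugs` comment above Patch11.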