From 4537b9de3063775e61454d9703df569a0e07011bdc36a1cd499fa7b9b468db6d Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 16 Jan 2024 15:07:59 +0000
Subject: [PATCH] - only one configuration again, based on upstream 'secure' policy - other upstream policies packaged in documentation
OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=701
---
 ImageMagick.changes | 6 ++
 ImageMagick.spec | 184 ++++++-------------------------------------
 2 files changed, 31 insertions(+), 159 deletions(-)

diff --git a/ImageMagick.changes b/ImageMagick.changes
index 24a9512..43e897f 100644
--- a/ImageMagick.changes
+++ b/ImageMagick.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jan 16 14:54:49 UTC 2024 - pgajdos@suse.com
+
+- only one configuration again, based on upstream 'secure' policy
+- other upstream policies packaged in documentation
+
 -------------------------------------------------------------------
 Mon Jan 15 14:30:40 UTC 2024 - pgajdos@suse.com
 
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 888b2c6..875d471 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -27,8 +27,6 @@
 %define cwandver 10
 %define cxxlibver 5
 %define libspec -%{maj}_Q%{quantum_depth}HDRI
-%define config_dir ImageMagick-7
-%define config_spec config-7
 %define test_verbose 1
 # bsc#1088463
 %define urw_base35_fonts 0
@@ -98,6 +96,13 @@ BuildRequires: urw-base35-fonts
 BuildRequires: ghostscript-fonts-other
 BuildRequires: ghostscript-fonts-std
 %endif
+Obsoletes: ImageMagick-config-7-SUSE < %{version}
+Provides: ImageMagick-config-7-SUSE = %{version}
+Obsoletes: ImageMagick-config-7-upstream
+Obsoletes: ImageMagick-config-7-upstream-open
+Obsoletes: ImageMagick-config-7-upstream-secure
+Obsoletes: ImageMagick-config-7-upstream-websafe
+Obsoletes: imagemagick-config-7-upstream-limited
 
 %package -n perl-PerlMagick
 Summary: Perl interface for ImageMagick
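Review bot: `Obsoletes: imagemagick-config-7-upstream-limited` is spelled in lowercase, while the sub-package it retires was declared as `%package %{config_spec}-upstream-limited` with `%{name}` being ImageMagick, i.e. `ImageMagick-config-7-upstream-limited`; RPM package names are case-sensitive, so this Obsoletes matches nothing and a host running the limited policy keeps the old package, and its `/etc/ImageMagick-7` symlink, across the upgrade. Change it to `Obsoletes: ImageMagick-config-7-upstream-limited`. The four upstream-* entries are also unversioned, unlike the `-SUSE` one; that blocks those names for good, so if the per-policy packages may return (the changelog says "again"), pin them `< %{version}` as well.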
@@ -132,10 +137,8 @@ Recommends: transfig
 %package -n libMagickCore%{libspec}%{clibver}
 Summary: C runtime library for ImageMagick
 Group: Productivity/Graphics/Other
-Requires: imagick-%{config_spec}
-Recommends: %{config_spec}-SUSE
 Recommends: ghostscript
-Suggests: %{name}-extra = %{version}
+Suggests: ImageMagick-extra = %{version}
 
 %package -n libMagickWand%{libspec}%{cwandver}
 Summary: C runtime library for ImageMagick
@@ -144,7 +147,7 @@ Group: Productivity/Graphics/Other
 %package -n libMagick++%{libspec}%{cxxlibver}
 Summary: C++ interface runtime library for ImageMagick
 Group: Development/Libraries/C and C++
-Requires: %{name}
+Requires: ImageMagick
 
 %package -n libMagick++-devel
 Summary: Development files for ImageMagick's C++ interface
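Review bot: Removing `Requires: imagick-%{config_spec}` from libMagickCore leaves the library with no dependency on the package that now carries policy.xml (the main `ImageMagick` package, which owns `%{_sysconfdir}/ImageMagick-%{maj}/*`), and this hunk adds a `Requires: ImageMagick` only to libMagick++, not to libMagickCore or libMagickWand; the rest of the libMagickCore stanza lies outside the hunk, so I may be missing one there. If there is none, a library-only install, e.g. pulled in by perl-PerlMagick or a PHP or Python binding, loads with no policy file at all, and ImageMagick then runs without any coder, path or resource restrictions, which is at least as loose as any of the policies this commit retires. Keep a dependency here, e.g. `Requires: ImageMagick-config-7-SUSE` (the main package now provides that name), or ship the policy from a package the library itself requires.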
@@ -158,43 +161,6 @@ Summary: Document Files for ImageMagick Library
 Group: Documentation/HTML
 BuildArch: noarch
 
-%package %{config_spec}-upstream-open
-Summary: Open ImageMagick Security Policy
-Group: Development/Libraries/C and C++
-Conflicts: imagick-%{config_spec}
-Provides: imagick-%{config_spec} = %{version}
-Obsoletes: %{config_spec}-upstream < %{version}
-Provides: %{config_spec}-upstream = %{version}
-BuildArch: noarch
-
-%package %{config_spec}-upstream-limited
-Summary: Limited ImageMagick Security Policy
-Group: Development/Libraries/C and C++
-Conflicts: imagick-%{config_spec}
-Provides: imagick-%{config_spec} = %{version}
-BuildArch: noarch
-
-%package %{config_spec}-upstream-secure
-Summary: Secure ImageMagick Security Policy
-Group: Development/Libraries/C and C++
-Conflicts: imagick-%{config_spec}
-Provides: imagick-%{config_spec} = %{version}
-BuildArch: noarch
-
-%package %{config_spec}-upstream-websafe
-Summary: Web-safe ImageMagick Security Policy
-Group: Development/Libraries/C and C++
-Conflicts: imagick-%{config_spec}
-Provides: imagick-%{config_spec} = %{version}
-BuildArch: noarch
-
-%package %{config_spec}-SUSE
-Summary: SUSE Provided Configuration
-Group: Development/Libraries/C and C++
-Conflicts: imagick-%{config_spec}
-Provides: imagick-%{config_spec} = %{version}
-BuildArch: noarch
-
 %description
 ImageMagick is a robust collection of tools and libraries to read, write,
 and manipulate an image in many image formats, including popular
@@ -293,59 +259,9 @@ support multiple generations of an image in memory at one time.
 %description doc
 HTML documentation for ImageMagick library and scene examples.
 
-%description %{config_spec}-upstream-open
-This policy is designed for usage in secure settings like those
-protected by firewalls or within Docker containers. Within this framework,
-ImageMagick enjoys broad access to resources and functionalities. This policy
-provides convenient and adaptable options for image manipulation. However,
-it's important to note that it might present security vulnerabilities in
-less regulated conditions. Thus, organizations should thoroughly assess
-the appropriateness of the open policy according to their particular use
-case and security prerequisites.
-
-%description %{config_spec}-upstream-limited
-The primary objective of the limited security policy is to find a
-middle ground between convenience and security. This policy involves the
-deactivation of potentially hazardous functionalities, like specific coders
-such as SVG or HTTP. Furthermore, it establishes several constraints on
-the utilization of resources like memory, storage, and processing duration,
-all of which are adjustable. This policy proves advantageous in situations
-where there's a need to mitigate the potential threat of handling possibly
-malicious or demanding images, all while retaining essential capabilities
-for prevalent image formats.
-
-%description %{config_spec}-upstream-secure
-This stringent security policy prioritizes the implementation of
-rigorous controls and restricted resource utilization to establish a
-profoundly secure setting while employing ImageMagick. It deactivates
-conceivably hazardous functionalities, including specific coders like
-SVG or HTTP. The policy promotes the tailoring of security measures to
-harmonize with the requirements of the local environment and the guidelines
-of the organization. This protocol encompasses explicit particulars like
-limitations on memory consumption, sanctioned pathways for reading and
-writing, confines on image sequences, the utmost permissible duration of
-workflows, allocation of disk space intended for image data, and even an
-undisclosed passphrase for remote connections. By adopting this robust
-policy, entities can elevate their overall security stance and alleviate
-potential vulnerabilities.
-
-%description %{config_spec}-upstream-websafe
-This security protocol designed for web-safe usage focuses on situations
-where ImageMagick is applied in publicly accessible contexts, like websites.
-It deactivates the capability to read from or write to any image formats
-other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
-policy prohibits the execution of image filters and indirect reads, thereby
-thwarting potential security breaches. By implementing these limitations,
-the web-safe policy fortifies the safeguarding of systems accessible to
-the public, reducing the risk of exploiting ImageMagick's capabilities
-for potential attacks.
-
-%description %{config_spec}-SUSE
-ImageMagick configuration as provide by SUSE. It is upstream 'secure'
-policy plus disable few other coders for reading and/or writing.
-
 %prep
 %setup -q -n ImageMagick-%{source_version}
+%patch0 -p1
 %patch2 -p1
 %ifarch i586
 %if %{?suse_version} < 1550
@@ -405,7 +321,8 @@ export CXXFLAGS="%{optflags} -O0"
 --without-gcc-arch \
 --enable-pipes=no \
 --enable-reproducible-build=yes \
- --disable-openmp
+ --disable-openmp \
+ --with-security-policy=open # open for %check
 %if %{asan_build}
 sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
 -e 's/\(^LIBS =.*\)/\1 -lasan/' \
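Review bot: `--with-security-policy=open # open for %check` leaves `%check` unescaped inside a comment, while the surrounding spec escapes macros in comments (`# these will be included via %%doc`, `# remove %%{buildroot} from distributed file`); rpmbuild expands macros before the shell ever sees the line, so write `--with-security-policy=open # open for %%check` to match. The comment also deserves the why, since the policy configured here is not the one shipped: `# build tree gets the open policy so %%check is not blocked by it; %%install replaces policy.xml with the secure one`. One consequence is that the secure policy which ends up in the package is never loaded during the build; a cheap guard is a %check step that points MAGICK_CONFIGURE_PATH at the buildroot config directory and runs `magick -list policy`, so a malformed policy-secure.xml or a mis-applied PATCH0 fails the build instead of, as I understand ImageMagick's behaviour, being logged and skipped at runtime.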
@@ -448,23 +365,13 @@ sed -i 's:TEST_VERBOSE=0:TEST_VERBOSE=1:' Makefile
 cd ..
 
 %install
-%make_install pkgdocdir=%{_defaultdocdir}/%{name}-%{maj}/
-# configuration magic
-mv -t %{buildroot}%{_sysconfdir}/%{name}* %{buildroot}%{_datadir}/%{name}*/*.xml
-for policy in open limited secure websafe; do
- cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream-$policy}
- cp config/policy-$policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}-upstream-$policy/policy.xml
-done
-mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-SUSE}
-cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE
-patch --fuzz=0 --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0}
-ln -sf %{config_dir}-SUSE %{buildroot}%{_sysconfdir}/%{config_dir}
-# symlink header file relative to /usr/include/ImageMagick-7/
-# so that inclusions like wand/*.h and magick/*.h work
-ln -s ./MagickCore %{buildroot}%{_includedir}/%{name}-%{maj}/magick
-ln -s ./MagickWand %{buildroot}%{_includedir}/%{name}-%{maj}/wand
+%make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-%{maj}/
+# suse modified secure policy as a default
+cp config/policy-secure.xml %{buildroot}/etc/ImageMagick-%{maj}/policy.xml
+ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-%{maj}/magick
+ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-%{maj}/wand
 # these will be included via %%doc
-rm -r %{buildroot}%{_datadir}/doc/%{name}-%{maj}/
+rm -r %{buildroot}%{_datadir}/doc/ImageMagick-%{maj}/
 rm %{buildroot}%{_libdir}/*.la
 # remove RPATH from perl module
 perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so')
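Review bot: `cp config/policy-secure.xml %{buildroot}/etc/ImageMagick-%{maj}/policy.xml` hard-codes `/etc` while `%files` and the rest of the spec use `%{_sysconfdir}`; use `%{buildroot}%{_sysconfdir}/ImageMagick-%{maj}/policy.xml` so the install path and the file list cannot drift apart. The comment says "suse modified secure policy", but the modification now rests on `%patch0 -p1` in %prep hitting `config/policy-secure.xml`, whereas the removed lines applied the same patch to `policy.xml` inside the config directory; unless the patch's file paths were rewritten for the new location this installs the unmodified upstream file, so that is worth verifying. The removed `mv -t` also swept every `*.xml` out of `%{_datadir}/ImageMagick-%{maj}` into `/etc`; that directory is now packaged as-is and is on ImageMagick's configure search path, so confirm `make install` does not leave a policy.xml (it would be the open one) there next to the secure copy. Finally, upstream's secure policy carries, as far as I recall, a placeholder `shared-secret` value for the distributed pixel cache, and the removed description even advertises an "undisclosed passphrase"; if PATCH0 does not replace it, every installation of this package shares the same secret.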
@@ -474,8 +381,8 @@ chmod 555 $perl_module # remove %%{buildroot} from distributed file sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/config%{libspec}%{clibver}/configure.xml #remove duplicates -%fdupes -s %{buildroot}%{_defaultdocdir}/%{name}-%{maj} -%fdupes -s %{buildroot}%{_includedir}/%{name}-%{maj} +%fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-%{maj} +%fdupes -s %{buildroot}%{_includedir}/ImageMagick-%{maj} %fdupes -s %{buildroot}%{_libdir}/pkgconfig %perl_process_packlist @@ -486,32 +393,16 @@ sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/con %post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig %postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig -%post %{config_spec}-SUSE -rm -f %{_sysconfdir}/%{config_dir} -ln -sf %{config_dir}-SUSE %{_sysconfdir}/%{config_dir} - -%post %{config_spec}-upstream-limited -rm -f %{_sysconfdir}/%{config_dir} -ln -sf %{config_dir}-upstream-limited %{_sysconfdir}/%{config_dir} - -%post %{config_spec}-upstream-open -rm -f %{_sysconfdir}/%{config_dir} -ln -sf %{config_dir}-upstream-open %{_sysconfdir}/%{config_dir} - -%post %{config_spec}-upstream-secure -rm -f %{_sysconfdir}/%{config_dir} -ln -sf %{config_dir}-upstream-secure %{_sysconfdir}/%{config_dir} - -%post %{config_spec}-upstream-websafe -rm -f %{_sysconfdir}/%{config_dir} -ln -sf %{config_dir}-upstream-websafe %{_sysconfdir}/%{config_dir} - %files %license LICENSE %doc NEWS.txt +%doc config/policy-{open,limited,secure,websafe}.xml %{_bindir}/[^MW]* %{_mandir}/man1/* %exclude %{_mandir}/man1/*-config.1%{ext_man} +%dir %{_sysconfdir}/ImageMagick-%{maj} +%config(noreplace) %{_sysconfdir}/ImageMagick-%{maj}/* +%{_datadir}/ImageMagick-%{maj} %files -n libMagickCore%{libspec}%{clibver} %license LICENSE 
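Review bot: `%config(noreplace) %{_sysconfdir}/ImageMagick-%{maj}/*` changes policy.xml from plain `%config`, which the removed `-SUSE` sub-package used, to noreplace, and neither the changelog nor a comment mentions it: a locally edited policy.xml is now kept on upgrade and any hardened policy SUSE ships later lands only as `policy.xml.rpmnew`, so a future policy-based mitigation will not reach hosts where an admin has touched the file. If that is intended, say so in the changelog; otherwise list `%config %{_sysconfdir}/ImageMagick-%{maj}/policy.xml` separately and keep noreplace for the rest. The upgrade from the old layout also needs a test transaction: `/etc/ImageMagick-7` was a `%ghost` symlink into a per-policy directory and becomes a `%dir` here, and since the obsoleted package is still on disk when the new one unpacks, I would not assume rpm swaps the link for a directory cleanly; a `%pretrans` that removes a leftover symlink is the usual safeguard.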
@@ -583,31 +474,6 @@ ln -sf %{config_dir}-upstream-websafe %{_sysconfdir}/%{config_dir}
 %{_mandir}/man1/Magick++-config.1%{?ext_man}
 
 %files doc
-%{_defaultdocdir}/%{name}-%{maj}
-
-%files %{config_spec}-upstream-open
-%dir %{_sysconfdir}/%{config_dir}-upstream-open/
-%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-open/*
-%ghost %{_sysconfdir}/%{config_dir}
-
-%files %{config_spec}-upstream-limited
-%dir %{_sysconfdir}/%{config_dir}-upstream-limited/
-%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-limited/*
-%ghost %{_sysconfdir}/%{config_dir}
-
-%files %{config_spec}-upstream-secure
-%dir %{_sysconfdir}/%{config_dir}-upstream-secure/
-%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-secure/*
-%ghost %{_sysconfdir}/%{config_dir}
-
-%files %{config_spec}-SUSE
-%dir %{_sysconfdir}/%{config_dir}-SUSE/
-%config %{_sysconfdir}/%{config_dir}-SUSE/*
-%ghost %{_sysconfdir}/%{config_dir}
-
-%files %{config_spec}-upstream-websafe
-%dir %{_sysconfdir}/%{config_dir}-upstream-websafe/
-%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-websafe/*
-%ghost %{_sysconfdir}/%{config_dir}
+%{_defaultdocdir}/ImageMagick-%{maj}
 
 %changelog