pool/ImageMagick
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- only one configuration again, based on upstream 'secure' policy

Browse Source 
- other upstream policies packaged in documentation

OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=701
This commit is contained in:
Petr Gajdos 2024-01-16 15:07:59 +00:00 committed by Git OBS Bridge
parent 9367404cf0
commit 4537b9de30
2 changed files with 31 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ImageMagick.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Jan 16 14:54:49 UTC 2024 - pgajdos@suse.com
- only one configuration again, based on upstream 'secure' policy
- other upstream policies packaged in documentation
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jan 15 14:30:40 UTC 2024 - pgajdos@suse.com Mon Jan 15 14:30:40 UTC 2024 - pgajdos@suse.com

184
ImageMagick.spec
View File

@ -27,8 +27,6 @@
%define cwandver 10 %define cwandver 10
%define cxxlibver 5 %define cxxlibver 5
%define libspec -%{maj}_Q%{quantum_depth}HDRI %define libspec -%{maj}_Q%{quantum_depth}HDRI
%define config_dir ImageMagick-7
%define config_spec config-7
%define test_verbose 1 %define test_verbose 1
# bsc#1088463 # bsc#1088463
%define urw_base35_fonts 0 %define urw_base35_fonts 0
@ -98,6 +96,13 @@ BuildRequires: urw-base35-fonts
BuildRequires: ghostscript-fonts-other BuildRequires: ghostscript-fonts-other
BuildRequires: ghostscript-fonts-std BuildRequires: ghostscript-fonts-std
%endif %endif
Obsoletes: ImageMagick-config-7-SUSE < %{version}
Provides: ImageMagick-config-7-SUSE = %{version}
Obsoletes: ImageMagick-config-7-upstream
Obsoletes: ImageMagick-config-7-upstream-open
Obsoletes: ImageMagick-config-7-upstream-secure
Obsoletes: ImageMagick-config-7-upstream-websafe
Obsoletes: imagemagick-config-7-upstream-limited
%package -n perl-PerlMagick %package -n perl-PerlMagick
Summary: Perl interface for ImageMagick Summary: Perl interface for ImageMagick
@ -132,10 +137,8 @@ Recommends: transfig
%package -n libMagickCore%{libspec}%{clibver} %package -n libMagickCore%{libspec}%{clibver}
Summary: C runtime library for ImageMagick Summary: C runtime library for ImageMagick
Group: Productivity/Graphics/Other Group: Productivity/Graphics/Other
Requires: imagick-%{config_spec}
Recommends: %{config_spec}-SUSE
Recommends: ghostscript Recommends: ghostscript
Suggests: %{name}-extra = %{version} Suggests: ImageMagick-extra = %{version}
%package -n libMagickWand%{libspec}%{cwandver} %package -n libMagickWand%{libspec}%{cwandver}
Summary: C runtime library for ImageMagick Summary: C runtime library for ImageMagick
@ -144,7 +147,7 @@ Group: Productivity/Graphics/Other
%package -n libMagick++%{libspec}%{cxxlibver} %package -n libMagick++%{libspec}%{cxxlibver}
Summary: C++ interface runtime library for ImageMagick Summary: C++ interface runtime library for ImageMagick
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: %{name} Requires: ImageMagick
%package -n libMagick++-devel %package -n libMagick++-devel
Summary: Development files for ImageMagick's C++ interface Summary: Development files for ImageMagick's C++ interface
@ -158,43 +161,6 @@ Summary: Document Files for ImageMagick Library
Group: Documentation/HTML Group: Documentation/HTML
BuildArch: noarch BuildArch: noarch
%package %{config_spec}-upstream-open
Summary: Open ImageMagick Security Policy
Group: Development/Libraries/C and C++
Conflicts: imagick-%{config_spec}
Provides: imagick-%{config_spec} = %{version}
Obsoletes: %{config_spec}-upstream < %{version}
Provides: %{config_spec}-upstream = %{version}
BuildArch: noarch
%package %{config_spec}-upstream-limited
Summary: Limited ImageMagick Security Policy
Group: Development/Libraries/C and C++
Conflicts: imagick-%{config_spec}
Provides: imagick-%{config_spec} = %{version}
BuildArch: noarch
%package %{config_spec}-upstream-secure
Summary: Secure ImageMagick Security Policy
Group: Development/Libraries/C and C++
Conflicts: imagick-%{config_spec}
Provides: imagick-%{config_spec} = %{version}
BuildArch: noarch
%package %{config_spec}-upstream-websafe
Summary: Web-safe ImageMagick Security Policy
Group: Development/Libraries/C and C++
Conflicts: imagick-%{config_spec}
Provides: imagick-%{config_spec} = %{version}
BuildArch: noarch
%package %{config_spec}-SUSE
Summary: SUSE Provided Configuration
Group: Development/Libraries/C and C++
Conflicts: imagick-%{config_spec}
Provides: imagick-%{config_spec} = %{version}
BuildArch: noarch
%description %description
ImageMagick is a robust collection of tools and libraries to read, ImageMagick is a robust collection of tools and libraries to read,
write, and manipulate an image in many image formats, including popular write, and manipulate an image in many image formats, including popular
@ -293,59 +259,9 @@ support multiple generations of an image in memory at one time.
%description doc %description doc
HTML documentation for ImageMagick library and scene examples. HTML documentation for ImageMagick library and scene examples.
%description %{config_spec}-upstream-open
This policy is designed for usage in secure settings like those
protected by firewalls or within Docker containers. Within this framework,
ImageMagick enjoys broad access to resources and functionalities. This policy
provides convenient and adaptable options for image manipulation. However,
it's important to note that it might present security vulnerabilities in
less regulated conditions. Thus, organizations should thoroughly assess
the appropriateness of the open policy according to their particular use
case and security prerequisites.
%description %{config_spec}-upstream-limited
The primary objective of the limited security policy is to find a
middle ground between convenience and security. This policy involves the
deactivation of potentially hazardous functionalities, like specific coders
such as SVG or HTTP. Furthermore, it establishes several constraints on
the utilization of resources like memory, storage, and processing duration,
all of which are adjustable. This policy proves advantageous in situations
where there's a need to mitigate the potential threat of handling possibly
malicious or demanding images, all while retaining essential capabilities
for prevalent image formats.
%description %{config_spec}-upstream-secure
This stringent security policy prioritizes the implementation of
rigorous controls and restricted resource utilization to establish a
profoundly secure setting while employing ImageMagick. It deactivates
conceivably hazardous functionalities, including specific coders like
SVG or HTTP. The policy promotes the tailoring of security measures to
harmonize with the requirements of the local environment and the guidelines
of the organization. This protocol encompasses explicit particulars like
limitations on memory consumption, sanctioned pathways for reading and
writing, confines on image sequences, the utmost permissible duration of
workflows, allocation of disk space intended for image data, and even an
undisclosed passphrase for remote connections. By adopting this robust
policy, entities can elevate their overall security stance and alleviate
potential vulnerabilities.
%description %{config_spec}-upstream-websafe
This security protocol designed for web-safe usage focuses on situations
where ImageMagick is applied in publicly accessible contexts, like websites.
It deactivates the capability to read from or write to any image formats
other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
policy prohibits the execution of image filters and indirect reads, thereby
thwarting potential security breaches. By implementing these limitations,
the web-safe policy fortifies the safeguarding of systems accessible to
the public, reducing the risk of exploiting ImageMagick's capabilities
for potential attacks.
%description %{config_spec}-SUSE
ImageMagick configuration as provide by SUSE. It is upstream 'secure'
policy plus disable few other coders for reading and/or writing.
%prep %prep
%setup -q -n ImageMagick-%{source_version} %setup -q -n ImageMagick-%{source_version}
%patch0 -p1
%patch2 -p1 %patch2 -p1
%ifarch i586 %ifarch i586
%if %{?suse_version} < 1550 %if %{?suse_version} < 1550
@ -405,7 +321,8 @@ export CXXFLAGS="%{optflags} -O0"
--without-gcc-arch \ --without-gcc-arch \
--enable-pipes=no \ --enable-pipes=no \
--enable-reproducible-build=yes \ --enable-reproducible-build=yes \
--disable-openmp --disable-openmp \
--with-security-policy=open # open for %check
%if %{asan_build} %if %{asan_build}
sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \ sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
-e 's/\(^LIBS =.*\)/\1 -lasan/' \ -e 's/\(^LIBS =.*\)/\1 -lasan/' \
@ -448,23 +365,13 @@ sed -i 's:TEST_VERBOSE=0:TEST_VERBOSE=1:' Makefile
cd .. cd ..
%install %install
%make_install pkgdocdir=%{_defaultdocdir}/%{name}-%{maj}/ %make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-%{maj}/
# configuration magic # suse modified secure policy as a default
mv -t %{buildroot}%{_sysconfdir}/%{name}* %{buildroot}%{_datadir}/%{name}*/*.xml cp config/policy-secure.xml %{buildroot}/etc/ImageMagick-%{maj}/policy.xml
for policy in open limited secure websafe; do ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-%{maj}/magick
cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream-$policy} ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-%{maj}/wand
cp config/policy-$policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}-upstream-$policy/policy.xml
done
mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-SUSE}
cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE
patch --fuzz=0 --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0}
ln -sf %{config_dir}-SUSE %{buildroot}%{_sysconfdir}/%{config_dir}
# symlink header file relative to /usr/include/ImageMagick-7/
# so that inclusions like wand/*.h and magick/*.h work
ln -s ./MagickCore %{buildroot}%{_includedir}/%{name}-%{maj}/magick
ln -s ./MagickWand %{buildroot}%{_includedir}/%{name}-%{maj}/wand
# these will be included via %%doc # these will be included via %%doc
rm -r %{buildroot}%{_datadir}/doc/%{name}-%{maj}/ rm -r %{buildroot}%{_datadir}/doc/ImageMagick-%{maj}/
rm %{buildroot}%{_libdir}/*.la rm %{buildroot}%{_libdir}/*.la
# remove RPATH from perl module # remove RPATH from perl module
perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so') perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so')
@ -474,8 +381,8 @@ chmod 555 $perl_module
# remove %%{buildroot} from distributed file # remove %%{buildroot} from distributed file
sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/config%{libspec}%{clibver}/configure.xml sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/config%{libspec}%{clibver}/configure.xml
#remove duplicates #remove duplicates
%fdupes -s %{buildroot}%{_defaultdocdir}/%{name}-%{maj} %fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-%{maj}
%fdupes -s %{buildroot}%{_includedir}/%{name}-%{maj} %fdupes -s %{buildroot}%{_includedir}/ImageMagick-%{maj}
%fdupes -s %{buildroot}%{_libdir}/pkgconfig %fdupes -s %{buildroot}%{_libdir}/pkgconfig
%perl_process_packlist %perl_process_packlist
@ -486,32 +393,16 @@ sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/con
%post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig %post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
%postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig %postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
%post %{config_spec}-SUSE
rm -f %{_sysconfdir}/%{config_dir}
ln -sf %{config_dir}-SUSE %{_sysconfdir}/%{config_dir}
%post %{config_spec}-upstream-limited
rm -f %{_sysconfdir}/%{config_dir}
ln -sf %{config_dir}-upstream-limited %{_sysconfdir}/%{config_dir}
%post %{config_spec}-upstream-open
rm -f %{_sysconfdir}/%{config_dir}
ln -sf %{config_dir}-upstream-open %{_sysconfdir}/%{config_dir}
%post %{config_spec}-upstream-secure
rm -f %{_sysconfdir}/%{config_dir}
ln -sf %{config_dir}-upstream-secure %{_sysconfdir}/%{config_dir}
%post %{config_spec}-upstream-websafe
rm -f %{_sysconfdir}/%{config_dir}
ln -sf %{config_dir}-upstream-websafe %{_sysconfdir}/%{config_dir}
%files %files
%license LICENSE %license LICENSE
%doc NEWS.txt %doc NEWS.txt
%doc config/policy-{open,limited,secure,websafe}.xml
%{_bindir}/[^MW]* %{_bindir}/[^MW]*
%{_mandir}/man1/* %{_mandir}/man1/*
%exclude %{_mandir}/man1/*-config.1%{ext_man} %exclude %{_mandir}/man1/*-config.1%{ext_man}
%dir %{_sysconfdir}/ImageMagick-%{maj}
%config(noreplace) %{_sysconfdir}/ImageMagick-%{maj}/*
%{_datadir}/ImageMagick-%{maj}
%files -n libMagickCore%{libspec}%{clibver} %files -n libMagickCore%{libspec}%{clibver}
%license LICENSE %license LICENSE
@ -583,31 +474,6 @@ ln -sf %{config_dir}-upstream-websafe %{_sysconfdir}/%{config_dir}
%{_mandir}/man1/Magick++-config.1%{?ext_man} %{_mandir}/man1/Magick++-config.1%{?ext_man}
%files doc %files doc
%{_defaultdocdir}/%{name}-%{maj} %{_defaultdocdir}/ImageMagick-%{maj}
%files %{config_spec}-upstream-open
%dir %{_sysconfdir}/%{config_dir}-upstream-open/
%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-open/*
%ghost %{_sysconfdir}/%{config_dir}
%files %{config_spec}-upstream-limited
%dir %{_sysconfdir}/%{config_dir}-upstream-limited/
%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-limited/*
%ghost %{_sysconfdir}/%{config_dir}
%files %{config_spec}-upstream-secure
%dir %{_sysconfdir}/%{config_dir}-upstream-secure/
%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-secure/*
%ghost %{_sysconfdir}/%{config_dir}
%files %{config_spec}-SUSE
%dir %{_sysconfdir}/%{config_dir}-SUSE/
%config %{_sysconfdir}/%{config_dir}-SUSE/*
%ghost %{_sysconfdir}/%{config_dir}
%files %{config_spec}-upstream-websafe
%dir %{_sysconfdir}/%{config_dir}-upstream-websafe/
%config(noreplace) %{_sysconfdir}/%{config_dir}-upstream-websafe/*
%ghost %{_sysconfdir}/%{config_dir}
%changelog %changelog