Accepting request 1112966 from graphics

- version update to 7.1.1.17 * upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-17---2023-09-19 - modified patches % ImageMagick-library-installable-in-parallel.patch (refreshed) - follow upstream, create open, limited, secure and websafe alternative configuration packages with different policy.xml - removing p7zip redundant dependency * [bsc#1200389] CVE-2022-32546 * [bsc#1211792] CVE-2023-34153 * [bsc#1211791] CVE-2023-34151 - [bsc#1209141] CVE-2023-1289 - [bsc#1207982] CVE-2022-44267 - [bsc#1207983] CVE-2022-44268 - [bsc#1203450] CVE-2022-3213 - CVE-2022-2719 [bsc#1202250] - [bsc#1199350] CVE-2022-28463 - [bsc#1200387] CVE-2022-32547 * CVE-2022-1115 [bsc#1198701] * [bsc#1200389] (CVE-2022-32546 * CVE-2022-1114 [bsc#1198700] * [bsc#1200388] CVE-2022-32545 * CVE-2022-0284 [bsc#1195563] * CVE-2021-4219 [bsc#1196337] OBS-URL: https://build.opensuse.org/request/show/1112966 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ImageMagick?expand=0&rev=279
2023-09-26 20:00:27 +00:00 · 2023-09-26 20:00:27 +00:00 · bd92242574
commit bd92242574
parent 3d82917720 909d0db650
8 changed files with 229 additions and 88 deletions
--- a/ImageMagick-7.1.1-15.tar.xz
+++ b/ImageMagick-7.1.1-15.tar.xz
--- a/ImageMagick-7.1.1-15.tar.xz.asc
+++ b/ImageMagick-7.1.1-15.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmTGad0ACgkQiatj1IJ3
 N3q70A//VACuhnStqbXC+miIR0u7kOzip6uCszmV+X5w7L4ePCdke6Hp7CoSLATo
 /BJUt+CU2K8a6exHwx4tTTtNm9ALASFfubL9aUCjKCh+83H6dnHgI5NpS2gSsNMD
 i+FRlmm0yKKYTZZqwgWkTYDWJvnHhEEtVX+C1vgAyljlusjb+bSmEVGYPdh+EXca
 rMF2bnOT3GG+MiLvI93wJAqhIGz1Zh85Ywf+wzSRaRby2z3cvH6RUMbfQXD1bOQL
 l3BT+vtEsw6+GV37iWzqhVwFMWBYNzJDZUsUN6V9HmcnLdKVpPLT9a1jDZhBBDzc
 kH5f4iaseG3jp7rz9BbXYQGMC8iRpZv+Ty3ew+EzjZ5Bt7ThxXVl/VnfofXOI6de
 m2qj2SnLF/G3BFctpfTVYO4SWiED1/aNt5k8S0KHuYRKmGzjGf3vBV0LBIMKXs4y
 VTpCm1p+RcUjHD9MKEcRpsGi6KGyLH4dZlKDwXhQ/Vcj8hg7DvvS+O2uPq/QjXPg
 Dzlp0JkdRHAIMWR7Jf1XEVe1IPfl4lrxQnQkX1SxVMQExa/vXflQR91el9ijeVTv
 2EEMx6hzzp07ZmQvFBCruY/gliPwyZdCY2/BmwHJ0hMekg9Z4p8NLcna+rtEMaBJ
 E7IjHdHcXXxwDPCNGpeiNLSdO/oi3Il+Z0nVFqw0pI3AbojUde8=
 =0QMW
 -----END PGP SIGNATURE-----
--- a/ImageMagick-7.1.1-17.tar.xz
+++ b/ImageMagick-7.1.1-17.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1178b2062569d83314feb9ce586eaf1144c5daa3da3784ea641cee6d28cec00b
 size 10222236
--- a/ImageMagick-7.1.1-17.tar.xz.asc
+++ b/ImageMagick-7.1.1-17.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmUKIgoACgkQiatj1IJ3
 N3o8dg//YEt4TKYNJVn7T7plRPKcIkMygVJssF+23l7RQMCPnvI1seFPfM+I8HNZ
 0FWSTR2AHDBMKPSb9P4Ztu6e7DrOsllx7Nu28FMj6/2uHzL1341azC72wOp/aCHo
 VDr/D8BnoYU9EAptnRxyIGgEqCpzKeu4sVlwyAx9ydoYUy1i1hGauQHNGhIXsAUm
 b7/rB7nMjbB67aTl3q7LbKQO26O4frpDmxJgEh65cL1rst5LdgQXFUM+o+Y2ZfMf
 a/4cvVcmb5KSplqn1PJUZrc6rjEeJO3w3hEYkEMxoOXLaujXzKpg6Gf540HdsHH8
 9HdNcrxwXLZsKrzrSHWaSPWihgEqGryHKH9PjF4gSLh+k0uYJRtBPRm/17tu5d/a
 Tl2CC4n5RZqkq4lB7ofYJ2O838HSrNN43j3TA2qVPBorsMxJvw/Q5xVSusn4Pt0F
 ZLkpSSnHSeKZMURT2q/ptoSkmAx9/G4FO1Pe9su5hT/5JZGewV+3rGWtyBLwpHkg
 LL3d0FkzONf7LuT1fALtZV4hr0xn3L8zBb99jHh+nKYxFrk+M7sqwnJyd9uXHt8o
 uVbuxfIiZz8J1sB+0BbTW/9zeDJDdZ+fs+13BsBFaHILaIGqdijuAZ8VZJfWUDPj
 qOm826vFF3VouRThoxSWhwN4WJ6JR+bIZKKL+Fzustzf3uZ5aKI=
 =K65O
 -----END PGP SIGNATURE-----
--- a/ImageMagick-configuration-SUSE.patch
+++ b/ImageMagick-configuration-SUSE.patch
@ -1,29 +1,15 @@
--- ImageMagick-7.1.0-43/config/policy.xml
+--- a/config/policy-secure.xml
-+++ ImageMagick-7.1.0-43/config/policy.xml
+++ b/config/policy-secure.xml
-@@ -79,5 +79,26 @@
+@@ -92,8 +92,10 @@
-   <!-- <policy domain="cache" name="synchronize" value="true"/> -->
+   <policy domain="path" rights="none" pattern="/etc/*"/>
-   <!-- <policy domain="system" name="shred" value="1"/> -->
+   <!-- Indirect reads are not permitted. -->
-   <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+   <policy domain="path" rights="none" pattern="@*"/>
-+
+  <!-- These image types can expose risks on read and write -->
-+  <!-- Disable insecure coders by default -->
+  <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
-+  <!-- https://bugzilla.suse.com/show_bug.cgi?id=978061 -->
+   <!-- These image types are security risks on read, but write is fine -->
-+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+-  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
-+  <policy domain="coder" rights="none" pattern="URL" />
+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
-+  <policy domain="coder" rights="none" pattern="HTTPS" />
+   <!-- This policy sets the number of times to replace content of certain
-+  <policy domain="coder" rights="none" pattern="MVG" />
+        memory buffers and temporary files before they are freed or deleted. -->
-+  <policy domain="coder" rights="none" pattern="MSL" />
+   <policy domain="system" name="shred" value="1"/>
-+  <policy domain="coder" rights="none" pattern="TEXT" />
+
 +  <policy domain="coder" rights="none" pattern="SHOW" />
 +  <policy domain="coder" rights="none" pattern="WIN" />
 +  <policy domain="coder" rights="none" pattern="PLT" />
 +  <policy domain="coder" rights="write" pattern="PS" />
 +  <policy domain="coder" rights="write" pattern="PS2" />
 +  <policy domain="coder" rights="write" pattern="PS3" />
 +  <policy domain="coder" rights="write" pattern="PDF" />
 +  <policy domain="coder" rights="write" pattern="XPS" />
 +  <policy domain="coder" rights="write" pattern="EPI" />
 +  <policy domain="coder" rights="write" pattern="EPS" />
 +  <policy domain="coder" rights="write" pattern="PCL" />
 +  <policy domain="path" rights="none" pattern="@*"/>
   <policy domain="Undefined" rights="none"/>
 </policymap>
--- a/ImageMagick-library-installable-in-parallel.patch
+++ b/ImageMagick-library-installable-in-parallel.patch
@ -1,8 +1,8 @@
-Index: ImageMagick-7.1.1-15/configure
+Index: ImageMagick-7.1.1-17/configure
 ===================================================================
--- ImageMagick-7.1.1-15.orig/configure
+--- ImageMagick-7.1.1-17.orig/configure
-+++ ImageMagick-7.1.1-15/configure
+++ ImageMagick-7.1.1-17/configure
-@@ -35317,7 +35317,9 @@ fi
+@@ -34840,7 +34840,9 @@ fi
 # Subdirectory to place architecture-dependent configuration files
--- a/ImageMagick.changes
+++ b/ImageMagick.changes
@ -1,3 +1,15 @@
 -------------------------------------------------------------------
 Thu Sep 21 15:26:22 UTC 2023 - pgajdos@suse.com
 - version update to 7.1.1.17
  * upstream changelog:
  https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-17---2023-09-19
 - modified patches
  % ImageMagick-library-installable-in-parallel.patch (refreshed)
 - follow upstream, create open, limited, secure and websafe alternative
  configuration packages with different policy.xml
 - removing p7zip redundant dependency
 -------------------------------------------------------------------
 Tue Aug 22 13:11:14 UTC 2023 - pgajdos@suse.com
@ -23,6 +35,9 @@ Tue May 30 08:33:42 UTC 2023 - pgajdos@suse.com
 - version update to 7.1.1.11
  * upstream changelog:
  https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-11---2023-05-29
 * [bsc#1200389] CVE-2022-32546
 * [bsc#1211792] CVE-2023-34153
 * [bsc#1211791] CVE-2023-34151
 -------------------------------------------------------------------
 Thu May 25 08:05:03 UTC 2023 - pgajdos@suse.com
@ -66,6 +81,7 @@ Tue Mar 14 13:30:28 UTC 2023 - pgajdos@suse.com
  https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
 - modified patches
  % ImageMagick-library-installable-in-parallel.patch (refreshed)
 - [bsc#1209141] CVE-2023-1289
 -------------------------------------------------------------------
 Mon Mar 13 08:45:26 UTC 2023 - Martin Pluskal <mpluskal@suse.com>
@ -150,6 +166,8 @@ Wed Oct 26 09:27:50 UTC 2022 - Dirk Müller <dmueller@suse.com>
  * latest automake configuration
  * fix undefined-shift in ReadTGAImage @ https://oss-fuzz.com/testcase?key=5129864151957504
  * prevent divide by zero exception
 - [bsc#1207982] CVE-2022-44267
 - [bsc#1207983] CVE-2022-44268
 -------------------------------------------------------------------
 Wed Oct 12 08:06:39 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
@ -158,6 +176,7 @@ Wed Oct 12 08:06:39 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
  upstream changelog:
  https://raw.githubusercontent.com/ImageMagick/Website/main/ChangeLog.md
 - rebae ImageMagick-library-installable-in-parallel.patch
 - [bsc#1203450] CVE-2022-3213
 -------------------------------------------------------------------
 Wed Sep 28 14:10:28 UTC 2022 - Dirk Müller <dmueller@suse.com>
@ -358,6 +377,9 @@ Tue Apr 19 13:37:18 UTC 2022 - Dirk Müller <dmueller@suse.com>
  * Fixes #4985: 4e+26 is outside the range of representable values of type
    'unsigned long' at
 - fix typo on update-alternatives call
 - CVE-2022-2719 [bsc#1202250]
 - [bsc#1199350] CVE-2022-28463
 - [bsc#1200387] CVE-2022-32547
 -------------------------------------------------------------------
 Sun Apr 17 12:36:12 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
@ -370,6 +392,8 @@ Thu Apr  7 07:29:22 UTC 2022 - pgajdos@suse.com
 - version update to 7.1.0.29
  see ChangeLog.md for details
  (https://github.com/ImageMagick/ImageMagick/blob/main/ChangeLog.md)
  * CVE-2022-1115 [bsc#1198701]
  * [bsc#1200389] (CVE-2022-32546
 -------------------------------------------------------------------
 Wed Mar 23 21:46:16 UTC 2022 - Dirk Müller <dmueller@suse.com>
@ -379,6 +403,8 @@ Wed Mar 23 21:46:16 UTC 2022 - Dirk Müller <dmueller@suse.com>
  * fix PS and EPS %%BoundingBox not being parsed
  * fix stack based buffer overflow in _TIFFVGetField (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42549)
  * fix heap buffer overflow in dcm image reading (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45640)
  * CVE-2022-1114 [bsc#1198700]
  * [bsc#1200388] CVE-2022-32545
 -------------------------------------------------------------------
 Tue Mar 15 11:34:13 UTC 2022 - pgajdos@suse.com
@ -438,6 +464,7 @@ Wed Feb  2 13:08:44 UTC 2022 - pgajdos@suse.com
    https://github.com/ImageMagick/ImageMagick/discussions/4533).
  * Add support for formatted text (reference
    https://github.com/ImageMagick/ImageMagick/discussions/4515).
  * CVE-2022-0284 [bsc#1195563]
 -------------------------------------------------------------------
 Thu Dec 30 09:38:20 UTC 2021 - Dirk Müller <dmueller@suse.com>
@ -446,6 +473,7 @@ Thu Dec 30 09:38:20 UTC 2021 - Dirk Müller <dmueller@suse.com>
  * support -integral option.
  * possible DoS for certain SVG constructs (reference
    https://github.com/ImageMagick/ImageMagick/issues/4626).
  * CVE-2021-4219 [bsc#1196337]
 -------------------------------------------------------------------
 Tue Dec 21 23:12:27 UTC 2021 - Dirk Müller <dmueller@suse.com>
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -20,7 +20,7 @@
 %define asan_build     0
 %define maj            7
 %define mfr_version    %{maj}.1.1
-%define mfr_revision   15
+%define mfr_revision   17
 %define quantum_depth  16
 %define source_version %{mfr_version}-%{mfr_revision}
 %define clibver        10
@ -84,11 +84,6 @@ BuildRequires:  pkgconfig(libwebpmux)
 BuildRequires:  pkgconfig(libxml-2.0)
 BuildRequires:  pkgconfig(lqr-1)
 BuildRequires:  pkgconfig(pango)
 %if 0%{?suse_version} > 1500
 BuildRequires:  p7zip-full
 %else
 BuildRequires:  p7zip
 %endif
 %if %{with djvu}
 BuildRequires:  pkgconfig(ddjvuapi)
 %endif
@ -162,15 +157,38 @@ Summary:        Document Files for ImageMagick Library
 Group:          Documentation/HTML
 BuildArch:      noarch
-%package %{config_spec}-upstream
+%package %{config_spec}-upstream-open
-Summary:        Upstream Configuration Files
+Summary:        Open ImageMagick Security Policy
 Group:          Development/Libraries/C and C++
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Provides:       imagick-%{config_spec}
 Obsoletes:      %{config_spec}-upstream < %{version}
 Provides:       %{config_spec}-upstream = %{version}
 %package %{config_spec}-upstream-limited
 Summary:        Limited ImageMagick Security Policy
 Group:          Development/Libraries/C and C++
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Provides:       imagick-%{config_spec}
 %package %{config_spec}-upstream-secure
 Summary:        Secure ImageMagick Security Policy
 Group:          Development/Libraries/C and C++
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Provides:       imagick-%{config_spec}
 %package %{config_spec}-upstream-websafe
 Summary:        Web-safe ImageMagick Security Policy
 Group:          Development/Libraries/C and C++
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Provides:       imagick-%{config_spec}
 %package %{config_spec}-SUSE
-Summary:        Upstream Configuration Files
+Summary:        SUSE Provided Configuration
 Group:          Development/Libraries/C and C++
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
@ -274,20 +292,56 @@ support multiple generations of an image in memory at one time.
 %description doc
 HTML documentation for ImageMagick library and scene examples.
-%description %{config_spec}-upstream
+%description %{config_spec}-upstream-open
-ImageMagick configuration as supplied by upstream. It does not
+This policy is designed for usage in secure settings like those
-provide any security restrictions. ImageMagick will be vulnerable
+protected by firewalls or within Docker containers. Within this framework,
-for example by ImageTragick or PS/PDF coder issues. It should
+ImageMagick enjoys broad access to resources and functionalities. This policy
-be used in trusted environment. Version or maintenance updates
+provides convenient and adaptable options for image manipulation. However,
-will not overwrite user changes in system configuration.
+it's important to note that it might present security vulnerabilities in
 less regulated conditions. Thus, organizations should thoroughly assess
 the appropriateness of the open policy according to their particular use
 case and security prerequisites.
 %description %{config_spec}-upstream-limited
 The primary objective of the limited security policy is to find a
 middle ground between convenience and security. This policy involves the
 deactivation of potentially hazardous functionalities, like specific coders
 such as SVG or HTTP. Furthermore, it establishes several constraints on
 the utilization of resources like memory, storage, and processing duration,
 all of which are adjustable. This policy proves advantageous in situations
 where there's a need to mitigate the potential threat of handling possibly
 malicious or demanding images, all while retaining essential capabilities
 for prevalent image formats.
 %description %{config_spec}-upstream-secure
 This stringent security policy prioritizes the implementation of
 rigorous controls and restricted resource utilization to establish a
 profoundly secure setting while employing ImageMagick. It deactivates
 conceivably hazardous functionalities, including specific coders like
 SVG or HTTP. The policy promotes the tailoring of security measures to
 harmonize with the requirements of the local environment and the guidelines
 of the organization. This protocol encompasses explicit particulars like
 limitations on memory consumption, sanctioned pathways for reading and
 writing, confines on image sequences, the utmost permissible duration of
 workflows, allocation of disk space intended for image data, and even an
 undisclosed passphrase for remote connections. By adopting this robust
 policy, entities can elevate their overall security stance and alleviate
 potential vulnerabilities.
 %description %{config_spec}-upstream-websafe
 This security protocol designed for web-safe usage focuses on situations
 where ImageMagick is applied in publicly accessible contexts, like websites.
 It deactivates the capability to read from or write to any image formats
 other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
 policy prohibits the execution of image filters and indirect reads, thereby
 thwarting potential security breaches. By implementing these limitations,
 the web-safe policy fortifies the safeguarding of systems accessible to
 the public, reducing the risk of exploiting ImageMagick's capabilities
 for potential attacks.
 %description %{config_spec}-SUSE
-ImageMagick configuration as provide by SUSE. It is more security
+ImageMagick configuration as provide by SUSE. It is upstream 'secure'
-aware than config-upstream variant. It does disable some coders,
+policy plus disable few other coders for reading and/or writing.
 that are insecure by design to prevent user to use them
 inadvertently. Configuration can be subject of change by future
 version and maintenance updates and system changes will not be
 preserved.
 %prep
 %setup -q -n ImageMagick-%{source_version}
@ -363,9 +417,9 @@ cp -r Magick++/demo Magick++/examples
 cp -r PerlMagick/demo PerlMagick/examples
 # other improvements
 chmod -x PerlMagick/demo/*.pl
 exit 0
 %check
 exit 0
 %if %{debug_build} || %{asan_build}
 # testsuite does not succeed for some reason
 # research TODO
@ -390,8 +444,12 @@ cd ..
 %make_install pkgdocdir=%{_defaultdocdir}/%{name}-%{maj}/
 # configuration magic
 mv -t %{buildroot}%{_sysconfdir}/%{name}* %{buildroot}%{_datadir}/%{name}*/*.xml
-mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream}
+for policy in open limited secure websafe; do
-cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{-upstream,-SUSE}
+  cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream-$policy}
  cp config/policy-$policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}-upstream-$policy
 done
 mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-SUSE}
 cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE
 patch --fuzz=0 --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0}
 mkdir -p  %{buildroot}%{_sysconfdir}/alternatives/
 ln -sf %{_sysconfdir}/alternatives/%{config_dir} %{buildroot}%{_sysconfdir}/%{config_dir}
@ -421,7 +479,32 @@ sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/con
 %postun -n libMagickWand%{libspec}%{cwandver} -p /sbin/ldconfig
 %post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
 %postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
-%pretrans %{config_spec}-upstream -p <lua>
+
 %post %{config_spec}-upstream-open
 %{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-open  1
 %postun %{config_spec}-upstream-open
 if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream
 fi
 %post %{config_spec}-upstream-limited
 %{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-limited  5
 %postun %{config_spec}-upstream-limited
 if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-limited
 fi
 %post %{config_spec}-upstream-secure
 %{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-secure  10
 %postun %{config_spec}-upstream-secure
 if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-secure
 fi
 %pretrans %{config_spec}-upstream-open -p <lua>
 -- this %pretrans to be removed soon [bug#1122033#c37]
 path = "%{_sysconfdir}/%{config_dir}"
 st = posix.stat(path)
@ -430,13 +513,22 @@ if st and st.type == "directory" then
  os.rename(path, path .. ".rpmmoved")
 end
-%post %{config_spec}-upstream
+%pretrans %{config_spec}-upstream-limited -p <lua>
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream  1
+-- this %pretrans to be removed soon [bug#1122033#c37]
-
+path = "%{_sysconfdir}/%{config_dir}"
-%postun %{config_spec}-upstream
+st = posix.stat(path)
-if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
+if st and st.type == "directory" then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream
+  os.remove(path .. ".rpmmoved")
-fi
+  os.rename(path, path .. ".rpmmoved")
 end
 %pretrans %{config_spec}-upstream-secure -p <lua>
 -- this %pretrans to be removed soon [bug#1122033#c37]
 path = "%{_sysconfdir}/%{config_dir}"
 st = posix.stat(path)
 if st and st.type == "directory" then
  os.remove(path .. ".rpmmoved")
  os.rename(path, path .. ".rpmmoved")
 end
 %pretrans %{config_spec}-SUSE -p <lua>
 -- this %pretrans to be removed soon [bug#1122033#c37]
@ -447,14 +539,31 @@ if st and st.type == "directory" then
  os.rename(path, path .. ".rpmmoved")
 end
 %pretrans %{config_spec}-upstream-websafe -p <lua>
 -- this %pretrans to be removed soon [bug#1122033#c37]
 path = "%{_sysconfdir}/%{config_dir}"
 st = posix.stat(path)
 if st and st.type == "directory" then
  os.remove(path .. ".rpmmoved")
  os.rename(path, path .. ".rpmmoved")
 end
 %post %{config_spec}-SUSE
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-SUSE      10
+%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-SUSE      15
 %postun %{config_spec}-SUSE
 if [ ! -d %{_sysconfdir}/%{config_dir}-SUSE ] ; then
    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-SUSE
 fi
 %post %{config_spec}-upstream-websafe
 %{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-websafe  20
 %postun %{config_spec}-upstream-websafe
 if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-websafe
 fi
 %files
 %license LICENSE
 %doc NEWS.txt
@ -534,9 +643,21 @@ fi
 %files doc
 %{_defaultdocdir}/%{name}-%{maj}
-%files %{config_spec}-upstream
+%files %{config_spec}-upstream-open
-%dir %{_sysconfdir}/ImageMagick*-upstream/
+%dir %{_sysconfdir}/ImageMagick*-upstream-open/
-%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream/*
+%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-open/*
 %{_sysconfdir}/%{config_dir}
 %ghost %{_sysconfdir}/alternatives/%{config_dir}
 %files %{config_spec}-upstream-limited
 %dir %{_sysconfdir}/ImageMagick*-upstream-limited/
 %config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-limited/*
 %{_sysconfdir}/%{config_dir}
 %ghost %{_sysconfdir}/alternatives/%{config_dir}
 %files %{config_spec}-upstream-secure
 %dir %{_sysconfdir}/ImageMagick*-upstream-secure/
 %config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-secure/*
 %{_sysconfdir}/%{config_dir}
 %ghost %{_sysconfdir}/alternatives/%{config_dir}
@ -546,4 +667,10 @@ fi
 %{_sysconfdir}/%{config_dir}
 %ghost %{_sysconfdir}/alternatives/%{config_dir}
 %files %{config_spec}-upstream-websafe
 %dir %{_sysconfdir}/ImageMagick*-upstream-websafe/
 %config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-websafe/*
 %{_sysconfdir}/%{config_dir}
 %ghost %{_sysconfdir}/alternatives/%{config_dir}
 %changelog