Accepting request 1328227 from graphics

OBS-URL: https://build.opensuse.org/request/show/1328227
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ImageMagick?expand=0&rev=323

ImageMagick-7.1.2-0.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmhzpugACgkQiatj1IJ3
-N3oAxg/+LGUZrTHB3ZHWWHZuL7aTDbWTyZVeCkV7ATnx0fysNsAijQE3F1ZWRXA9
-F8thN4POBodTtLo1WT4txSe15xkgspl/zcBceREtmvnukTLMhxqeh+7puW4ymgso
-UXuwH+ACHK7eTTIMFe57R3cjJYQiVVJ3VfGpa5T9kqHUFY2QR0R1irnsIBIO0Svu
-Xhf4ruxoEmAPqNPeR4SH+XfivrMflm2OXUlTmGJz8eiCs9Q2CLi6UzXadllYN8qj
-i7nBKW6QfWRl1GktwCdNQ5V8by6LbZbH5a+ns+7txyFd73IGIzO69izR6ZTpz+0Z
-haW+TqXlvX36w/QFbKkXzNzHRq5R708uE60htURdP5nKdPsmpuXUK32shNhQv349
-V6z7NxwVVkkvvgVn9c8cXr1BAF//X0WnaXNQqEpggDBYc8wEio+JoS0WwAzoWuSL
-v/oBKQQHB57hUgwGs1TvDzEAx5rDdU/CJf60kfcwMT1ep7Xo7egvFcaXacRmUSsj
-IFWE3GXtXGrcK6QEqv90YbLSbdTW4Li8lWQVd6ZGilfoLLuTwSbVwoEYfdZxvAdy
-PYTgSHzN/v09hn3T4yvQilV2xG8HD8wHr6nnb2EBQX5Nm2ZviUdUdMo4xQeZnhZd
-UafoFf9TK8QoPSQeEYoSIwjuixBHrNuEgNKd1+Lch01K04Xdi+M=
-=cMIz
------END PGP SIGNATURE-----

ImageMagick-7.1.2-13.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:968e022c8c7ee620680bac658628ef0f582be7b8aa71b386a9a9d068ec17dbd2
+size 10805152

ImageMagick-7.1.2-13.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmludfcACgkQiatj1IJ3
+N3rRAhAAoeXH5xDosG846p3e+VAif8DiYCb1fkdHaPesq/exAQYTHHUpv0lkC0+8
+9GZQ4/0GZlMMF4IJHUxfSBCwdbVQonx3ttg87ZGICfIJ9OJsAqUHzTxwzEipxHg5
+Ow+ZmHl5bv927fiW6x0gKXuHmjyp4g2uF71PbFLUjHKhGc5swvcm4pjH7dbc7cx3
+aZV6gAbYCzbsZhmCJ59lbrAbfPewMaUPq80YtwLoBo0WRte2klZ116PjN/hVNOEb
+wWzNFu9ZVrP5xFY5SLLQELBYEop22TGcfzFicUVRGLvIcNE3Lc5oKgVHWENjd5Xa
+gde7TVKcSHVAphdBoXyW7si9ibORIk6QyqbCobzPgbARTBEjWdDSHFgwdWSkCBAO
+qnqilvqXiJYHPErMIN0FTVMuVckMWEmV2pmJlORvapTdYJv4ROd0wzPP6OAynju+
+ODHm6HAoEO2Kg2aCA3nxOfww0samtvu7XJdiPV7kTTKxz1wEIz7A+Z5vfIyYFlDH
+9wcD1hAoEABV9nkShuAjF/XGPap1a1Va0vKX/q4eG77NHjAPIcdbiBmI+XOGgSRK
+CRQdGI502QZ2A4bH7oxgax8UQgQWIVPHGBLZxJLniFwpH3IQ6BEq9miDFQGc4bSq
+b3y2MZ/R3WEVCafmOt9F6/L8OsZ3hF11e8WAoLsrUcEH9WD7d3U=
+=toTL
+-----END PGP SIGNATURE-----

ImageMagick-configuration-SUSE.patch

@@ -1,7 +1,8 @@
---- ImageMagick-7.1.1-30/config/policy.xml
-+++ ImageMagick-7.1.1-30/config/policy.xml
+diff -ur ImageMagick-7.1.2-8_fix/config/policy-secure.xml ImageMagick-7.1.2-8_fix2/config/policy-secure.xml
+--- ImageMagick-7.1.2-8/config/policy-secure.xml	2025-11-06 15:30:11.995056081 +0100
++++ ImageMagick-7.1.2-8_fix/config/policy-secure.xml	2025-11-06 15:46:05.605527563 +0100
 @@ -62,7 +62,7 @@
-   <policy domain="resource" name="disk" value="1GiB"/>
+   <policy domain="resource" name="disk" value="2GiB"/>
    <!-- Set the maximum length of an image sequence.  When this limit is
         exceeded, an exception is thrown. -->
 -  <policy domain="resource" name="list-length" value="32"/>
@@ -9,7 +10,7 @@
    <!-- Set the maximum width of an image.  When this limit is exceeded, an
         exception is thrown. -->
    <policy domain="resource" name="width" value="8KP"/>
-@@ -83,11 +83,11 @@
+@@ -85,11 +85,11 @@
    <!-- Replace passphrase for secure distributed processing -->
    <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
    <!-- Do not permit any delegates to execute. -->
@@ -22,8 +23,8 @@
 +  <!--policy domain="path" rights="none" pattern="-"/ -->
    <!-- don't read sensitive paths. -->
    <policy domain="path" rights="none" pattern="/etc/*"/>
-   <!-- Indirect reads are not permitted. -->
-@@ -103,4 +103,20 @@
+   <!-- but allow to read own data. -->
+@@ -107,4 +107,20 @@
    <!-- Set the maximum amount of memory in bytes that are permitted for
         allocation requests. -->
    <policy domain="system" name="max-memory-request" value="256MiB"/>
@@ -44,4 +45,3 @@
 +  <policy domain="coder" rights="write" pattern="XPS" />
 +  <policy domain="coder" rights="write" pattern="PCL" />
  </policymap>
-

ImageMagick-library-installable-in-parallel.patch

@@ -1,8 +1,8 @@
-Index: ImageMagick-7.1.2-0/configure
+Index: ImageMagick-7.1.2-11/configure
 ===================================================================
---- ImageMagick-7.1.2-0.orig/configure
-+++ ImageMagick-7.1.2-0/configure
-@@ -37225,7 +37225,9 @@ fi
+--- ImageMagick-7.1.2-11.orig/configure
++++ ImageMagick-7.1.2-11/configure
+@@ -37253,7 +37253,9 @@ fi
  
  
  # Subdirectory to place architecture-dependent configuration files

ImageMagick.changes

@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Mon Jan 19 18:33:04 UTC 2026 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.2.13
+  * no upstream changelog, see
+    https://github.com/ImageMagick/ImageMagick/compare/7.1.2-12..7.1.2-13
+- modified patches
+  * ImageMagick-configuration-SUSE.patch (refreshed)
+
+-------------------------------------------------------------------
+Tue Jan  6 09:32:47 UTC 2026 - Petr Gajdos <pgajdos@suse.com>
+
+- version update to 7.1.2.12
+  * no upstream changelog, see
+    https://github.com/ImageMagick/ImageMagick/compare/7.1.2-11..7.1.2-12
+  * fixes CVE-2025-68618 [bsc#1255821]
+          CVE-2025-68950 [bsc#1255822]
+          CVE-2025-69204 [bsc#1255823]
+
+-------------------------------------------------------------------
+Mon Dec 22 08:39:43 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
+
+- version update to 7.1.2.11
+  * no upstream changelog, see
+    https://github.com/ImageMagick/ImageMagick/compare/7.1.2-10..7.1.2-11
+- modified patches
+  * ImageMagick-library-installable-in-parallel.patch (refreshed)
+
+-------------------------------------------------------------------
+Sun Dec  7 15:06:32 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.2.10
+  * no upstream changelog, see
+    https://github.com/ImageMagick/ImageMagick/compare/7.1.2-8..7.1.2-10
+- fixes CVE-2025-65955 [bsc#1254435]
+        CVE-2025-66628 [bsc#1254820]
+
+-------------------------------------------------------------------
+Thu Nov  6 14:37:08 UTC 2025 - Dirk Stoecker <opensuse@dstoecker.de>
+
+- fix policy to allow own configuration file reads (ImageMagick_policy_etc.patch)
+  adapt ImageMagick-configuration-SUSE.patch and reorder patch handling
+
+-------------------------------------------------------------------
+Wed Oct 29 14:15:50 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.8
+  * fixes GHSA-wpp4-vqfq-v4hp (CVE-2025-62594 [bsc#1252749])
+
+-------------------------------------------------------------------
+Mon Oct 20 10:33:08 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.7
+  * fixes GHSA-9pp9-cfwx-54rm (CVE-2025-62171 [bsc#1252282])
+  * otherwise no upstream changelog, see
+    https://github.com/ImageMagick/ImageMagick/compare/7.1.2-2..7.1.2-7
+
+-------------------------------------------------------------------
+Tue Sep  9 12:37:21 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.3
+  * fixes GHSA-23hg-53q6-hqfg CVE-2025-57807 [bsc#1249362]
+  * Close the blob so we can re-open it again (#8327)
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch (refreshed)
+
+-------------------------------------------------------------------
+Mon Aug 25 20:23:06 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.2.2
+  * Fix infinite loop when decoding JXL with -limit height/width by
+    @Elvyria in #8303
+  * Bump actions/checkout from 4 to 5 by @dependabot[bot] in #8304
+  * cache.c: Fix unused function warning by @Dave-Allured in #8309
+- fixes
+    CVE-2025-55298 [bsc#1248780]
+    CVE-2025-57803 [bsc#1248784]
+    CVE-2025-55212 [bsc#1248767]
+
+-------------------------------------------------------------------
+Wed Aug 20 09:11:08 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.1
+  * Add support for Simple File Format Family (SF3) images by @Shinmera in #8243
+  * Fix validation issues in SF3 by @Shinmera in #8252
+  * Fix compressed exr reading by @Hadsen in #8285
+  * Use OpenMP in ashlar by @yerlotic in #8288
+  * Bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #8296
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch
+- removed patches
+  - ImageMagick-filename-placeholder-regression-1.patch (upstreamed)
+  - ImageMagick-filename-placeholder-regression-2.patch (upstreamed)
+  - ImageMagick-filename-placeholder-regression-3.patch (upstreamed)
+- fixes
+   CVE-2025-55160 [bsc#1248079], CVE-2025-55004 [bsc#1248076]
+   CVE-2025-55154 [bsc#1248078], CVE-2025-55005 [bsc#1248077]
+
+-------------------------------------------------------------------
+Tue Aug  5 10:55:19 UTC 2025 - pgajdos@suse.com
+
+- added patches [bsc#1247475]
+  + ImageMagick-filename-placeholder-regression-1.patch
+  + ImageMagick-filename-placeholder-regression-2.patch
+  + ImageMagick-filename-placeholder-regression-3.patch
+
 -------------------------------------------------------------------
 Tue Jul 15 11:36:19 UTC 2025 - pgajdos@suse.com
 
@@ -4870,4 +4976,3 @@ Tue Nov 11 16:08:36 MET 1997 - ro@suse.de
 Mon Nov  3 17:49:58 MET 1997 - ro@suse.de
 
 - ready for autobuild
-

ImageMagick.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ImageMagick
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %define debug_build    0
 %define asan_build     0
 %define mfr_version    7.1.2
-%define mfr_revision   0
+%define mfr_revision   13
 %define quantum_depth  16
 %define source_version %{mfr_version}-%{mfr_revision}
 %define clibver        10
@@ -30,7 +30,7 @@
 %define libspec        -7_Q%{quantum_depth}HDRI
 %define config_dir     IM-7
 %define test_verbose   1
-# bsc#1088463
+# bsc#1088463, https://github.com/ImageMagick/ImageMagick/issues/8261
 %define urw_base35_fonts 0
 # do/don't pull djvulibre dependency
 %bcond_without djvu
@@ -46,9 +46,13 @@ Source0:        https://imagemagick.org/archive/releases/ImageMagick-%{source_ve
 Source1:        baselibs.conf
 Source2:        https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz.asc
 Source3:        ImageMagick.keyring
-# suse specific patches
-Patch0:         ImageMagick-configuration-SUSE.patch
+# do not block read access to own config files
+Patch0:         ImageMagick_policy_etc.patch
+# SUSE configuration
+Patch1:         ImageMagick-configuration-SUSE.patch
+# library installation
 Patch2:         ImageMagick-library-installable-in-parallel.patch
+# disable failing tests
 Patch5:         ImageMagick-s390x-disable-tests.patch
 
 BuildRequires:  chrpath
@@ -258,6 +262,10 @@ policy plus disable few other coders for reading and/or writing.
 
 %prep
 %setup -q -n ImageMagick-%{source_version}
+%patch -P 0 -p1
+# default policy (SUSE)
+cp config/policy-secure.xml config/policy.xml
+%patch -P 1 -p1
 %patch -P 2 -p1
 %ifarch s390x
 %patch -P 5 -p1
@@ -359,9 +367,6 @@ cd ..
 
 %install
 %make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-7/
-# default policy (SUSE)
-cp config/policy-secure.xml config/policy.xml
-patch --fuzz=0 -p1 < %{PATCH0}
 cp config/policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}
 # symlink header file relative to /usr/include/ImageMagick-7/
 # so that inclusions like wand/*.h and magick/*.h work

ImageMagick_policy_etc.patch

@@ -0,0 +1,48 @@
+diff -ur ImageMagick-7.1.2-8/config/policy-limited.xml ImageMagick-7.1.2-8_fix/config/policy-limited.xml
+--- ImageMagick-7.1.2-8/config/policy-limited.xml	2025-10-26 12:54:38.000000000 +0100
++++ ImageMagick-7.1.2-8_fix/config/policy-limited.xml	2025-11-06 15:30:05.385948863 +0100
+@@ -82,6 +82,8 @@
+   <!-- <policy domain="path" rights="none" pattern="-"/> -->
+   <!-- don't read sensitive paths. -->
+   <policy domain="path" rights="none" pattern="/etc/*"/>
++  <!-- but allow to read own data. -->
++  <policy domain="path" rights="read" pattern="/etc/IM*"/>
+   <!-- Indirect reads are not permitted. -->
+   <policy domain="path" rights="none" pattern="@*"/>
+   <!-- These image types are security risks on read, but write is fine -->
+diff -ur ImageMagick-7.1.2-8/config/policy-open.xml ImageMagick-7.1.2-8_fix/config/policy-open.xml
+--- ImageMagick-7.1.2-8/config/policy-open.xml	2025-10-26 12:54:38.000000000 +0100
++++ ImageMagick-7.1.2-8_fix/config/policy-open.xml	2025-11-06 15:30:28.217319267 +0100
+@@ -137,6 +137,8 @@
+   <!-- <policy domain="path" rights="none" pattern="-"/> -->
+   <!-- don't read sensitive paths. -->
+   <!-- <policy domain="path" rights="none" pattern="/etc/*"/> -->
++  <!-- but allow to read own data. -->
++  <!-- <policy domain="path" rights="read" pattern="/etc/IM*"/> -->
+   <!-- Indirect reads are not permitted. -->
+   <!-- <policy domain="path" rights="none" pattern="@*"/> -->
+   <!-- These image types are security risks on read, but write is fine -->
+diff -ur ImageMagick-7.1.2-8/config/policy-secure.xml ImageMagick-7.1.2-8_fix/config/policy-secure.xml
+--- ImageMagick-7.1.2-8/config/policy-secure.xml	2025-10-26 12:54:38.000000000 +0100
++++ ImageMagick-7.1.2-8_fix/config/policy-secure.xml	2025-11-06 15:30:11.995056081 +0100
+@@ -92,6 +92,8 @@
+   <policy domain="path" rights="none" pattern="-"/>
+   <!-- don't read sensitive paths. -->
+   <policy domain="path" rights="none" pattern="/etc/*"/>
++  <!-- but allow to read own data. -->
++  <policy domain="path" rights="read" pattern="/etc/IM*"/>
+   <!-- Indirect reads are not permitted. -->
+   <policy domain="path" rights="none" pattern="@*"/>
+   <!-- These image types are security risks on read, but write is fine -->
+diff -ur ImageMagick-7.1.2-8/config/policy-websafe.xml ImageMagick-7.1.2-8_fix/config/policy-websafe.xml
+--- ImageMagick-7.1.2-8/config/policy-websafe.xml	2025-10-26 12:54:38.000000000 +0100
++++ ImageMagick-7.1.2-8_fix/config/policy-websafe.xml	2025-11-06 15:29:57.094814346 +0100
+@@ -88,6 +88,8 @@
+   <policy domain="path" rights="none" pattern="-"/>
+   <!-- don't read sensitive paths. -->
+   <policy domain="path" rights="none" pattern="/etc/*"/>
++  <!-- but allow to read own data. -->
++  <policy domain="path" rights="read" pattern="/etc/IM*"/>
+   <!-- Indirect reads are not permitted. -->
+   <policy domain="path" rights="none" pattern="@*"/>
+   <!-- Deny all image modules and specifically exempt reading or writing