adapt ImageMagick-configuration-SUSE.patch and reorder patch handling See also https://bugzilla.opensuse.org/show_bug.cgi?id=1246065 for the same issue in 15.6 and the new report for 16.0 https://bugzilla.opensuse.org/show_bug.cgi?id=1253110 OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=784
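--- a/config/policy-limited.xml
+++ b/config/policy-limited.xml
@@ -82,6 +82,8 @@
 <!-- <policy domain="path" rights="none" pattern="-"/> -->
 <!-- don't read sensitive paths. -->
 <policy domain="path" rights="none" pattern="/etc/*"/>
+ <!-- but allow to read own data. -->
+ <policy domain="path" rights="read" pattern="/etc/IM*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
 <!-- These image types are security risks on read, but write is fine -->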
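Review bot: The new allowance `<policy domain="path" rights="read" pattern="/etc/IM*"/>` sits after the `rights="none"` rule for `/etc/*` and only takes effect if the later, more specific match overrides the earlier one; that depends on how IsRightsAuthorized in this version walks matching policies, so it is worth confirming against the source rather than relying on file order. The glob `/etc/IM*` is also wider than ImageMagick's own configuration: it re-permits reads of any `/etc/IM…` path, not just the ImageMagick directory, and if the configuration lives under `/etc/ImageMagick-<major>` then `pattern="/etc/ImageMagick-*"` would be the tighter match. The comment `<!-- but allow to read own data. -->` should name the data and the reason, e.g. `<!-- but allow reading ImageMagick's own configuration files (openSUSE bugzilla 1246065 / 1253110) -->`. The same hunk recurs in policy-secure.xml and policy-websafe.xml; in policy-open.xml both added lines are themselves commented out, so the change is a no-op there.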
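--- a/config/policy-open.xml
+++ b/config/policy-open.xml
@@ -137,6 +137,8 @@
 <!-- <policy domain="path" rights="none" pattern="-"/> -->
 <!-- don't read sensitive paths. -->
 <!-- <policy domain="path" rights="none" pattern="/etc/*"/> -->
+ <!-- but allow to read own data. -->
+ <!-- <policy domain="path" rights="read" pattern="/etc/IM*"/> -->
 <!-- Indirect reads are not permitted. -->
 <!-- <policy domain="path" rights="none" pattern="@*"/> -->
 <!-- These image types are security risks on read, but write is fine -->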
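--- a/config/policy-secure.xml
+++ b/config/policy-secure.xml
@@ -92,6 +92,8 @@
 <policy domain="path" rights="none" pattern="-"/>
 <!-- don't read sensitive paths. -->
 <policy domain="path" rights="none" pattern="/etc/*"/>
+ <!-- but allow to read own data. -->
+ <policy domain="path" rights="read" pattern="/etc/IM*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
 <!-- These image types are security risks on read, but write is fine -->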
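--- a/config/policy-websafe.xml
+++ b/config/policy-websafe.xml
@@ -88,6 +88,8 @@
 <policy domain="path" rights="none" pattern="-"/>
 <!-- don't read sensitive paths. -->
 <policy domain="path" rights="none" pattern="/etc/*"/>
+ <!-- but allow to read own data. -->
+ <policy domain="path" rights="read" pattern="/etc/IM*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
 <!-- Deny all image modules and specifically exempt reading or writing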