* upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-17---2023-09-19 - modified patches % ImageMagick-library-installable-in-parallel.patch (refreshed) - follow upstream, create open, limited, secure and websafe alternative configuration packages with different policy.xml * CVE-2022-1115 [bsc#1198701] * CVE-2022-1114 [bsc#1198700] * CVE-2022-0284 [bsc#1195563] * CVE-2021-4219 [bsc#1196337] OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=666
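--- a/config/policy-secure.xml
+++ b/config/policy-secure.xml
@@ -92,8 +92,10 @@
 <policy domain="path" rights="none" pattern="/etc/*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
+ <!-- These image types can expose risks on read and write -->
+ <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
 <!-- These image types are security risks on read, but write is fine -->
- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
+ <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
 <!-- This policy sets the number of times to replace content of certain
 memory buffers and temporary files before they are freed or deleted. -->
 <policy domain="system" name="shred" value="1"/>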