Petr Gajdos
071beafdd0
OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=714
26 lines
1.5 KiB
Diff
26 lines
1.5 KiB
Diff
Index: ImageMagick-7.1.1-29/config/policy-secure.xml
|
|
===================================================================
|
|
--- ImageMagick-7.1.1-29.orig/config/policy-secure.xml
|
|
+++ ImageMagick-7.1.1-29/config/policy-secure.xml
|
|
@@ -82,8 +82,6 @@
|
|
<policy domain="cache" name="synchronize" value="true"/>
|
|
<!-- Replace passphrase for secure distributed processing -->
|
|
<!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
|
|
- <!-- Do not permit any delegates to execute. -->
|
|
- <policy domain="delegate" rights="none" pattern="*"/>
|
|
<!-- Do not permit any image filters to load. -->
|
|
<policy domain="filter" rights="none" pattern="*"/>
|
|
<!-- Don't read/write from/to stdin/stdout. -->
|
|
@@ -92,8 +90,10 @@
|
|
<policy domain="path" rights="none" pattern="/etc/*"/>
|
|
<!-- Indirect reads are not permitted. -->
|
|
<policy domain="path" rights="none" pattern="@*"/>
|
|
+ <!-- These image types can expose risks on read and write -->
|
|
+ <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
|
|
<!-- These image types are security risks on read, but write is fine -->
|
|
- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
|
|
+ <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
|
|
<!-- This policy sets the number of times to replace content of certain
|
|
memory buffers and temporary files before they are freed or deleted. -->
|
|
<policy domain="system" name="shred" value="1"/>
|