Accepting request 1301785 from graphics

- fixes
    CVE-2025-55298 [bsc#1248780]
    CVE-2025-57803 [bsc#1248784]
    CVE-2025-55212 [bsc#1248767]

OBS-URL: https://build.opensuse.org/request/show/1301785
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ImageMagick?expand=0&rev=314

ImageMagick-7.1.1-36.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ca2b4c0144a75b90ec49a098c33eb3b811a28f7e2cd0139ef67dc4abf830870f
-size 10776916

ImageMagick-7.1.1-36.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmak8hkACgkQiatj1IJ3
-N3r/rg/+MEk5BIzgKw64zlLB55uJEYck3ixxuDCwmlZwnQ9E6rB2+SypNXmA+EQZ
-L68yHqAtOfBFY8UruK35YbeMUbNuyFijoaPB866jbrK31PUPYBtsk0jOyYmSuVUp
-rYtySG2QkMDqGcNdeuj1jXMXnLB4bgU9vhbU1WumLfmu9tAkQ3uJnqxZo+tBSnGf
-waMpt+6M7vqh2+Prox5xwy1ofZYc6z8o7923GsHPLsRPX38iU4338fjeYVt1Nmj6
-r8Kv81HhxteDmg0P2YLyiz+Xm+SOSK83O3TdP0ujQCmibyhFbD22kGv7RrsDgzv5
-ZImoiBF8/AkIz8HRsaWsUgMsGqmPApjFv7ToOBNQ8ILUK8gnQ+MyWpo5Dgjd4pjA
-oz5Ir9bcssD/cZTMnoL1IdQEHmv04K3Ho9apGMQl+X6yOpN+lmzYvsVntbNAufbN
-vVU9JTvOuA10GO2is0PFlcmSCAxcwXaMvulqI4SczzR2Yzu409EgOqxKU1jHUeB3
-JKKl3RpZlP7Ke9EcYeBezYCL4Q9aBuke7qpjFXRFj9o/QYPXYSqFPcRHwXXeBFG0
-BRBTtV+4KD74bkvlKgzJhHCRumIKl4mXI5oJcabZkiMO/kgKuwIGMiU5Iy/eGcO7
-UlG5tFPpzOHmX6dryKUcQsgwZ/sHm1RV2Ts1AwJcKpnndZO9es4=
-=yuy4
------END PGP SIGNATURE-----

ImageMagick-7.1.2-2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d264a2698f08bad4d261bccbb63413292570e94c0ba506f8368a9fea9613542d
+size 10788164

ImageMagick-7.1.2-2.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2Ccu9R2iI+TQW0Zpiatj1IJ3N3oFAmirLi4ACgkQiatj1IJ3
+N3ou8xAAnzzqSBaD+uysz4G3dlvdIryCCkXj2e/fUhQ8CA7PVTcaQ6vSc1JQ395O
+gYj56Hx2Syrrasu+W2V4yb5NyHuDsm8BTnRuuL8LMRk6kZi0txnMlO3AMoGEKjAq
+yjBX2WjJJCkQAuOjQU5RSD5y06kJHaWgdNd7rmYez6XrdehnpmGsDMwiNF2pEaYW
+PVz3P5616ctuXHtmacmc7ecS7bmWQb7Z+9B4pSMK9m5Tk90a8YWuGhOxhzxC65M6
+gCUEFknSRvXJ65uncwa8nQ6LkfNLx2cXfY0/b+XZQuJbsAhxbzcMCo8MhHlEn/Pv
+YVzVv6JHJMyTXGsXm6F3poSJ4U1tww18dL3IoWTf76fbeppeN4YZfaO8jui6pyrW
+T2/etLyelXH/y9iDX2nraE0sopbYzdTsfyYmiSfOoapB3HRcS6vstl4dShnU/pEf
+KKBjDH+kfnNop2/H5h4lb2tolajjgY70ppOSIU3FZ/asHGffXuoj6ut5ki7mdXBG
+zY0Qq2BpATzMrotJVNqKsw95/h2WBkSv1+ODwhobGcIr87QgXa2391u/lTSbslob
+nllesc0KIoVIUpNaVM7WeWLNQa8/8znbeDYX2KjPUZAFo3+eaqsDWKv+LRVZoBpa
+lfOt1vAswc0UAwIrxWN2A45q5ICKb+kixsOW7tVFowP2pEg+4dM=
+=M+9N
+-----END PGP SIGNATURE-----

ImageMagick-configuration-SUSE.patch

@@ -1,7 +1,5 @@
-Index: ImageMagick-7.1.1-30/config/policy-secure.xml
-===================================================================
---- ImageMagick-7.1.1-30.orig/config/policy-secure.xml
-+++ ImageMagick-7.1.1-30/config/policy-secure.xml
+--- ImageMagick-7.1.1-30/config/policy.xml
++++ ImageMagick-7.1.1-30/config/policy.xml
 @@ -62,7 +62,7 @@
    <policy domain="resource" name="disk" value="1GiB"/>
    <!-- Set the maximum length of an image sequence.  When this limit is
@@ -11,26 +9,39 @@ Index: ImageMagick-7.1.1-30/config/policy-secure.xml
    <!-- Set the maximum width of an image.  When this limit is exceeded, an
         exception is thrown. -->
    <policy domain="resource" name="width" value="8KP"/>
-@@ -83,17 +83,19 @@
+@@ -83,11 +83,11 @@
    <!-- Replace passphrase for secure distributed processing -->
    <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
    <!-- Do not permit any delegates to execute. -->
 -  <policy domain="delegate" rights="none" pattern="*"/>
-+  <!--policy domain="delegate" rights="none" pattern="*"/-->
++  <!--policy domain="delegate" rights="none" pattern="*"/ -->
    <!-- Do not permit any image filters to load. -->
    <policy domain="filter" rights="none" pattern="*"/>
    <!-- Don't read/write from/to stdin/stdout. -->
 -  <policy domain="path" rights="none" pattern="-"/>
-+  <!--policy domain="path" rights="none" pattern="-"/-->
++  <!--policy domain="path" rights="none" pattern="-"/ -->
    <!-- don't read sensitive paths. -->
    <policy domain="path" rights="none" pattern="/etc/*"/>
    <!-- Indirect reads are not permitted. -->
-   <policy domain="path" rights="none" pattern="@*"/>
-+  <!-- These image types can expose risks on read and write -->
-+  <policy domain="module" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
-   <!-- These image types are security risks on read, but write is fine -->
--  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
-+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS,PDF,EPI,EPS,PCL,PS1,PS2,PS3}"/>
-   <!-- This policy sets the number of times to replace content of certain
-        memory buffers and temporary files before they are freed or deleted. -->
-   <policy domain="system" name="shred" value="1"/>
+@@ -103,4 +103,20 @@
+   <!-- Set the maximum amount of memory in bytes that are permitted for
+        allocation requests. -->
+   <policy domain="system" name="max-memory-request" value="256MiB"/>
++  <!-- Disable insecure coders by default -->
++  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
++  <policy domain="coder" rights="none" pattern="URL" />
++  <policy domain="coder" rights="none" pattern="HTTPS" />
++  <policy domain="coder" rights="none" pattern="MVG" />
++  <policy domain="coder" rights="none" pattern="MSL" />
++  <policy domain="coder" rights="none" pattern="TEXT" />
++  <policy domain="coder" rights="none" pattern="SHOW" />
++  <policy domain="coder" rights="none" pattern="WIN" />
++  <policy domain="coder" rights="none" pattern="PLT" />
++  <policy domain="coder" rights="write" pattern="PS" />
++  <policy domain="coder" rights="write" pattern="PS2" />
++  <policy domain="coder" rights="write" pattern="PS3" />
++  <policy domain="coder" rights="write" pattern="PDF" />
++  <policy domain="coder" rights="write" pattern="XPS" />
++  <policy domain="coder" rights="write" pattern="PCL" />
+ </policymap>
+

ImageMagick-filter.t-disable-Contrast.patch

@@ -1,12 +0,0 @@
---- a/PerlMagick/t/filter.t.orig	2021-10-04 14:07:03.016458903 +0000
-+++ b/PerlMagick/t/filter.t	2021-10-04 14:08:31.717025766 +0000
-@@ -57,7 +57,7 @@ testFilterCompare('input.miff', "fuzz=>$
- testFilterCompare('input.miff', "fuzz=>$fuzz", 'reference/filter/Colorize.miff', 'Colorize', q/fill=>"red", blend=>"50%"/, 0.00001, 0.004);
- ++$test;
- 
--testFilterCompare('input.miff',  q//, 'reference/filter/Contrast.miff', 'Contrast', q//, 0.00001, 0.004);
-+testFilterCompare('input.miff',  q//, 'reference/filter/Contrast.miff', 'Contrast', q//, 0.0002, 0.4);
- ++$test;
- 
- testFilterCompare('input.miff',  q//, 'reference/filter/Convolve.miff', 'Convolve', q/[0.0625, 0.0625, 0.0625, 0.0625, 0.5, 0.0625, 0.0625, 0.0625, 0.0625]/, 0.1, 0.7);
-

ImageMagick-library-installable-in-parallel.patch

@@ -1,8 +1,8 @@
-Index: ImageMagick-7.1.1-31/configure
+Index: ImageMagick-7.1.2-1/configure
 ===================================================================
---- ImageMagick-7.1.1-31.orig/configure
-+++ ImageMagick-7.1.1-31/configure
-@@ -35015,7 +35015,9 @@ fi
+--- ImageMagick-7.1.2-1.orig/configure
++++ ImageMagick-7.1.2-1/configure
+@@ -37231,7 +37231,9 @@ fi
  
  
  # Subdirectory to place architecture-dependent configuration files

ImageMagick.changes

@@ -1,3 +1,207 @@
+-------------------------------------------------------------------
+Mon Aug 25 20:23:06 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.2.2
+  * Fix infinite loop when decoding JXL with -limit height/width by
+    @Elvyria in #8303
+  * Bump actions/checkout from 4 to 5 by @dependabot[bot] in #8304
+  * cache.c: Fix unused function warning by @Dave-Allured in #8309
+- fixes
+    CVE-2025-55298 [bsc#1248780]
+    CVE-2025-57803 [bsc#1248784]
+    CVE-2025-55212 [bsc#1248767]
+
+-------------------------------------------------------------------
+Wed Aug 20 09:11:08 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.1
+  * Add support for Simple File Format Family (SF3) images by @Shinmera in #8243
+  * Fix validation issues in SF3 by @Shinmera in #8252
+  * Fix compressed exr reading by @Hadsen in #8285
+  * Use OpenMP in ashlar by @yerlotic in #8288
+  * Bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #8296
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch
+- removed patches
+  - ImageMagick-filename-placeholder-regression-1.patch (upstreamed)
+  - ImageMagick-filename-placeholder-regression-2.patch (upstreamed)
+  - ImageMagick-filename-placeholder-regression-3.patch (upstreamed)
+- fixes
+   CVE-2025-55160 [bsc#1248079], CVE-2025-55004 [bsc#1248076]
+   CVE-2025-55154 [bsc#1248078], CVE-2025-55005 [bsc#1248077]
+
+-------------------------------------------------------------------
+Tue Aug  5 10:55:19 UTC 2025 - pgajdos@suse.com
+
+- added patches [bsc#1247475]
+  + ImageMagick-filename-placeholder-regression-1.patch
+  + ImageMagick-filename-placeholder-regression-2.patch
+  + ImageMagick-filename-placeholder-regression-3.patch
+
+-------------------------------------------------------------------
+Tue Jul 15 11:36:19 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.2.0
+  * magick-config.h: Remove redundant block by @ferdnyc in #8076
+  * Remove generated 'magick.sh' from repo by @ferdnyc in #8075
+  * JXL: Preserve ICC profile for lossless encoding by @ferdnyc in #8074
+  * Support ICN file extension for old Windows icons by @bitplane in #8107
+  * fix build when libjpeg is not in its default location by @mmomtchev in #8172
+  * Change 'Mac OS X' to 'macOS' in descriptions and comments by @gy-mate in #8224
+  * Fix NULL pointer dereference in XWarning by @moon044 in #8230
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch (refreshed)
+- fixes: CVE-2025-53101 [bsc#1246529]
+         CVE-2025-53014 [bsc#1246530]
+         CVE-2025-53015 [bsc#1246531]
+         CVE-2025-53019 [bsc#1246534]
+
+-------------------------------------------------------------------
+Mon May 26 09:10:06 UTC 2025 - pgajdos@suse.com
+
+- fix config policies [bsc#1243622]
+- modified patches
+  % ImageMagick-configuration-SUSE.patch (refreshed)
+
+-------------------------------------------------------------------
+Thu May 15 20:20:16 UTC 2025 - pgajdos@suse.com
+
+- drop update-alternatives usage, configuration alternative packages
+  now conflict
+- modified patches
+  % ImageMagick-configuration-SUSE.patch (refreshed)
+- added sources
+  + _multibuild
+- remove ImageMagick-filter.t-disable-Contrast.patch needed for i586
+  testing
+
+-------------------------------------------------------------------
+Tue Apr  1 11:44:59 UTC 2025 - pgajdos@suse.com
+
+- version update to 7.1.1.47
+  * try pngalpha if png16malpha not available by @remicollet in #8034
+  * Fix statistic.c GetImageRange initializer by @mtasaka in #8010
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch (refreshed)
+
+-------------------------------------------------------------------
+Sun Feb 23 20:52:21 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.1.44
+  * Bump azure/trusted-signing-action from 0.5.0 to 0.5.1 in #7895
+  * Enable any dither method such as Floyd-Steinberg for Magick::Image::map()
+    in #7937
+  * Magick++ Documentation Verification in #7906
+  * fix type casting in statistic.c in #7982
+- removed patched (upstreamed)
+  - ImageMagick-0-1-are-special-cases-for-pow.patch
+  - ImageMagick-check-for-pow-zero.patch
+  - ImageMagick-gamma-should-call-GammaImage.patch
+
+-------------------------------------------------------------------
+Mon Jan 20 13:34:51 UTC 2025 - pgajdos@suse.com
+
+- fix [bsc#1235113]:
+  https://github.com/ImageMagick/Usage/issues/8
+  https://github.com/ImageMagick/Usage/issues/9
+- added patches
+  fix https://github.com/ImageMagick/ImageMagick/commit/be3b73da674520ad3eab52ade2a3cda62af66d15
+  + ImageMagick-0-1-are-special-cases-for-pow.patch
+  fix https://github.com/ImageMagick/ImageMagick/commit/1afa38ae2fa87cf4eb48040e47d410aa729ce21e
+  + ImageMagick-check-for-pow-zero.patch
+  fix https://github.com/ImageMagick/ImageMagick/commit/056ccdbeac41c9b24b625e0139cd25a4cdffb22a
+  + ImageMagick-gamma-should-call-GammaImage.patch
+
+-------------------------------------------------------------------
+Mon Dec 23 14:47:14 UTC 2024 - pgajdos@suse.com
+
+- version update to 7.1.1.43
+  * no upstream changelog found
+
+-------------------------------------------------------------------
+Sun Nov 17 10:27:30 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.1.41
+  * Fix compiler identification with Clang on Darwin in #7773
+  * revert map changes breaking ABI in #7768
+
+-------------------------------------------------------------------
+Mon Nov 11 19:59:52 UTC 2024 - Yann BOYER <yann.boyer742@gmail.com>
+
+- version update to 7.1.1.40
+  * .cut (Dr Halo) reading when run count in header #7734
+  * Bump azure/trusted-signing-action from 0.4.0 to 0.5.0 #7725
+  * Implement Magic Kernel Sharp 2013 and 2021 #7701
+  * don't process TIFF image if there is an exception
+  * Corrected check for indexed channels in PSD files.
+  * export exception when undo resource limit exceeded
+
+-------------------------------------------------------------------
+Sun Oct  6 20:27:31 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 7.1.1.39
+  * Add missing Threshold command to command array of Region of Interest mode #7606
+  * uhdr.c: update uhdr coder for gainmap metadata configuration #7635
+  * uhdr: fix language choice in autoconf #7663
+
+-------------------------------------------------------------------
+Fri Sep 13 15:38:48 UTC 2024 - pgajdos@suse.com
+
+- version update to 7.1.1.38
+  * properly set image byte order 40f6599
+  * set max colormap size for remap 1ffe565
+  * beta release 250b748
+  * deprecate the -respect-paranthesis option 4e7d789
+  * Build fixes. b80c509
+  * save IPTC + ICC profiles are profiles, not properties 25d5335
+  * update copyright year 4caf7d1
+  * Patch to fix reading of the ICC profile. 18377f9
+  * prepping framework to interact with X11 clipboard b20dda3
+  * Build fix. 20a5af3
+  * More build fixes. c36fdf0
+  * Another attempt to silence the warnings. 600708c
+  * Use SetImageProfilePrivate to avoid duplicate allocations. f246eab
+  * support clipboard delegate 39a135a
+  * restore clipboard.c 1070b17
+  * improved rounding 27a0a9c
+  * don't allow negative scenes 8fda05a
+  * eliminate compiler warnings 878daf9
+- modified patches
+  % ImageMagick-library-installable-in-parallel.patch (refreshed)
+
+-------------------------------------------------------------------
+Tue Aug 27 08:21:42 UTC 2024 - pgajdos@suse.com
+
+- version update to 7.1.1.37
+  * Bump azure/trusted-signing-action from 0.3.20 to 0.4.0 #7518
+  * Silence warning and fix HEIC_COMPUTE_NUMERIC_VERSION definition when heic delegate is disabled. #7516
+  * protect macro arguments with parens 86cb2b1
+  * eliminate compiler warnings d90d8b4
+  * correct copyright year 115271e
+  * Ignore multiple exif and xmp profiles for the same jxl frame and fix reading those profiles per frame. c301208
+  * read/write in chunks fff3058
+  * optimize fwrite() arguments ada6785
+  * Renamed Output folder to Artifacts. 2a69677
+  * cancel interactive window selection with right button press ea2a2db
+  * cosmetic 712bde4
+  * eliminate compiler warning 9a9a25c
+  * eliminate compiler warning 0bd1687
+  * Make images mandatory in the issue template. c01fd37
+  * Added extra header detection for avif files. 9fc0590
+  * allow SeekBlob() to set an offset beyond the end of the blob 27c3f99
+  * be less forgiving for invalid image indexes 25db2e5
+  * Fixed problem with empty macros (#7562) 9fda5f2
+  * Added missing null checks for RequestOpenCLDevice. f85448e
+  * Added missing null check for AcquireOpenCLCommandQueue. 295e9c8
+  * persist app1 jpeg profile (ImageMagick/ImageMagick#4713) f0357c7
+  * Fixed build error. b3dd431
+  * Remove some of the dependencies for the macos-13 build. d0bce95
+  * parentheses is the plural of parenthesis 1fac80a
+  * distribute quantization error for -dither FloydSteinberg -depth 5b2825b
+  * release 8a0da9f
+  * properly set image byte order 40f6599
+  * set max colormap size for remap 1ffe565
+
 -------------------------------------------------------------------
 Sat Aug  3 18:26:29 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
 

ImageMagick.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ImageMagick
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,23 +16,25 @@
 #
 
 
+%global flavor          @BUILD_FLAVOR@%{nil}
+
 %define debug_build    0
 %define asan_build     0
-%define maj            7
-%define mfr_version    %{maj}.1.1
-%define mfr_revision   36
+%define mfr_version    7.1.2
+%define mfr_revision   2
 %define quantum_depth  16
 %define source_version %{mfr_version}-%{mfr_revision}
 %define clibver        10
 %define cwandver       10
 %define cxxlibver      5
-%define libspec        -%{maj}_Q%{quantum_depth}HDRI
-%define config_dir     ImageMagick-7
+%define libspec        -7_Q%{quantum_depth}HDRI
+%define config_dir     IM-7
 %define test_verbose   1
-# bsc#1088463
+# bsc#1088463, https://github.com/ImageMagick/ImageMagick/issues/8261
 %define urw_base35_fonts 0
 # do/don't pull djvulibre dependency
 %bcond_without djvu
+
 Name:           ImageMagick
 Version:        %{mfr_version}.%{mfr_revision}
 Release:        0
@@ -40,21 +42,15 @@ Summary:        Viewer and Converter for Images
 License:        ImageMagick
 Group:          Productivity/Graphics/Other
 URL:            https://imagemagick.org/
-Source0:        https://imagemagick.org/archive/releases/ImageMagick-%{mfr_version}-%{mfr_revision}.tar.xz
+Source0:        https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz
 Source1:        baselibs.conf
-Source2:        https://imagemagick.org/archive/releases/ImageMagick-%{mfr_version}-%{mfr_revision}.tar.xz.asc
+Source2:        https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz.asc
 Source3:        ImageMagick.keyring
 # suse specific patches
 Patch0:         ImageMagick-configuration-SUSE.patch
 Patch2:         ImageMagick-library-installable-in-parallel.patch
-#%%ifarch i586
-#%%if %%{?suse_version} < 1550
-Patch4:         ImageMagick-filter.t-disable-Contrast.patch
-#%%endif
-#%%endif
-#%%ifarch s390x
 Patch5:         ImageMagick-s390x-disable-tests.patch
-#%%endif
+
 BuildRequires:  chrpath
 BuildRequires:  dejavu-fonts
 BuildRequires:  fdupes
@@ -98,104 +94,6 @@ BuildRequires:  ghostscript-fonts-other
 BuildRequires:  ghostscript-fonts-std
 %endif
 
-%package -n perl-PerlMagick
-Summary:        Perl interface for ImageMagick
-Group:          Development/Libraries/Perl
-Requires:       ImageMagick = %{version}
-Requires:       libMagickCore%{libspec}%{clibver} = %{version}
-Requires:       perl = %{perl_version}
-
-%package devel
-Summary:        Development files for ImageMagick's C interface
-Group:          Development/Libraries/C and C++
-Requires:       ImageMagick = %{version}
-Requires:       glibc-devel
-Requires:       libMagickCore%{libspec}%{clibver} = %{version}
-Requires:       libMagickWand%{libspec}%{cwandver} = %{version}
-# bnc#741947:
-Requires:       pkgconfig(bzip2)
-%if !%{debug_build}
-%package extra
-Summary:        Extra codecs for the ImageMagick image viewer/converter
-Group:          Productivity/Graphics/Other
-Requires:       ImageMagick = %{version}
-Requires:       libMagickCore%{libspec}%{clibver} = %{version}
-Recommends:     autotrace
-Recommends:     dcraw
-Recommends:     hp2xx
-Recommends:     libwmf
-Recommends:     netpbm
-Recommends:     transfig
-%endif
-
-%package -n libMagickCore%{libspec}%{clibver}
-Summary:        C runtime library for ImageMagick
-Group:          Productivity/Graphics/Other
-Requires:       imagick-config-7
-Recommends:     ImageMagick-config-7-SUSE
-Recommends:     ghostscript
-Suggests:       ImageMagick-extra = %{version}
-Recommends:     ImageMagick
-
-%package -n libMagickWand%{libspec}%{cwandver}
-Summary:        C runtime library for ImageMagick
-Group:          Productivity/Graphics/Other
-Recommends:     ImageMagick
-
-%package -n libMagick++%{libspec}%{cxxlibver}
-Summary:        C++ interface runtime library for ImageMagick
-Group:          Development/Libraries/C and C++
-Recommends:     ImageMagick
-
-%package -n libMagick++-devel
-Summary:        Development files for ImageMagick's C++ interface
-Group:          Development/Libraries/C and C++
-Requires:       libMagick++%{libspec}%{cxxlibver} = %{version}
-Requires:       libstdc++-devel
-Requires:       pkgconfig(ImageMagick) = %{mfr_version}
-
-%package doc
-Summary:        Document Files for ImageMagick Library
-Group:          Documentation/HTML
-BuildArch:      noarch
-
-%package config-7-upstream-open
-Summary:        Open ImageMagick Security Policy
-Group:          Development/Libraries/C and C++
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-Provides:       imagick-config-7
-Obsoletes:      config-7-upstream < %{version}
-Provides:       config-7-upstream = %{version}
-
-%package config-7-upstream-limited
-Summary:        Limited ImageMagick Security Policy
-Group:          Development/Libraries/C and C++
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-Provides:       imagick-config-7
-
-%package config-7-upstream-secure
-Summary:        Secure ImageMagick Security Policy
-Group:          Development/Libraries/C and C++
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-Provides:       imagick-config-7
-
-%package config-7-upstream-websafe
-Summary:        Web-safe ImageMagick Security Policy
-Group:          Development/Libraries/C and C++
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-Provides:       imagick-config-7
-
-%package config-7-SUSE
-Summary:        SUSE Provided Configuration
-Group:          Development/Libraries/C and C++
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-Provides:       imagick-config-7
-
 %description
 ImageMagick is a robust collection of tools and libraries to read,
 write, and manipulate an image in many image formats, including popular
@@ -207,6 +105,31 @@ different image formats. Image processing operations are available from
 the command line as well as through C, C++, and Perl-based programming
 interfaces.
 
+# BEGIN NIL FLAVOR
+%if "%{flavor}" == ""
+
+%package -n perl-PerlMagick
+Summary:        Perl interface for ImageMagick
+Group:          Development/Libraries/Perl
+Requires:       ImageMagick = %{version}
+Requires:       libMagickCore%{libspec}%{clibver} = %{version}
+Requires:       perl = %{perl_version}
+
+%description -n perl-PerlMagick
+PerlMagick is an objected-oriented Perl interface to ImageMagick. Use
+the module to read, manipulate, or write an image or image sequence
+from within a Perl script. This makes it suitable for Web CGI scripts.
+
+%package devel
+Summary:        Development files for ImageMagick's C interface
+Group:          Development/Libraries/C and C++
+Requires:       ImageMagick = %{version}
+Requires:       glibc-devel
+Requires:       libMagickCore%{libspec}%{clibver} = %{version}
+Requires:       libMagickWand%{libspec}%{cwandver} = %{version}
+# bnc#741947:
+Requires:       pkgconfig(bzip2)
+
 %description devel
 ImageMagick is a robust collection of tools and libraries to read,
 write, and manipulate an image in many image formats, including popular
@@ -219,21 +142,32 @@ the command line as well as through C, C++, and Perl-based programming
 interfaces.
 
 %if !%{debug_build}
+%package extra
+Summary:        Extra codecs for the ImageMagick image viewer/converter
+Group:          Productivity/Graphics/Other
+Requires:       ImageMagick = %{version}
+Requires:       libMagickCore%{libspec}%{clibver} = %{version}
+Recommends:     autotrace
+Recommends:     dcraw
+Recommends:     hp2xx
+Recommends:     libwmf
+Recommends:     netpbm
+Recommends:     transfig
+
 %description extra
 This package adds support for djvu, wmf and jpeg2000 formats and
 installs optional helper applications.
-
-ImageMagick is a robust collection of tools and libraries to read,
-write, and manipulate an image in many image formats, including popular
-formats like TIFF, JPEG, PNG, PDF, PhotoCD, and GIF. With ImageMagick,
-you can create images dynamically, making it suitable for Web
-applications. You can also resize, rotate, sharpen, color-reduce, or
-add special effects to an image and save your completed work in many
-different image formats. Image processing operations are available from
-the command line as well as through C, C++, and Perl-based programming
-interfaces.
 %endif
 
+%package -n libMagickCore%{libspec}%{clibver}
+Summary:        C runtime library for ImageMagick
+Group:          Productivity/Graphics/Other
+Requires:       imagick-config-7
+Recommends:     ImageMagick-config-7-SUSE
+Recommends:     ghostscript
+Suggests:       ImageMagick-extra = %{version}
+Recommends:     ImageMagick
+
 %description -n libMagickCore%{libspec}%{clibver}
 ImageMagick is a robust collection of tools and libraries to read,
 write, and manipulate an image in many image formats, including popular
@@ -245,6 +179,11 @@ different image formats. Image processing operations are available from
 the command line as well as through C, C++, and Perl-based programming
 interfaces.
 
+%package -n libMagickWand%{libspec}%{cwandver}
+Summary:        C runtime library for ImageMagick
+Group:          Productivity/Graphics/Other
+Recommends:     ImageMagick
+
 %description -n libMagickWand%{libspec}%{cwandver}
 ImageMagick is a robust collection of tools and libraries to read,
 write, and manipulate an image in many image formats, including popular
@@ -256,10 +195,10 @@ different image formats. Image processing operations are available from
 the command line as well as through C, C++, and Perl-based programming
 interfaces.
 
-%description -n perl-PerlMagick
-PerlMagick is an objected-oriented Perl interface to ImageMagick. Use
-the module to read, manipulate, or write an image or image sequence
-from within a Perl script. This makes it suitable for Web CGI scripts.
+%package -n libMagick++%{libspec}%{cxxlibver}
+Summary:        C++ interface runtime library for ImageMagick
+Group:          Development/Libraries/C and C++
+Recommends:     ImageMagick
 
 %description -n libMagick++%{libspec}%{cxxlibver}
 This is Magick++, the object-oriented C++ API for the ImageMagick
@@ -276,6 +215,13 @@ De-referenced copies are automatically deleted. The image objects
 support value (rather than pointer) semantics so it is trivial to
 support multiple generations of an image in memory at one time.
 
+%package -n libMagick++-devel
+Summary:        Development files for ImageMagick's C++ interface
+Group:          Development/Libraries/C and C++
+Requires:       libMagick++%{libspec}%{cxxlibver} = %{version}
+Requires:       libstdc++-devel
+Requires:       pkgconfig(ImageMagick) = %{mfr_version}
+
 %description -n libMagick++-devel
 This is Magick++, the object-oriented C++ API for the ImageMagick
 image-processing library.
@@ -291,68 +237,28 @@ De-referenced copies are automatically deleted. The image objects
 support value (rather than pointer) semantics so it is trivial to
 support multiple generations of an image in memory at one time.
 
+%package doc
+Summary:        Document Files for ImageMagick Library
+Group:          Documentation/HTML
+BuildArch:      noarch
+
 %description doc
 HTML documentation for ImageMagick library and scene examples.
 
-%description config-7-upstream-open
-This policy is designed for usage in secure settings like those
-protected by firewalls or within Docker containers. Within this framework,
-ImageMagick enjoys broad access to resources and functionalities. This policy
-provides convenient and adaptable options for image manipulation. However,
-it's important to note that it might present security vulnerabilities in
-less regulated conditions. Thus, organizations should thoroughly assess
-the appropriateness of the open policy according to their particular use
-case and security prerequisites.
-
-%description config-7-upstream-limited
-The primary objective of the limited security policy is to find a
-middle ground between convenience and security. This policy involves the
-deactivation of potentially hazardous functionalities, like specific coders
-such as SVG or HTTP. Furthermore, it establishes several constraints on
-the utilization of resources like memory, storage, and processing duration,
-all of which are adjustable. This policy proves advantageous in situations
-where there's a need to mitigate the potential threat of handling possibly
-malicious or demanding images, all while retaining essential capabilities
-for prevalent image formats.
-
-%description config-7-upstream-secure
-This stringent security policy prioritizes the implementation of
-rigorous controls and restricted resource utilization to establish a
-profoundly secure setting while employing ImageMagick. It deactivates
-conceivably hazardous functionalities, including specific coders like
-SVG or HTTP. The policy promotes the tailoring of security measures to
-harmonize with the requirements of the local environment and the guidelines
-of the organization. This protocol encompasses explicit particulars like
-limitations on memory consumption, sanctioned pathways for reading and
-writing, confines on image sequences, the utmost permissible duration of
-workflows, allocation of disk space intended for image data, and even an
-undisclosed passphrase for remote connections. By adopting this robust
-policy, entities can elevate their overall security stance and alleviate
-potential vulnerabilities.
-
-%description config-7-upstream-websafe
-This security protocol designed for web-safe usage focuses on situations
-where ImageMagick is applied in publicly accessible contexts, like websites.
-It deactivates the capability to read from or write to any image formats
-other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
-policy prohibits the execution of image filters and indirect reads, thereby
-thwarting potential security breaches. By implementing these limitations,
-the web-safe policy fortifies the safeguarding of systems accessible to
-the public, reducing the risk of exploiting ImageMagick's capabilities
-for potential attacks.
+%package config-7-SUSE
+Summary:        SUSE Provided Configuration
+Group:          Development/Libraries/C and C++
+Provides:       imagick-config-7
+Conflicts:      imagick-config-7
+BuildArch:      noarch
 
 %description config-7-SUSE
-ImageMagick configuration as provide by SUSE. It is upstream 'secure'
+ImageMagick configuration as provided by SUSE. It is upstream 'secure'
 policy plus disable few other coders for reading and/or writing.
 
 %prep
 %setup -q -n ImageMagick-%{source_version}
 %patch -P 2 -p1
-%ifarch i586
-%if %{?suse_version} < 1550
-%patch -P 4 -p1
-%endif
-%endif
 %ifarch s390x
 %patch -P 5 -p1
 %endif
@@ -371,6 +277,7 @@ export SHAREARCH_DIRNAME="config%{libspec}%{clibver}"
 export CFLAGS="%{optflags} -O0"
 export CXXFLAGS="%{optflags} -O0"
 %endif
+export CONFIGURE_RELATIVE_PATH=%{config_dir}
 %configure \
   --disable-silent-rules \
   --enable-shared \
@@ -406,8 +313,8 @@ export CXXFLAGS="%{optflags} -O0"
   --without-gcc-arch \
   --enable-pipes=no \
   --enable-reproducible-build=yes \
-  --disable-openmp \
-  --with-security-policy=open # open for %%check
+  --disable-openmp
+
 %if %{asan_build}
 sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
        -e 's/\(^LIBS =.*\)/\1 -lasan/' \
@@ -426,18 +333,19 @@ chmod -x PerlMagick/demo/*.pl
 exit 0
 
 %check
+%ifarch i586
+# do not report test issues related to 32-bit architectures upstream,
+# they do not want to dedicate any time to fix them:
+# https://github.com/ImageMagick/ImageMagick/issues/1215
+exit 0
+%endif
 %if %{debug_build} || %{asan_build}
 # testsuite does not succeed for some reason
 # research TODO
 exit 0
 %endif
-%ifarch i586
-# do not report test issues related to 32-bit architectures upstream,
-# they do not want to dedicate any time to fix them:
-# https://github.com/ImageMagick/ImageMagick/issues/1215
-rm PerlMagick/t/montage.t
-sed -i -e 's:averageImages ::' -e 's:1..13:1..12:' Magick++/tests/tests.tap
-%endif
+# ensure we do not block any coder by security policy
+cp config/policy-open.xml config/policy.xml
 %make_build check
 export MAGICK_CODER_MODULE_PATH=$PWD/coders/.libs
 export MAGICK_CODER_FILTER_PATH=$PWD/filters/.libs
@@ -450,26 +358,18 @@ sed -i 's:TEST_VERBOSE=0:TEST_VERBOSE=1:' Makefile
 cd ..
 
 %install
-%make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-%{maj}/
-# configuration magic
-mv -t %{buildroot}%{_sysconfdir}/ImageMagick* %{buildroot}%{_datadir}/ImageMagick*/*.xml
-for policy in open limited secure websafe; do
-  cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream-$policy}
-  cp config/policy-$policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}-upstream-$policy
-done
-mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-SUSE}
-cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE
-patch --fuzz=0 --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0}
-mkdir -p  %{buildroot}%{_sysconfdir}/alternatives/
-ln -sf %{_sysconfdir}/alternatives/%{config_dir} %{buildroot}%{_sysconfdir}/%{config_dir}
+%make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-7/
+# default policy (SUSE)
+cp config/policy-secure.xml config/policy.xml
+patch --fuzz=0 -p1 < %{PATCH0}
+cp config/policy.xml %{buildroot}%{_sysconfdir}/%{config_dir}
 # symlink header file relative to /usr/include/ImageMagick-7/
 # so that inclusions like wand/*.h and magick/*.h work
-ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-%{maj}/magick
-ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-%{maj}/wand
+ln -s ./MagickCore %{buildroot}%{_includedir}/ImageMagick-7/magick
+ln -s ./MagickWand %{buildroot}%{_includedir}/ImageMagick-7/wand
 # these will be included via %%doc
-rm -r %{buildroot}%{_datadir}/doc/ImageMagick-%{maj}/
+rm -r %{buildroot}%{_datadir}/doc/ImageMagick-7/
 rm %{buildroot}%{_libdir}/*.la
-rm -r %{buildroot}/usr/lib/perl5/*linux-thread-multi*/
 # remove RPATH from perl module
 perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so')
 chmod 755 $perl_module
@@ -478,8 +378,8 @@ chmod 555 $perl_module
 # remove %%{buildroot} from distributed file
 sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/config%{libspec}%{clibver}/configure.xml
 #remove duplicates
-%fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-%{maj}
-%fdupes -s %{buildroot}%{_includedir}/ImageMagick-%{maj}
+%fdupes -s %{buildroot}%{_defaultdocdir}/ImageMagick-7
+%fdupes -s %{buildroot}%{_includedir}/ImageMagick-7
 %fdupes -s %{buildroot}%{_libdir}/pkgconfig
 %perl_process_packlist
 
@@ -490,96 +390,14 @@ sed -i 's:%{buildroot}::' %{buildroot}/%{_libdir}/ImageMagick-%{mfr_version}/con
 %post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
 %postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig
 
-%pretrans config-7-upstream-open -p <lua>
--- this %pretrans to be removed soon [bug#1122033#c37]
-path = "%{_sysconfdir}/%{config_dir}"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  os.remove(path .. ".rpmmoved")
-  os.rename(path, path .. ".rpmmoved")
-end
-
-%pretrans config-7-upstream-limited -p <lua>
--- this %pretrans to be removed soon [bug#1122033#c37]
-path = "%{_sysconfdir}/%{config_dir}"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  os.remove(path .. ".rpmmoved")
-  os.rename(path, path .. ".rpmmoved")
-end
-
-%pretrans config-7-upstream-secure -p <lua>
--- this %pretrans to be removed soon [bug#1122033#c37]
-path = "%{_sysconfdir}/%{config_dir}"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  os.remove(path .. ".rpmmoved")
-  os.rename(path, path .. ".rpmmoved")
-end
-
-%pretrans config-7-SUSE -p <lua>
--- this %pretrans to be removed soon [bug#1122033#c37]
-path = "%{_sysconfdir}/%{config_dir}"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  os.remove(path .. ".rpmmoved")
-  os.rename(path, path .. ".rpmmoved")
-end
-
-%pretrans config-7-upstream-websafe -p <lua>
--- this %pretrans to be removed soon [bug#1122033#c37]
-path = "%{_sysconfdir}/%{config_dir}"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  os.remove(path .. ".rpmmoved")
-  os.rename(path, path .. ".rpmmoved")
-end
-
-%post config-7-upstream-open
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-open  1
-
-%postun config-7-upstream-open
-if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream
-fi
-
-%post config-7-upstream-limited
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-limited  5
-
-%postun config-7-upstream-limited
-if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-limited
-fi
-
-%post config-7-upstream-secure
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-secure  10
-
-%postun config-7-upstream-secure
-if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-secure
-fi
-
-%post config-7-SUSE
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-SUSE      15
-
-%postun config-7-SUSE
-if [ ! -d %{_sysconfdir}/%{config_dir}-SUSE ] ; then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-SUSE
-fi
-
-%post config-7-upstream-websafe
-%{_sbindir}/update-alternatives --quiet --install %{_sysconfdir}/%{config_dir}  %{config_dir}   %{_sysconfdir}/%{config_dir}-upstream-websafe  20
-
-%postun config-7-upstream-websafe
-if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then
-    %{_sbindir}/update-alternatives --quiet --remove %{config_dir}  %{_sysconfdir}/%{config_dir}-upstream-websafe
-fi
-
 %files
 %license LICENSE
 %{_bindir}/[^MW]*
 %{_mandir}/man1/*
 %exclude %{_mandir}/man1/*-config.1%{ext_man}
+%{_datadir}/ImageMagick-7
+%{_sysconfdir}/%{config_dir}
+%exclude %{_sysconfdir}/%{config_dir}/policy.xml
 
 %files -n libMagickCore%{libspec}%{clibver}
 %license LICENSE
@@ -651,36 +469,149 @@ fi
 %{_mandir}/man1/Magick++-config.1%{?ext_man}
 
 %files doc
-%{_defaultdocdir}/ImageMagick-%{maj}
-
-%files config-7-upstream-open
-%dir %{_sysconfdir}/ImageMagick*-upstream-open/
-%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-open/*
-%{_sysconfdir}/%{config_dir}
-%ghost %{_sysconfdir}/alternatives/%{config_dir}
-
-%files config-7-upstream-limited
-%dir %{_sysconfdir}/ImageMagick*-upstream-limited/
-%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-limited/*
-%{_sysconfdir}/%{config_dir}
-%ghost %{_sysconfdir}/alternatives/%{config_dir}
-
-%files config-7-upstream-secure
-%dir %{_sysconfdir}/ImageMagick*-upstream-secure/
-%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-secure/*
-%{_sysconfdir}/%{config_dir}
-%ghost %{_sysconfdir}/alternatives/%{config_dir}
+%{_defaultdocdir}/ImageMagick-7
 
 %files config-7-SUSE
-%dir %{_sysconfdir}/ImageMagick*-SUSE/
-%config %{_sysconfdir}/ImageMagick*-SUSE/*
-%{_sysconfdir}/%{config_dir}
-%ghost %{_sysconfdir}/alternatives/%{config_dir}
+%{_sysconfdir}/%{config_dir}/policy.xml
+
+%endif
+# END NIL FLAVOR
+
+%if "%{flavor}" == "config_open"
+%package config-7-upstream-open
+Summary:        Open ImageMagick Security Policy
+Group:          Development/Libraries/C and C++
+Provides:       imagick-config-7
+Obsoletes:      config-7-upstream < %{version}
+Provides:       config-7-upstream = %{version}
+Conflicts:      imagick-config-7
+BuildArch:      noarch
+
+%description config-7-upstream-open
+This policy is designed for usage in secure settings like those
+protected by firewalls or within Docker containers. Within this framework,
+ImageMagick enjoys broad access to resources and functionalities. This policy
+provides convenient and adaptable options for image manipulation. However,
+it's important to note that it might present security vulnerabilities in
+less regulated conditions. Thus, organizations should thoroughly assess
+the appropriateness of the open policy according to their particular use
+case and security prerequisites.
+
+%prep
+%setup -q -n ImageMagick-%{source_version}
+
+%build
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
+cp config/policy-open.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
+
+%files config-7-upstream-open
+%dir %{_sysconfdir}/%{config_dir}
+%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
+%endif
+
+%if "%{flavor}" == "config_limited"
+%package config-7-upstream-limited
+Summary:        Limited ImageMagick Security Policy
+Group:          Development/Libraries/C and C++
+Provides:       imagick-config-7
+Conflicts:      imagick-config-7
+BuildArch:      noarch
+
+%description config-7-upstream-limited
+The primary objective of the limited security policy is to find a
+middle ground between convenience and security. This policy involves the
+deactivation of potentially hazardous functionalities, like specific coders
+such as SVG or HTTP. Furthermore, it establishes several constraints on
+the utilization of resources like memory, storage, and processing duration,
+all of which are adjustable. This policy proves advantageous in situations
+where there's a need to mitigate the potential threat of handling possibly
+malicious or demanding images, all while retaining essential capabilities
+for prevalent image formats.
+
+%prep
+%setup -q -n ImageMagick-%{source_version}
+
+%build
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
+cp config/policy-limited.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
+
+%files config-7-upstream-limited
+%dir %{_sysconfdir}/%{config_dir}
+%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
+%endif
+
+%if "%{flavor}" == "config_secure"
+%package config-7-upstream-secure
+Summary:        Secure ImageMagick Security Policy
+Group:          Development/Libraries/C and C++
+Provides:       imagick-config-7
+Conflicts:      imagick-config-7
+BuildArch:      noarch
+
+%description config-7-upstream-secure
+This stringent security policy prioritizes the implementation of
+rigorous controls and restricted resource utilization to establish a
+profoundly secure setting while employing ImageMagick. It deactivates
+conceivably hazardous functionalities, including specific coders like
+SVG or HTTP. The policy promotes the tailoring of security measures to
+harmonize with the requirements of the local environment and the guidelines
+of the organization. This protocol encompasses explicit particulars like
+limitations on memory consumption, sanctioned pathways for reading and
+writing, confines on image sequences, the utmost permissible duration of
+workflows, allocation of disk space intended for image data, and even an
+undisclosed passphrase for remote connections. By adopting this robust
+policy, entities can elevate their overall security stance and alleviate
+potential vulnerabilities.
+
+%prep
+%setup -q -n ImageMagick-%{source_version}
+
+%build
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
+cp config/policy-secure.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
+
+%files config-7-upstream-secure
+%dir %{_sysconfdir}/%{config_dir}
+%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
+%endif
+
+%if "%{flavor}" == "config_websafe"
+%package config-7-upstream-websafe
+Summary:        Web-safe ImageMagick Security Policy
+Group:          Development/Libraries/C and C++
+Provides:       imagick-config-7
+Conflicts:      imagick-config-7
+BuildArch:      noarch
+
+%description config-7-upstream-websafe
+This security protocol designed for web-safe usage focuses on situations
+where ImageMagick is applied in publicly accessible contexts, like websites.
+It deactivates the capability to read from or write to any image formats
+other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
+policy prohibits the execution of image filters and indirect reads, thereby
+thwarting potential security breaches. By implementing these limitations,
+the web-safe policy fortifies the safeguarding of systems accessible to
+the public, reducing the risk of exploiting ImageMagick's capabilities
+for potential attacks.
+
+%prep
+%setup -q -n ImageMagick-%{source_version}
+
+%build
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/%{config_dir}/
+cp config/policy-websafe.xml %{buildroot}%{_sysconfdir}/%{config_dir}/policy.xml
 
 %files config-7-upstream-websafe
-%dir %{_sysconfdir}/ImageMagick*-upstream-websafe/
-%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream-websafe/*
-%{_sysconfdir}/%{config_dir}
-%ghost %{_sysconfdir}/alternatives/%{config_dir}
+%dir %{_sysconfdir}/%{config_dir}
+%config(noreplace) %{_sysconfdir}/%{config_dir}/policy.xml
+%endif
 
 %changelog

_multibuild

@@ -0,0 +1,6 @@
+<multibuild>
+  <package>config_open</package>
+  <package>config_limited</package>
+  <package>config_secure</package>
+  <package>config_websafe</package>
+</multibuild>