From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 8CEBA138350 for ; Fri, 24 Apr 2020 09:51:55 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B690CE0A60; Fri, 24 Apr 2020 09:51:54 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 989BBE0A60 for ; Fri, 24 Apr 2020 09:51:54 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 706F134F236 for ; Fri, 24 Apr 2020 09:51:53 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 512781EB for ; Fri, 24 Apr 2020 09:51:51 +0000 (UTC) 
From: "Thomas Deutschmann" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann" Message-ID: <1587721791.3a7675dea3b1f6267beda622d1b0d6b3e5a3f145.whissi@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: media-gfx/imagemagick/ X-VCS-Repository: repo/gentoo X-VCS-Files: media-gfx/imagemagick/imagemagick-9999.ebuild X-VCS-Directories: media-gfx/imagemagick/ X-VCS-Committer: whissi X-VCS-Committer-Name: Thomas Deutschmann X-VCS-Revision: 3a7675dea3b1f6267beda622d1b0d6b3e5a3f145 X-VCS-Branch: master Date: Fri, 24 Apr 2020 09:51:51 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 983eb1a7-ce1b-4595-a3fc-3210a874a3b5 X-Archives-Hash: a23e007e5b32e862fe5edad46e0336a2 commit: 3a7675dea3b1f6267beda622d1b0d6b3e5a3f145 Author: Thomas Deutschmann gentoo org> AuthorDate: Fri Apr 24 09:49:15 2020 +0000 Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Apr 24 09:49:51 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7675de Revert "media-gfx/imagemagick: Hardening is not needed for a long time" This reverts commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe. Signed-off-by: Thomas Deutschmann gentoo.org> media-gfx/imagemagick/imagemagick-9999.ebuild | 42 +++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/media-gfx/imagemagick/imagemagick-9999.ebuild b/media-gfx/imagemagick/imagemagick-9999.ebuild index 8f24371e266..4d2561accf7 100644 --- a/media-gfx/imagemagick/imagemagick-9999.ebuild +++ b/media-gfx/imagemagick/imagemagick-9999.ebuild 
@@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 default
+ # Apply hardening #664236
+ cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die
+ sed -i -e '/^$/ {
+ r policy-hardening.snippet
+ d
+ }' \
+ config/policy.xml || \
+ die "Failed to apply hardening of policy.xml"
+ einfo "policy.xml hardened"
+
 elibtoolize # for Darwin modules
 # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3
@@ -223,3 +233,35 @@ src_install() {
 insinto /usr/share/${PN}
 doins config/*icm
 }
+
+pkg_postinst() {
+ local _show_policy_xml_notice=
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ _show_policy_xml_notice=yes
+ else
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ if ! ver_test "${v}" -gt "7.0.8.10-r2"; then
+ # This is an upgrade
+ _show_policy_xml_notice=yes
+
+ # Show this elog only once
+ break
+ fi
+ done
+ fi
+
+ if [[ -n "${_show_policy_xml_notice}" ]]; then
+ elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
+ elog "which will prevent the usage of the following coders by default:"
+ elog ""
+ elog " - PS"
+ elog " - PS2"
+ elog " - PS3"
+ elog " - EPS"
+ elog " - PDF"
+ elog " - XPS"
+ fi
+}
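Review bot: The sed call in src_prepare cannot tell whether the snippet was actually inserted: the `/^$/` address only fires on blank lines of config/policy.xml, so an upstream reformat that drops or adds blank lines makes the hardening silently skipped (or inserted more than once) while sed still exits 0 and `einfo "policy.xml hardened"` is printed anyway. The `|| die` guards on cp and sed only cover command failure, not a non-matching address. Add an explicit post-condition after the sed, e.g. `grep -q '<MARKER-FROM-SNIPPET>' config/policy.xml || die "policy.xml hardening was not applied"`, using a string known to be present in policy-hardening.snippet; the snippet itself is not in this diff, so the marker has to be picked from files/policy-hardening.snippet.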
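Review bot: The comment `# This is an upgrade` in pkg_postinst understates the condition it sits under: the branch is taken only when a replaced version is not newer than 7.0.8.10-r2, i.e. an upgrade from a build that predates the hardened policy.xml, so `# Upgrade from a version without the hardened policy.xml (<= 7.0.8.10-r2)` would record the intent. The coder list in the elog (PS, PS2, PS3, EPS, PDF, XPS) duplicates what policy-hardening.snippet presumably disables; since the snippet is not in this diff, a `# keep in sync with files/policy-hardening.snippet` comment above the elog block would help future edits stay consistent. Because /etc/ImageMagick-7/policy.xml is under CONFIG_PROTECT on a default Portage setup, a user who kept a modified copy will not get the hardened policy until they merge the update, which the notice could mention in one extra elog line.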