pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2018Q2]: pkgsrc/graphics/ImageMagick Pullup ticket #5820 - req...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/843f31e0979e
branches:  pkgsrc-2018Q2
changeset: 408440:843f31e0979e
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Aug 25 19:29:35 2018 +0000

description:
Pullup ticket #5820 - requested by leot
graphics/ImageMagick: security fix

Revisions pulled up:
- graphics/ImageMagick/Makefile                                 1.246-1.247
- graphics/ImageMagick/Makefile.common                          1.175
- graphics/ImageMagick/distinfo                                 1.190-1.192
- graphics/ImageMagick/patches/patch-config_policy.xml          1.1-1.2

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Thu Aug 16 08:23:16 UTC 2018

   Modified Files:
        pkgsrc/graphics/ImageMagick: Makefile.common distinfo

   Log Message:
   ImageMagick: update to 7.0.8.10.

   2018-08-13  7.0.8-10 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-10, GIT revision 14646:48fba3256:20180813

   2018-08-12  7.0.8-10 Dirk Lemstra <dirk%lem.....org@localhost>
     * Added dcraw coder (dcraw:img.cr2) that can be used to force the use of the
       dcraw delegate when libraw is the default raw delegate.
     * Restored thread support for the HEIC coder.

   2018-08-08  7.0.8-10 Cristy  <quetzlzacatenango@image...>
     * ThumbnailImage function no longer reveals sensitive information (reference
       https://github.com/ImageMagick/ImageMagick/issues/1243).

   2018-08-06  7.0.8-9 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-9, GIT revision 14618:a3663c3dc:20180805.

   2018-07-24  7.0.8-9 Cristy  <quetzlzacatenango@image...>
     * XBM coder leaves the hex image data uninitialized if hex value of the
       pixel is negative.
     * More improvements to SVG text handling.
     * New -range threshold option that combines hard and soft thresholding.

   2018-07-23  7.0.8-8 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-8, GIT revision 14583:300fdbcfd:20180723.

   2018-07-20  7.0.8-8 Cristy  <quetzlzacatenango@image...>
     * Non-HDRI ScaleLongToQuantum() private method no longer adds a half interval.
     * Fixed memset() negative-size-param (reference
       https://github.com/ImageMagick/ImageMagick/issues/1217).

   2018-07-16  7.0.8-7 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-7, GIT revision 14561:f85c23180:20180716.

   2018-07-15  7.0.8-7 Cristy  <quetzlzacatenango@image...>
     * Fixed numerous use of uninitialized values, integer overflow, memory
       exceeded, and timeouts (credit to OSS Fuzz).

   2018-07-08  7.0.8-6 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-6, GIT revision 14541:db940ccd2:20180708.

   2018-07-06  7.0.8-6 Cristy  <quetzlzacatenango@image...>
     * Improve SVG support for tspan element.
     * Add support for -fx image.extent.

   2018-07-04  7.0.8-5 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-5, GIT revision 14514:bba545bbb:20180704.

   2018-07-04  7.0.8-5 Cristy  <quetzlzacatenango@image...>
     * Fixed a few potential memory leaks
       https://github.com/ImageMagick/ImageMagick/issues).

   2018-07-02  7.0.8-4 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-4, GIT revision 14505:4613eed4a:20180702.

   2018-06-28  7.0.8-4 Cristy  <quetzlzacatenango@image...>
     * Small tweaks to compile under Cygwin.
     * Fixed numerous use of uninitialized values, integer overflow, memory
       exceeded, and timeouts (credit to OSS Fuzz).
     * Support %B property, the image file size without any decorations.

   2018-06-24  7.0.8-3 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-3, GIT revision 14489:c63c504e8:20180624.

   2018-06-24  7.0.8-3 Cristy  <quetzlzacatenango@image...>
     * Apply translate component of SVG transform rotate.

---
   Module Name: pkgsrc
   Committed By:        leot
   Date:                Wed Aug 22 13:39:24 UTC 2018

   Modified Files:
        pkgsrc/graphics/ImageMagick: Makefile distinfo
   Added Files:
        pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml

   Log Message:
   ImageMagick: Disable ghostscript coders by default in policy.xml

   Disable ghostscript coders in policy.xml as a workaround for
   VU#332928 (<https://www.kb.cert.org/vuls/id/332928>).

   Please note that apart from commenting/removing lines added in policy.xml,
   the ghostscript coders can be enabled per-user by copying policy.xml
   to ~/.config/ImageMagick/policy.xml and adjusting it with the
   following lines:

     | [...]
     | <policy domain="coder" rights="read|write" pattern="PS" />
     | <policy domain="coder" rights="read|write" pattern="EPS" />
     | <policy domain="coder" rights="read|write" pattern="PDF" />
     | <policy domain="coder" rights="read|write" pattern="XPS" />
     | [...]

   Bump PKGREVISION

---
   Module Name: pkgsrc
   Committed By:        leot
   Date:                Thu Aug 23 14:52:23 UTC 2018

   Modified Files:
        pkgsrc/graphics/ImageMagick: Makefile distinfo
        pkgsrc/graphics/ImageMagick/patches: patch-config_policy.xml

   Log Message:
   ImageMagick: Also block PS2 and PS3 coders in policy.xml

   At least when reading PS2 and PS3 files via
   `convert PS2:<input> <output>' and `convert PS3:<input> <output>'
   gslib/ghostscript will be invoked and hence subject to VU#332928.

   Pointed out by Bob Friesenhahn via oss-security@ ML (and follow up from
   VU#332928 update).

diffstat:

 graphics/ImageMagick/Makefile                        |   3 +-
 graphics/ImageMagick/Makefile.common                 |   4 +-
 graphics/ImageMagick/distinfo                        |  11 +++++----
 graphics/ImageMagick/patches/patch-config_policy.xml |  24 ++++++++++++++++++++
 4 files changed, 34 insertions(+), 8 deletions(-)

diffs (73 lines):

diff -r 7fd68e90a0c4 -r 843f31e0979e graphics/ImageMagick/Makefile
--- a/graphics/ImageMagick/Makefile     Sat Aug 25 19:26:01 2018 +0000
+++ b/graphics/ImageMagick/Makefile     Sat Aug 25 19:29:35 2018 +0000
@@ -1,5 +1,6 @@
-# $NetBSD: Makefile,v 1.244 2018/05/27 06:49:00 wiz Exp $
+# $NetBSD: Makefile,v 1.244.2.1 2018/08/25 19:29:35 bsiegert Exp $
 
+PKGREVISION=   3
 .include "Makefile.common"
 
 PKGNAME=       ImageMagick-${DISTVERSION}
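Review bot: PKGREVISION=3 is introduced on a branch Makefile that had no PKGREVISION before, in the same changeset that moves IM_MINOR_VER from 2 to 10, while the pullup lists only Makefile 1.246-1.247. If 3 was chosen to mirror the value on trunk, say so in the pullup message; otherwise explain why the revision does not start lower after a version update.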
diff -r 7fd68e90a0c4 -r 843f31e0979e graphics/ImageMagick/Makefile.common
--- a/graphics/ImageMagick/Makefile.common      Sat Aug 25 19:26:01 2018 +0000
+++ b/graphics/ImageMagick/Makefile.common      Sat Aug 25 19:29:35 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.174 2018/06/19 22:57:05 ryoon Exp $
+# $NetBSD: Makefile.common,v 1.174.2.1 2018/08/25 19:29:35 bsiegert Exp $
 #
 # When updating this package, please upload the distfile
 # since they disappear immediately when new releases happen,
@@ -7,7 +7,7 @@
 # used by graphics/p5-PerlMagick/Makefile
 
 IM_MAJOR_VER=          7.0.8
-IM_MINOR_VER=          2
+IM_MINOR_VER=          10
 IM_MAJOR_LIB_VER=      7
 
 .if (${IM_MINOR_VER} != NONE)
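Review bot: IM_MINOR_VER moves from 2 to 10 on the stable branch, so the security fix arrives together with eight upstream releases, including the behaviour changes listed in the log (new dcraw coder, -range threshold option, ScaleLongToQuantum() no longer adding a half interval). The pullup request should state that consumers of this file, such as graphics/p5-PerlMagick named in the comment above, were rebuilt and tested against 7.0.8-10.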
diff -r 7fd68e90a0c4 -r 843f31e0979e graphics/ImageMagick/distinfo
--- a/graphics/ImageMagick/distinfo     Sat Aug 25 19:26:01 2018 +0000
+++ b/graphics/ImageMagick/distinfo     Sat Aug 25 19:29:35 2018 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.189 2018/06/19 22:57:05 ryoon Exp $
+$NetBSD: distinfo,v 1.189.2.1 2018/08/25 19:29:35 bsiegert Exp $
 
-SHA1 (ImageMagick-7.0.8-2.tar.xz) = 45b18033646f688a01bd14136a3666c95a74bc7e
-RMD160 (ImageMagick-7.0.8-2.tar.xz) = 08395e4250451102f7c4142a8a7c369c58137ac6
-SHA512 (ImageMagick-7.0.8-2.tar.xz) = 1a0694dddbe12117341fc82e8f8c023e438f38c9cfb65bdfc4d7f9d31299df77796b4b87df641abc9a8a6670d45785d487d141e2bfbd625cd37aeab6b3a85615
-Size (ImageMagick-7.0.8-2.tar.xz) = 8617868 bytes
+SHA1 (ImageMagick-7.0.8-10.tar.xz) = c69fb5b1ec2d04711a98df8762926a37e3f13bc5
+RMD160 (ImageMagick-7.0.8-10.tar.xz) = 9e5339d7e4f2dbc42090cd8394bca5b97dc485ba
+SHA512 (ImageMagick-7.0.8-10.tar.xz) = a4869e0a9be5e04c04fcd1fce5c4141d63968ee7f1dd78d84724921f2f088bdcea8c3b3799e1ff555a2a04dec32a1fb7c4a1e6053a6185e9a36c6ae0f1b9c6ed
+Size (ImageMagick-7.0.8-10.tar.xz) = 8635496 bytes
+SHA1 (patch-config_policy.xml) = 2c446a00fc00f85ab33eae0691d4d8989a46289f
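Review bot: the new SHA1/RMD160/SHA512 lines for ImageMagick-7.0.8-10.tar.xz can only be verified against a tarball that is still fetchable, and the comment in Makefile.common says upstream distfiles disappear as soon as a new release happens. Confirm the 7.0.8-10 distfile is uploaded to the pkgsrc mirror before this lands on the branch, and confirm the SHA1 recorded for patch-config_policy.xml was generated from the patch revision that contains the PS2 and PS3 lines.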
diff -r 7fd68e90a0c4 -r 843f31e0979e graphics/ImageMagick/patches/patch-config_policy.xml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/ImageMagick/patches/patch-config_policy.xml      Sat Aug 25 19:29:35 2018 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-config_policy.xml,v 1.2.2.2 2018/08/25 19:29:35 bsiegert Exp $
+
+Disable ghostscript coders by default to workaround VU#332928:
+<https://www.kb.cert.org/vuls/id/332928>
+
+--- config/policy.xml.orig     2018-08-13 11:05:28.000000000 +0000
++++ config/policy.xml
+@@ -74,4 +74,16 @@
+   <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+   <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+   <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
++
++  <!-- 
++    -- Disable ghostscript coders as suggested by VU#332928
++    --  <https://www.kb.cert.org/vuls/id/332928>
++    -->
++  <policy domain="coder" rights="none" pattern="PS" />
++  <policy domain="coder" rights="none" pattern="PS2" />
++  <policy domain="coder" rights="none" pattern="PS3" />
++  <policy domain="coder" rights="none" pattern="EPS" />
++  <policy domain="coder" rights="none" pattern="PDF" />
++  <policy domain="coder" rights="none" pattern="XPS" />
++
+ </policymap>
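Review bot: the six pattern= lines are a fixed list of coder names, and the follow-up commit for PS2 and PS3 shows the first version of that list was incomplete. The comment block in the patch should record how the list was derived, so it can be re-checked whenever the package is updated. Since the log message notes that a per-user ~/.config/ImageMagick/policy.xml can grant these coders back, the comment should also say that this default is a workaround and not a boundary for services that process untrusted files under their own account.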

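An added example (not part of the commit or of pkgsrc): a static audit of policy.xml text that reports, for the six coder names in the patch above, whether a system file denies each one and whether a per-user file grants it back. The sample policies are constructed to mirror the two patch revisions and the override from the log message; fnmatch only approximates ImageMagick's pattern matching, and the labels describe what the files say, not ImageMagick's evaluation order.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coder names the pkgsrc patch on this page sets to rights="none".
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def coder_rules(policy_xml):
    """Return [(pattern, rights)] for the active coder policies in one file.
    Policies inside <!-- ... --> are dropped by the XML parser, so the
    commented-out samples that policy.xml ships with are not counted."""
    rules = []
    for el in ET.fromstring(policy_xml).iter("policy"):
        if el.get("domain", "").lower() != "coder" or el.get("rights") is None:
            continue
        rights = {r.strip().lower() for r in el.get("rights").split("|")}
        rules.append((el.get("pattern", "").upper(), rights - {"", "none"}))
    return rules

def audit(system_xml, user_xml=None, coders=GS_CODERS):
    """Map each coder to 'user-grant', 'denied' or 'not denied'.
    Matching uses fnmatch as an approximation of ImageMagick's globbing."""
    system = coder_rules(system_xml)
    user = coder_rules(user_xml) if user_xml else []
    report = {}
    for name in coders:
        if any(fnmatchcase(name, p) and r for p, r in user):
            report[name] = "user-grant"
        elif any(fnmatchcase(name, p) and not r for p, r in system):
            report[name] = "denied"
        else:
            report[name] = "not denied"
    return report

def policy(rights, names, extra=""):
    """Build a constructed policy.xml body for the samples below."""
    rows = "".join(f'<policy domain="coder" rights="{rights}" pattern="{n}"/>'
                   for n in names)
    return f"<policymap>{extra}{rows}</policymap>"

# Constructed samples: first patch revision, final revision, user override.
COMMENTED = '<!-- <policy domain="coder" rights="none" pattern="PS2"/> -->'
REV1 = policy("none", ["PS", "EPS", "PDF", "XPS"], COMMENTED)
REV2 = policy("none", GS_CODERS)
USER = policy("read|write", ["PS", "EPS", "PDF", "XPS"])

if __name__ == "__main__":
    for label, args in (("rev1", (REV1,)), ("rev2", (REV2,)), ("rev2+user", (REV2, USER))):
        print(label, audit(*args))
```

On a real host, pass the contents of the installed policy.xml and of ~/.config/ImageMagick/policy.xml for each service account that runs ImageMagick.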

