CVS commit: pkgsrc/graphics/ImageMagick6

["Leonardo Taccari" <leot%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   leot
Date:           Thu Aug 23 14:54:21 UTC 2018

Modified Files:
        pkgsrc/graphics/ImageMagick6: Makefile distinfo
        pkgsrc/graphics/ImageMagick6/patches: patch-config_policy.xml

Log Message:
ImageMagick6: Also block PS2 and PS3 coders in policy.xml

At least when reading PS2 and PS3 files via
`convert PS2:<input> <output>' and `convert PS3:<input> <output>'
gslib/ghostscript will be invoked and hence subject to VU#332928.

Pointed out by Bob Friesenhahn via oss-security@ ML (and follow up from
VU#332928 update).


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/graphics/ImageMagick6/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/graphics/ImageMagick6/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/ImageMagick6/Makefile
diff -u pkgsrc/graphics/ImageMagick6/Makefile:1.18 pkgsrc/graphics/ImageMagick6/Makefile:1.19
--- pkgsrc/graphics/ImageMagick6/Makefile:1.18  Wed Aug 22 13:38:00 2018
+++ pkgsrc/graphics/ImageMagick6/Makefile       Thu Aug 23 14:54:21 2018
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.18 2018/08/22 13:38:00 leot Exp $
+# $NetBSD: Makefile,v 1.19 2018/08/23 14:54:21 leot Exp $
 
-PKGREVISION= 4
+PKGREVISION=   5
 .include "Makefile.common"
 
 PKGNAME=       ImageMagick6-${DISTVERSION}

Index: pkgsrc/graphics/ImageMagick6/distinfo
diff -u pkgsrc/graphics/ImageMagick6/distinfo:1.10 pkgsrc/graphics/ImageMagick6/distinfo:1.11
--- pkgsrc/graphics/ImageMagick6/distinfo:1.10  Wed Aug 22 13:38:00 2018
+++ pkgsrc/graphics/ImageMagick6/distinfo       Thu Aug 23 14:54:21 2018
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.10 2018/08/22 13:38:00 leot Exp $
+$NetBSD: distinfo,v 1.11 2018/08/23 14:54:21 leot Exp $
 
 SHA1 (ImageMagick-6.9.9-38.tar.xz) = 2dc6b3c415b342efb7ab64d18bb801c7f1881212
 RMD160 (ImageMagick-6.9.9-38.tar.xz) = 50008946057cde9fc7a6d0149414e870a2a351b0
 SHA512 (ImageMagick-6.9.9-38.tar.xz) = 78ecb605d2ea529603bab723c284be9c03a7d370814bbe708c2c34e0b91f75c1a0c193a5a2ea8f3583019d3610ac08d0d28671d8fdb2df2478865d9ab7417b91
 Size (ImageMagick-6.9.9-38.tar.xz) = 8913864 bytes
 SHA1 (patch-Makefile.in) = bb747b5e062f2a59e307289b5b33861dd5f96ab0
-SHA1 (patch-config_policy.xml) = 2b7e37cc8fedb0d06502ba1d7e65a5aea9d6ec96
+SHA1 (patch-config_policy.xml) = 2c446a00fc00f85ab33eae0691d4d8989a46289f

Index: pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml
diff -u pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml:1.1 pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml:1.2
--- pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml:1.1    Wed Aug 22 13:38:00 2018
+++ pkgsrc/graphics/ImageMagick6/patches/patch-config_policy.xml        Thu Aug 23 14:54:21 2018
@@ -1,11 +1,11 @@
-$NetBSD: patch-config_policy.xml,v 1.1 2018/08/22 13:38:00 leot Exp $
+$NetBSD: patch-config_policy.xml,v 1.2 2018/08/23 14:54:21 leot Exp $
 
 Disable ghostscript coders by default to workaround VU#332928:
 <https://www.kb.cert.org/vuls/id/332928>
 
 --- config/policy.xml.orig     2018-08-13 11:05:28.000000000 +0000
 +++ config/policy.xml
-@@ -74,4 +74,14 @@
+@@ -74,4 +74,16 @@
    <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
    <!-- <policy domain="cache" name="synchronize" value="True"/> -->
    <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
@@ -15,6 +15,8 @@ Disable ghostscript coders by default to
 +    --  <https://www.kb.cert.org/vuls/id/332928>
 +    -->
 +  <policy domain="coder" rights="none" pattern="PS" />
++  <policy domain="coder" rights="none" pattern="PS2" />
++  <policy domain="coder" rights="none" pattern="PS3" />
 +  <policy domain="coder" rights="none" pattern="EPS" />
 +  <policy domain="coder" rights="none" pattern="PDF" />
 +  <policy domain="coder" rights="none" pattern="XPS" />