fixup! component/imagemagick: version up 7.1.1-20, including security fixes.

5c23a16d · Kazuhiko Shiozaki · 4e9fdd76 · 4e9fdd76 · 5c23a16d · 5c23a16d
Commit 5c23a16d authored Oct 10, 2023 by Kazuhiko Shiozaki
3 changed files
--- a/component/imagemagick/allow_svg_in_limited_policy.patch
+++ b/component/imagemagick/allow_svg_in_limited_policy.patch
--- ImageMagick-7.1.1-20.orig/config/policy-limited.xml	2023-10-08 23:05:13.000000000 +0200
-+++ ImageMagick-7.1.1-20/config/policy-limited.xml	2023-10-10 09:33:34.880236626 +0200
-@@ -20,7 +20,7 @@
-   The primary objective of the limited security policy is to find a
-   middle ground between convenience and security. This policy involves the
-   deactivation of potentially hazardous functionalities, like specific coders
-  such as SVG or HTTP. Furthermore, it establishes several constraints on
-+  such as HTTP. Furthermore, it establishes several constraints on
-   the utilization of resources like memory, storage, and processing duration,
-   all of which are adjustable. This policy proves advantageous in situations
-   where there's a need to mitigate the potential threat of handling possibly
-@@ -85,7 +85,7 @@
-   <!-- Indirect reads are not permitted. -->
-   <policy domain="path" rights="none" pattern="@*"/>
-   <!-- These image types are security risks on read, but write is fine -->
-  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/>
-+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,URL,XPS}"/>
-   <!-- This policy sets the number of times to replace content of certain
-        memory buffers and temporary files before they are freed or deleted. -->
-   <!-- <policy domain="system" name="shred" value="1"/> -->
--- a/component/imagemagick/buildout.cfg
+++ b/component/imagemagick/buildout.cfg
@@ -66,11 +66,10 @@ configure-options =
  --with-bzlib=${bzip2:location}
  --with-zlib=${zlib:location}
  --with-frozenpaths
-  --with-security-policy=limited
 patch-options = -p1
 patches =
  ${:_profile_base_location_}/imagemagick-7.1.1-20-no-gsx-gsc-probe.patch#98762d1977e5bce2e12954818a671eb9
-  ${:_profile_base_location_}/allow_svg_in_limited_policy.patch#d79216fd31d974c0b7e6c1da12d50f22
+  ${:_profile_base_location_}/safe_policy.patch#0226c51e276f397b5900815c17dcf117
 environment =
  PATH=${freetype:location}/bin:${ghostscript:location}/bin:${inkscape:location}/bin:${libxml2:location}/bin:${patch:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
  PKG_CONFIG_PATH=${:pkg_config_depends}

--- a/component/imagemagick/safe_policy.patch
+++ b/component/imagemagick/safe_policy.patch
+--- ImageMagick-7.1.1-20.orig/config/policy-open.xml	2023-10-08 23:05:13.000000000 +0200
+++ ImageMagick-7.1.1-20/config/policy-open.xml	2023-10-10 18:29:06.846344247 +0200
+@@ -84,41 +84,41 @@
+ <policymap>
+   <policy domain="Undefined" rights="none"/>
+   <!-- Set maximum parallel threads. -->
+-  <!-- <policy domain="resource" name="thread" value="2"/> -->
+  <policy domain="resource" name="thread" value="2"/>
+   <!-- Set maximum time in seconds. When this limit is exceeded, an exception
+        is thrown and processing stops. -->
+-  <!-- <policy domain="resource" name="time" value="120"/> -->
+  <policy domain="resource" name="time" value="120"/>
+   <!-- Set maximum number of open pixel cache files. When this limit is
+        exceeded, any subsequent pixels cached to disk are closed and reopened
+        on demand. -->
+-  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <policy domain="resource" name="file" value="768"/>
+   <!-- Set maximum amount of memory in bytes to allocate for the pixel cache
+        from the heap. When this limit is exceeded, the image pixels are cached
+        to memory-mapped disk. -->
+-  <!-- <policy domain="resource" name="memory" value="256MiB"/> -->
+  <policy domain="resource" name="memory" value="256MiB"/>
+   <!-- Set maximum amount of memory map in bytes to allocate for the pixel
+        cache. When this limit is exceeded, the image pixels are cached to
+        disk. -->
+-  <!-- <policy domain="resource" name="map" value="512MiB"/> -->
+  <policy domain="resource" name="map" value="512MiB"/>
+   <!-- Set the maximum width * height of an image that can reside in the pixel
+        cache memory. Images that exceed the area limit are cached to disk. -->
+-  <!-- <policy domain="resource" name="area" value="16KP"/> -->
+  <policy domain="resource" name="area" value="16KP"/>
+   <!-- Set maximum amount of disk space in bytes permitted for use by the pixel
+        cache. When this limit is exceeded, the pixel cache is not be created
+        and an exception is thrown. -->
+-  <!-- <policy domain="resource" name="disk" value="1GiB"/> -->
+  <policy domain="resource" name="disk" value="1GiB"/>
+   <!-- Set the maximum length of an image sequence.  When this limit is
+        exceeded, an exception is thrown. -->
+-  <!-- <policy domain="resource" name="list-length" value="32"/> -->
+  <policy domain="resource" name="list-length" value="32"/>
+   <!-- Set the maximum width of an image.  When this limit is exceeded, an
+        exception is thrown. -->
+-  <!-- <policy domain="resource" name="width" value="8KP"/> -->
+  <policy domain="resource" name="width" value="8KP"/>
+   <!-- Set the maximum height of an image.  When this limit is exceeded, an
+        exception is thrown. -->
+-  <!-- <policy domain="resource" name="height" value="8KP"/> -->
+  <policy domain="resource" name="height" value="8KP"/>
+   <!-- Periodically yield the CPU for at least the time specified in
+        milliseconds. -->
+-  <!-- <policy domain="resource" name="throttle" value="2"/> -->
+  <policy domain="resource" name="throttle" value="2"/>
+   <!-- Do not create temporary files in the default shared directories, instead
+        specify a private area to store only ImageMagick temporary files. -->
+   <!-- <policy domain="resource" name="temporary-path" value="/magick/tmp/"/> -->
+@@ -138,7 +138,7 @@
+   <!-- don't read sensitive paths. -->
+   <!-- <policy domain="path" rights="none" pattern="/etc/*"/> -->
+   <!-- Indirect reads are not permitted. -->
+-  <!-- <policy domain="path" rights="none" pattern="@*"/> -->
+  <policy domain="path" rights="none" pattern="@*"/>
+   <!-- These image types are security risks on read, but write is fine -->
+   <!-- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/> -->
+   <!-- This policy sets the number of times to replace content of certain
+@@ -150,4 +150,5 @@
+   <!-- Set the maximum amount of memory in bytes that are permitted for
+        allocation requests. -->
+   <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <policy domain="coder" rights="none" pattern="{EPHEMERAL,HTTPS,MSL,MVG,PLT,SHOW,TEXT,URL,WIN}" />
+ </policymap>