Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ImageMagick for openSUSE:Factory checked in at 2025-11-11 19:19:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ImageMagick (Old) and /work/SRC/openSUSE:Factory/.ImageMagick.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ImageMagick" Tue Nov 11 19:19:35 2025 rev:318 rq:1316963 version:7.1.2.8 Changes: -------- --- /work/SRC/openSUSE:Factory/ImageMagick/ImageMagick.changes 2025-10-30 17:10:03.095227122 +0100 +++ /work/SRC/openSUSE:Factory/.ImageMagick.new.1980/ImageMagick.changes 2025-11-11 19:19:43.111406480 +0100 @@ -1,0 +2,6 @@ +Thu Nov 6 14:37:08 UTC 2025 - Dirk Stoecker <[email protected]> + +- fix policy to allow own configuration file reads (ImageMagick_policy_etc.patch) + adapt ImageMagick-configuration-SUSE.patch and reorder patch handling + +------------------------------------------------------------------- @@ -4936 +4941,0 @@ - New: ---- ImageMagick_policy_etc.patch ----------(New B)---------- New: - fix policy to allow own configuration file reads (ImageMagick_policy_etc.patch) adapt ImageMagick-configuration-SUSE.patch and reorder patch handling ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ImageMagick.spec ++++++ --- /var/tmp/diff_new_pack.hqfyOj/_old 2025-11-11 19:19:44.327457411 +0100 +++ /var/tmp/diff_new_pack.hqfyOj/_new 2025-11-11 19:19:44.331457579 +0100 @@ -46,9 +46,13 @@ Source1: baselibs.conf Source2: https://imagemagick.org/archive/releases/ImageMagick-%{source_version}.tar.xz.asc Source3: ImageMagick.keyring -# suse specific patches -Patch0: ImageMagick-configuration-SUSE.patch +# do not block read access to own config files +Patch0: ImageMagick_policy_etc.patch +# SUSE configuration +Patch1: ImageMagick-configuration-SUSE.patch +# library installation Patch2: ImageMagick-library-installable-in-parallel.patch +# disable failing tests Patch5: ImageMagick-s390x-disable-tests.patch BuildRequires: chrpath @@ -258,6 +262,10 @@ %prep %setup -q -n ImageMagick-%{source_version} +%patch -P 0 -p1 +# default policy (SUSE) +cp config/policy-secure.xml config/policy.xml +%patch -P 1 -p1 %patch -P 2 -p1 %ifarch s390x %patch -P 5 -p1 
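Review bot: In the %prep hunk the `cp config/policy-secure.xml config/policy.xml` line runs before `%patch -P 1 -p1`, while the reworked ImageMagick-configuration-SUSE.patch now names config/policy-secure.xml in its headers instead of config/policy.xml. As far as the visible lines show, the config/policy.xml that %install copies into %{_sysconfdir}/%{config_dir} is therefore a snapshot taken before the SUSE changes land, unless a build step outside this diff regenerates it from policy-secure.xml. Swapping the two steps, `%patch -P 1 -p1` first and `cp config/policy-secure.xml config/policy.xml` after it, makes the shipped default policy independent of that assumption. A short comment such as `# copy only after all policy patches are applied` would keep the ordering from regressing; note that the %prep section continues beyond this hunk.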
@@ -359,9 +367,6 @@ %install %make_install pkgdocdir=%{_defaultdocdir}/ImageMagick-7/ -# default policy (SUSE) -cp config/policy-secure.xml config/policy.xml -patch --fuzz=0 -p1 < %{PATCH0} cp config/policy.xml %{buildroot}%{_sysconfdir}/%{config_dir} # symlink header file relative to /usr/include/ImageMagick-7/ # so that inclusions like wand/*.h and magick/*.h work ++++++ ImageMagick-configuration-SUSE.patch ++++++ --- /var/tmp/diff_new_pack.hqfyOj/_old 2025-11-11 19:19:44.375459422 +0100 +++ /var/tmp/diff_new_pack.hqfyOj/_new 2025-11-11 19:19:44.383459757 +0100 @@ -1,5 +1,6 @@ ---- ImageMagick-7.1.1-30/config/policy.xml -+++ ImageMagick-7.1.1-30/config/policy.xml +diff -ur ImageMagick-7.1.2-8_fix/config/policy-secure.xml ImageMagick-7.1.2-8_fix2/config/policy-secure.xml +--- ImageMagick-7.1.2-8/config/policy-secure.xml 2025-11-06 15:30:11.995056081 +0100 ++++ ImageMagick-7.1.2-8_fix/config/policy-secure.xml 2025-11-06 15:46:05.605527563 +0100 @@ -62,7 +62,7 @@ <policy domain="resource" name="disk" value="1GiB"/> <!-- Set the maximum length of an image sequence. When this limit is @@ -9,7 +10,7 @@ <!-- Set the maximum width of an image. When this limit is exceeded, an exception is thrown. --> <policy domain="resource" name="width" value="8KP"/> -@@ -83,11 +83,11 @@ +@@ -85,11 +85,11 @@ <!-- Replace passphrase for secure distributed processing --> <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> --> <!-- Do not permit any delegates to execute. --> @@ -22,8 +23,8 @@ + <!--policy domain="path" rights="none" pattern="-"/ --> <!-- don't read sensitive paths. --> <policy domain="path" rights="none" pattern="/etc/*"/> - <!-- Indirect reads are not permitted. --> -@@ -103,4 +103,20 @@ + <!-- but allow to read own data. --> +@@ -107,4 +107,20 @@ <!-- Set the maximum amount of memory in bytes that are permitted for allocation requests. --> <policy domain="system" name="max-memory-request" value="256MiB"/> 
@@ -45,4 +46,3 @@ + <policy domain="coder" rights="write" pattern="PCL" /> </policymap> - ++++++ ImageMagick_policy_etc.patch ++++++ diff -ur ImageMagick-7.1.2-8/config/policy-limited.xml ImageMagick-7.1.2-8_fix/config/policy-limited.xml --- ImageMagick-7.1.2-8/config/policy-limited.xml 2025-10-26 12:54:38.000000000 +0100 +++ ImageMagick-7.1.2-8_fix/config/policy-limited.xml 2025-11-06 15:30:05.385948863 +0100 @@ -82,6 +82,8 @@ <!-- <policy domain="path" rights="none" pattern="-"/> --> <!-- don't read sensitive paths. --> <policy domain="path" rights="none" pattern="/etc/*"/> + <!-- but allow to read own data. --> + <policy domain="path" rights="read" pattern="/etc/IM*"/> <!-- Indirect reads are not permitted. --> <policy domain="path" rights="none" pattern="@*"/> <!-- These image types are security risks on read, but write is fine --> diff -ur ImageMagick-7.1.2-8/config/policy-open.xml ImageMagick-7.1.2-8_fix/config/policy-open.xml --- ImageMagick-7.1.2-8/config/policy-open.xml 2025-10-26 12:54:38.000000000 +0100 +++ ImageMagick-7.1.2-8_fix/config/policy-open.xml 2025-11-06 15:30:28.217319267 +0100 @@ -137,6 +137,8 @@ <!-- <policy domain="path" rights="none" pattern="-"/> --> <!-- don't read sensitive paths. --> <!-- <policy domain="path" rights="none" pattern="/etc/*"/> --> + <!-- but allow to read own data. --> + <!-- <policy domain="path" rights="read" pattern="/etc/IM*"/> --> <!-- Indirect reads are not permitted. --> <!-- <policy domain="path" rights="none" pattern="@*"/> --> <!-- These image types are security risks on read, but write is fine --> diff -ur ImageMagick-7.1.2-8/config/policy-secure.xml ImageMagick-7.1.2-8_fix/config/policy-secure.xml --- ImageMagick-7.1.2-8/config/policy-secure.xml 2025-10-26 12:54:38.000000000 +0100 +++ ImageMagick-7.1.2-8_fix/config/policy-secure.xml 2025-11-06 15:30:11.995056081 +0100 
@@ -92,6 +92,8 @@
 <policy domain="path" rights="none" pattern="-"/>
 <!-- don't read sensitive paths. -->
 <policy domain="path" rights="none" pattern="/etc/*"/>
+ <!-- but allow to read own data. -->
+ <policy domain="path" rights="read" pattern="/etc/IM*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
 <!-- These image types are security risks on read, but write is fine -->
diff -ur ImageMagick-7.1.2-8/config/policy-websafe.xml ImageMagick-7.1.2-8_fix/config/policy-websafe.xml
--- ImageMagick-7.1.2-8/config/policy-websafe.xml 2025-10-26 12:54:38.000000000 +0100
+++ ImageMagick-7.1.2-8_fix/config/policy-websafe.xml 2025-11-06 15:29:57.094814346 +0100
@@ -88,6 +88,8 @@
 <policy domain="path" rights="none" pattern="-"/>
 <!-- don't read sensitive paths. -->
 <policy domain="path" rights="none" pattern="/etc/*"/>
+ <!-- but allow to read own data. -->
+ <policy domain="path" rights="read" pattern="/etc/IM*"/>
 <!-- Indirect reads are not permitted. -->
 <policy domain="path" rights="none" pattern="@*"/>
 <!-- Deny all image modules and specifically exempt reading or writing
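Review bot: The added `pattern="/etc/IM*"` rule in the policy-secure.xml hunk, repeated in the policy-limited.xml and policy-websafe.xml hunks, re-opens more of /etc than the package's own directory. It matches any path under /etc whose name begins with IM, and it presumably applies to every read checked against the path policy, not only to the configuration loader. Narrowing the glob to the installed directory, for example `<policy domain="path" rights="read" pattern="/etc/ImageMagick*"/>` (or the exact %{config_dir} value, which is not visible here), keeps the exemption to what the fix needs. The comment could also record the ordering dependency, e.g. `<!-- allow reading ImageMagick's own configuration; must stay after the /etc/* deny -->`, assuming later matching path rules take precedence as the placement implies. Because policy.xml may carry a `shared-secret` entry, it is worth confirming that the coder rules still prevent that file from being consumed as an ordinary input.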
