Hello community, here is the log from the commit of package ImageMagick for openSUSE:Factory checked in at 2019-03-27 16:12:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ImageMagick (Old) and /work/SRC/openSUSE:Factory/.ImageMagick.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ImageMagick" Wed Mar 27 16:12:07 2019 rev:176 rq:686103 version:7.0.8.34 Changes: -------- --- /work/SRC/openSUSE:Factory/ImageMagick/ImageMagick.changes 2019-02-24 17:07:36.076560436 +0100 +++ /work/SRC/openSUSE:Factory/.ImageMagick.new.25356/ImageMagick.changes 2019-03-27 16:12:16.603654177 +0100 @@ -1,0 +2,56 @@ +Mon Mar 18 13:05:19 UTC 2019 - [email protected] + +- added temporary %pretrans to ImageMagick-config-upstream and + ImageMagick-config-SUSE [bsc#1122033comment#37] + +------------------------------------------------------------------- +Mon Mar 18 10:04:58 UTC 2019 - [email protected] + +- version update to 7.0.8.34 + * Associate one lock with each resource. + * Report exception if opening TIFF did not work out. + * Fixed numerous use of uninitialized values, integer overflow, memory + exceeded, and timeouts (credit to OSS Fuzz). + +------------------------------------------------------------------- +Wed Mar 13 07:37:36 UTC 2019 - Petr Gajdos <[email protected]> + +- update to 7.0.8-33 + * Fix SVG conversion infinite loop (reference + https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=35591). + * Initialize primitive drawing structure after resizing. + * Fix out-of-boundary LocaleLowerCase() @ + https://github.com/ImageMagick/ImageMagick/issues/1495 + * -trim is no longer sensitive to the image virtual canvas. + +------------------------------------------------------------------- +Mon Mar 4 12:53:26 UTC 2019 - [email protected] + +- update to 7.0.8-30 + * Support define to remove additional background from an image during a + trim, e.g. -define trim:percent-background=0% -trim. + * Fixed a number of issues (reference + https://github.com/ImageMagick/ImageMagick/issues). + * Fixed numerous use of uninitialized values, integer overflow, memory + exceeded, and timeouts (credit to OSS Fuzz). +- deleted patches + - ImageMagick-montage.t.patch (upstreamed) + +------------------------------------------------------------------- +Thu Feb 28 11:44:05 UTC 2019 - [email protected] + +- provide two new (conflicting) packages with configuration + [bsc#1122033]: + * ImageMagick-config-upstream + - provides configuration provided by upstream (no restrictions) + * ImageMagick-config-SUSE (preferred) + - provides configuration provided by SUSE (with security + restrictions) + and use update-alternatives for selecting configurations. +- remove code for < 1315 +- deleted patches + - ImageMagick-disable-insecure-coders.patch (renamed) +- added patches + + ImageMagick-configuration-SUSE.patch + +------------------------------------------------------------------- Old: ---- ImageMagick-7.0.8-28.tar.bz2 ImageMagick-7.0.8-28.tar.bz2.asc ImageMagick-disable-insecure-coders.patch ImageMagick-montage.t.patch New: ---- ImageMagick-7.0.8-34.tar.bz2 ImageMagick-7.0.8-34.tar.bz2.asc ImageMagick-configuration-SUSE.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ImageMagick.spec ++++++ --- /var/tmp/diff_new_pack.70vK9o/_old 2019-03-27 16:12:18.343653734 +0100 +++ /var/tmp/diff_new_pack.70vK9o/_new 2019-03-27 16:12:18.375653725 +0100 @@ -20,13 +20,15 @@ %define asan_build 0 %define maj 7 %define mfr_version %{maj}.0.8 -%define mfr_revision 28 +%define mfr_revision 34 %define quantum_depth 16 %define source_version %{mfr_version}-%{mfr_revision} %define clibver 6 %define cwandver 6 %define cxxlibver 4 %define libspec -%{maj}_Q%{quantum_depth}HDRI +%define config_dir ImageMagick-7 +%define config_spec config-7 # bsc#1088463 %define urw_base35_fonts 0 @@ -42,13 +44,11 @@ Source2: https://www.imagemagick.org/download/ImageMagick-%{mfr_version}-%{mfr_revision}.tar.bz2.asc Source3: ImageMagick.keyring # suse specific patches -Patch0: ImageMagick-disable-insecure-coders.patch +Patch0: ImageMagick-configuration-SUSE.patch Patch2: ImageMagick-library-installable-in-parallel.patch #%%ifarch s390x s390 ppc64 ppc Patch3: ImageMagick-s390-disable-tests.patch #%%endif -# https://github.com/ImageMagick/ImageMagick/issues/1484 -Patch4: ImageMagick-montage.t.patch BuildRequires: chrpath BuildRequires: fdupes BuildRequires: gcc-c++ @@ -169,7 +169,9 @@ Summary: C runtime library for ImageMagick Group: Productivity/Graphics/Other Recommends: ghostscript -Suggests: ImageMagick-extra = %{version} +Suggests: %{name}-extra = %{version} +Requires: imagick-%{config_spec} +Recommends: %{config_spec}-SUSE %package -n libMagickWand%{libspec}%{cwandver} Summary: C runtime library for ImageMagick @@ -178,7 +180,7 @@ %package -n libMagick++%{libspec}%{cxxlibver} Summary: C++ interface runtime library for ImageMagick Group: Development/Libraries/C and C++ -Requires: ImageMagick +Requires: %{name} %package -n libMagick++-devel Summary: Development files for ImageMagick's C++ interface @@ -188,7 +190,7 @@ %if 0%{?suse_version} >= 1315 Requires: pkgconfig(ImageMagick) = %{mfr_version} %else -Requires: ImageMagick-devel = %{version} +Requires: %{name}-devel = %{version} %endif %package doc @@ -198,6 +200,20 @@ BuildArch: noarch %endif +%package %{config_spec}-upstream +Summary: Upstream Configuration Files +Group: Development/Libraries/C and C++ +Provides: imagick-%{config_spec} +Requires(post): update-alternatives +Requires(postun): update-alternatives + +%package %{config_spec}-SUSE +Summary: Upstream Configuration Files +Group: Development/Libraries/C and C++ +Provides: imagick-%{config_spec} +Requires(post): update-alternatives +Requires(postun): update-alternatives + %description ImageMagick is a robust collection of tools and libraries to read, write, and manipulate an image in many image formats, including popular @@ -296,14 +312,28 @@ %description doc HTML documentation for ImageMagick library and scene examples. +%description %{config_spec}-upstream +ImageMagick configuration as supplied by upstream. It does not +provide any security restrictions. ImageMagick will be vulnerable +for example by ImageTragick or PS/PDF coder issues. It should +be used in trusted environment. Version or maintenance updates +will not overwrite user changes in system configuration. + +%description %{config_spec}-SUSE +ImageMagick configuration as provide by SUSE. It is more security +aware than config-upstream variant. It does disable some coders, +that are insecure by design to prevent user to use them +inadvertently. Configuration can be subject of change by future +version and maintenance updates and system changes will not be +preserved. + + %prep %setup -q -n ImageMagick-%{source_version} -%patch0 -p1 %patch2 -p1 %ifarch s390x s390 ppc ppc64 %patch3 -p1 %endif -%patch4 -p1 -R %build # bsc#1088463 @@ -315,7 +345,6 @@ # make library binary package parallel installable export MODULES_DIRNAME="modules%{libspec}%{clibver}" export SHAREARCH_DIRNAME="config%{libspec}%{clibver}" -export CONFIGURE_RELATIVE_PATH="ImageMagick%{libspec}%{clibver}" %if %{debug_build} export CFLAGS="%{optflags} -O0" export CXXFLAGS="%{optflags} -O0" @@ -367,9 +396,6 @@ # mostly because */demo is used later with %check # polutting dir with .libs etc. cp -r Magick++/demo Magick++/examples -%if 0%{?suse_version} < 1315 -rm -r Magick++/examples/.deps -%endif cp -r PerlMagick/demo PerlMagick/examples # other improvements chmod -x PerlMagick/demo/*.pl @@ -408,13 +434,19 @@ DESTDIR=%{buildroot} \ pkgdocdir=%{_defaultdocdir}/%{name}-%{maj}/ %endif +# configuration magic +mv -t %{buildroot}%{_sysconfdir}/%{name}* %{buildroot}%{_datadir}/%{name}*/*.xml +mv %{buildroot}%{_sysconfdir}/%{config_dir}{,-upstream} +cp -r %{buildroot}%{_sysconfdir}/%{config_dir}{-upstream,-SUSE} +patch --dir %{buildroot}%{_sysconfdir}/%{config_dir}-SUSE < %{PATCH0} +mkdir -p %{buildroot}%{_sysconfdir}/alternatives/ +ln -sf %{_sysconfdir}/alternatives/%{config_dir} %{buildroot}%{_sysconfdir}/%{config_dir} # symlink header file relative to /usr/include/ImageMagick-7/ # so that inclusions like wand/*.h and magick/*.h work ln -s ./MagickCore %{buildroot}%{_includedir}/%{name}-%{maj}/magick ln -s ./MagickWand %{buildroot}%{_includedir}/%{name}-%{maj}/wand # these will be included via %doc rm -r %{buildroot}%{_datadir}/doc/%{name}-%{maj}/ -mv -t %{buildroot}%{_sysconfdir}/%{name}* %{buildroot}%{_datadir}/%{name}*/*.xml rm %{buildroot}%{_libdir}/*.la # remove RPATH from perl module perl_module=$(find %{buildroot}%{_prefix}/lib/perl5 -name '*.so') @@ -436,10 +468,41 @@ %post -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig %postun -n libMagick++%{libspec}%{cxxlibver} -p /sbin/ldconfig +%pretrans %{config_spec}-upstream -p <lua> +-- this %pretrans to be removed soon [bug#1122033#c37] +path = "%{_sysconfdir}/%{config_dir}" +st = posix.stat(path) +if st and st.type == "directory" then + os.remove(path .. ".rpmmoved") + os.rename(path, path .. ".rpmmoved") +end + +%post %{config_spec}-upstream +%{_sbindir}/update-alternatives --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-upstream 1 + +%postun %{config_spec}-upstream +if [ ! -d %{_sysconfdir}/%{config_dir}-upstream ] ; then + %{_sbindir}/update-alternatives --remove %{config_dir} %{_sysconfdir}/%{config_dir}-upstream +fi + +%pretrans %{config_spec}-SUSE -p <lua> +-- this %pretrans to be removed soon [bug#1122033#c37] +path = "%{_sysconfdir}/%{config_dir}" +st = posix.stat(path) +if st and st.type == "directory" then + os.remove(path .. ".rpmmoved") + os.rename(path, path .. ".rpmmoved") +end + +%post %{config_spec}-SUSE +%{_sbindir}/update-alternatives --install %{_sysconfdir}/%{config_dir} %{config_dir} %{_sysconfdir}/%{config_dir}-SUSE 10 + +%postun %{config_spec}-SUSE +if [ ! -d %{_sysconfdir}/%{config_dir}-SUSE ] ; then + %{_sbindir}/update-alternatives --remove %{config_dir} %{_sysconfdir}/%{config_dir}-SUSE +fi + %files -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %license LICENSE %doc ChangeLog NEWS.txt %{_bindir}/[^MW]* @@ -447,14 +510,9 @@ %exclude %{_mandir}/man1/*-config.1%{ext_man} %files -n libMagickCore%{libspec}%{clibver} -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %license LICENSE %doc ChangeLog NEWS.txt %{_libdir}/libMagickCore*.so.%{clibver}* -%dir %{_sysconfdir}/ImageMagick* -%config %{_sysconfdir}/ImageMagick*/* %dir %{_libdir}/ImageMagick* %if !%{debug_build} %dir %{_libdir}/ImageMagick*/modules* @@ -471,16 +529,10 @@ %{_libdir}/ImageMagick*/config* %files -n libMagickWand%{libspec}%{cwandver} -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %{_libdir}/libMagickWand*.so.%{cwandver}* %if !%{debug_build} %files extra -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %{_libdir}/ImageMagick*/modules*/*/wmf.so # don't remove la files, see bnc#579798 %if 0%{?suse_version} > 1315 @@ -492,9 +544,6 @@ %endif %files devel -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %{_libdir}/libMagickCore*.so %{_libdir}/libMagickWand*.so %dir %{_includedir}/ImageMagick* @@ -511,28 +560,16 @@ %exclude %{_mandir}/man1/Magick++-config.1%{ext_man} %files -n perl-PerlMagick -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %doc PerlMagick/README.txt %doc PerlMagick/examples %{_mandir}/man3/* %{perl_vendorarch}/auto/Image %{perl_vendorarch}/Image -%if 0%{?suse_version} < 1315 -%{_localstatedir}/adm/perl-modules/ImageMagick -%endif %files -n libMagick++%{libspec}%{cxxlibver} -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %{_libdir}/libMagick++*.so.%{cxxlibver}* %files -n libMagick++-devel -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %doc Magick++/examples %doc Magick++/NEWS Magick++/README Magick++/AUTHORS %{_libdir}/libMagick++*.so @@ -543,9 +580,18 @@ %{_mandir}/man1/Magick++-config.1%{ext_man} %files doc -%if 0%{?suse_version} < 1315 -%defattr(-,root,root) -%endif %{_defaultdocdir}/%{name}-%{maj} +%files %{config_spec}-upstream +%dir %{_sysconfdir}/ImageMagick*-upstream/ +%config(noreplace) %{_sysconfdir}/ImageMagick*-upstream/* +%{_sysconfdir}/%{config_dir} +%ghost %{_sysconfdir}/alternatives/%{config_dir} + +%files %{config_spec}-SUSE +%dir %{_sysconfdir}/ImageMagick*-SUSE/ +%config %{_sysconfdir}/ImageMagick*-SUSE/* +%{_sysconfdir}/%{config_dir} +%ghost %{_sysconfdir}/alternatives/%{config_dir} + %changelog ++++++ ImageMagick-7.0.8-28.tar.bz2 -> ImageMagick-7.0.8-34.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/ImageMagick/ImageMagick-7.0.8-28.tar.bz2 /work/SRC/openSUSE:Factory/.ImageMagick.new.25356/ImageMagick-7.0.8-34.tar.bz2 differ: char 11, line 1 ++++++ ImageMagick-configuration-SUSE.patch ++++++ Index: policy.xml =================================================================== --- policy.xml 2018-10-01 13:13:51.008702622 +0200 +++ policy.xml 2018-10-01 13:22:06.174722426 +0200 @@ -75,4 +75,21 @@ <!-- <policy domain="cache" name="memory-map" value="anonymous"/> --> <!-- <policy domain="cache" name="synchronize" value="True"/> --> <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> + <!-- Disable insecure coders by default --> + <!-- https://bugzilla.suse.com/show_bug.cgi?id=978061 --> + <policy domain="coder" rights="none" pattern="EPHEMERAL" /> + <policy domain="coder" rights="none" pattern="URL" /> + <policy domain="coder" rights="none" pattern="HTTPS" /> + <policy domain="coder" rights="none" pattern="MVG" /> + <policy domain="coder" rights="none" pattern="MSL" /> + <policy domain="coder" rights="none" pattern="TEXT" /> + <policy domain="coder" rights="none" pattern="SHOW" /> + <policy domain="coder" rights="none" pattern="WIN" /> + <policy domain="coder" rights="none" pattern="PLT" /> + <policy domain="coder" rights="write" pattern="PS" /> + <policy domain="coder" rights="write" pattern="PS2" /> + <policy domain="coder" rights="write" pattern="PS3" /> + <policy domain="coder" rights="write" pattern="PDF" /> + <policy domain="coder" rights="write" pattern="XPS" /> + <policy domain="coder" rights="write" pattern="EPS" /> </policymap>
