From: "Thomas Deutschmann"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann"
Message-ID: <1587721790.c03d5059039c5b0f43c019edfb541ae396162e6f.whissi@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: media-gfx/imagemagick/
X-VCS-Repository: repo/gentoo
X-VCS-Files: media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild
X-VCS-Directories: media-gfx/imagemagick/
X-VCS-Committer: whissi
X-VCS-Committer-Name: Thomas Deutschmann
X-VCS-Revision: c03d5059039c5b0f43c019edfb541ae396162e6f
X-VCS-Branch: master
Date: Fri, 24 Apr 2020 09:51:51 +0000 (UTC)

commit: c03d5059039c5b0f43c019edfb541ae396162e6f
Author: Thomas Deutschmann gentoo org>
AuthorDate: Fri Apr 24 09:48:20 2020 +0000
Commit: Thomas Deutschmann gentoo org>
CommitDate: Fri Apr 24 09:49:50 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059

media-gfx/imagemagick: restore hardening

Bug: https://bugs.gentoo.org/716674
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann gentoo.org>

....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild similarity index 86% rename from media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild rename to media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild index 8f24371e266..4d2561accf7 100644 --- a/media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild 
+++ b/media-gfx/imagemagick/imagemagick-7.0.10.7-r1.ebuild @@ -83,6 +83,16 @@ S="${WORKDIR}/${MY_P}" src_prepare() { default + # Apply hardening #664236 + cp "${FILESDIR}"/policy-hardening.snippet "${S}" || die + sed -i -e '/^$/ { + r policy-hardening.snippet + d + }' \ + config/policy.xml || \ + die "Failed to apply hardening of policy.xml" + einfo "policy.xml hardened" + elibtoolize # for Darwin modules # For testsuite, see https://bugs.gentoo.org/show_bug.cgi?id=500580#c3 @@ -223,3 +233,35 @@ src_install() { insinto /usr/share/${PN} doins config/*icm } + +pkg_postinst() { + local _show_policy_xml_notice= + + if [[ -z "${REPLACING_VERSIONS}" ]]; then + # This is a new installation + _show_policy_xml_notice=yes + else + local v + for v in ${REPLACING_VERSIONS}; do + if ! ver_test "${v}" -gt "7.0.8.10-r2"; then + # This is an upgrade + _show_policy_xml_notice=yes + + # Show this elog only once + break + fi + done + fi + + if [[ -n "${_show_policy_xml_notice}" ]]; then + elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7" + elog "which will prevent the usage of the following coders by default:" + elog "" + elog " - PS" + elog " - PS2" + elog " - PS3" + elog " - EPS" + elog " - PDF" + elog " - XPS" + fi +}
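
Review bot: in the src_prepare hunk, `|| die "Failed to apply hardening of policy.xml"` cannot catch the case that matters, because `sed -i` exits 0 when its address matches nothing, so `einfo "policy.xml hardened"` prints whether or not the snippet was inserted. If upstream changes the layout of config/policy.xml, the package would build and install with an unhardened policy and a log line saying otherwise. Suggest following the sed with a check that a line known to come from policy-hardening.snippet is present in config/policy.xml, and calling die if it is not. The address as it reads here, `/^$/`, selects every empty line rather than a single anchor, so it is also worth confirming that it matches exactly one line of the file.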
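
Review bot: in the pkg_postinst hunk, the notice is gated on `! ver_test "${v}" -gt "7.0.8.10-r2"`, so anyone replacing imagemagick-7.0.10.7 (the ebuild this one is renamed from, which has no hardening step in src_prepare) gets no elog even though the PS, PS2, PS3, EPS, PDF and XPS coders become blocked for them with this revision. Consider raising the cutoff so it covers the versions that shipped without the snippet, and add a comment saying what 7.0.8.10-r2 marks, since "# This is an upgrade" does not explain the choice. The coder list in the elog is also a hand-maintained copy of what policy-hardening.snippet blocks, so the two can drift apart; a comment pointing from one to the other would help.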