authorDaniel Bermond2019-10-03 13:29:27 +0000
committerDaniel Bermond2019-10-03 13:29:27 +0000
commit1b24efcf8d3238bb0e3aec6fa8f84463063a4e5a (patch)
tree740d0ade589347c42e63688c85006c0f5f2c0e28 /PKGBUILD
parentb4585ebe72e1effaf202c147994c318dea3e8bf7 (diff)
downloadaur-1b24efcf8d3238bb0e3aec6fa8f84463063a4e5a.tar.gz
Add tcmalloc support. gs security issues.
Diffstat (limited to 'PKGBUILD')
-rw-r--r--PKGBUILD46
1 files changed, 21 insertions, 25 deletions
diff --git a/PKGBUILD b/PKGBUILD
index 4f86f708c9f0..2528f53af885 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,11 @@
# For more information about DPS being obsolete please visit:
# http://www.x.org/releases/X11R7.7/doc/xorg-docs/graphics/dps.html
-# NOTE (2):
+# NOTE (2): linking to ghostscript libs (gslib) is disabled due to
+# security issues. ImageMagick will call 'gs' executable directly
+# instead. See: https://bugs.archlinux.org/task/62171
+
+# NOTE (3):
# change font directories in build() to match yours:
# - deJaVu and GhostScript font directories are the default ones
# - Windows font directory is set according to a Wiki example
@@ -15,10 +19,10 @@ _qdepth='32'
pkgbase=imagemagick-full-git
pkgname=('imagemagick-full-git' 'imagemagick-full-doc-git')
_srcname=ImageMagick
-pkgver=7.0.8.50.r15714.g84a30c031
+pkgver=7.0.8.68.r16153.g07fb0fdd5
pkgrel=1
arch=('x86_64')
-pkgdesc="An image viewing/manipulation program (Q${_qdepth} HDRI with all libs and features, git version)"
+pkgdesc="An image viewing/manipulation program (Q${_qdepth} HDRI with all features, git version)"
url='https://www.imagemagick.org/'
license=('custom')
makedepends=(
@@ -26,19 +30,16 @@ makedepends=(
'git' 'perl' 'jbigkit' 'opencl-headers' 'glu' 'ghostpcl' 'ghostxps'
'zstd' 'chrpath'
'lcms2' 'libraqm' 'liblqr' 'fftw' 'libxml2' 'fontconfig' 'freetype2' 'libxext'
- 'libx11' 'bzip2' 'zlib' 'libltdl' 'jemalloc' 'djvulibre' 'libraw' 'graphviz'
- 'openexr' 'libheif' 'openjpeg2' 'libjpeg-turbo' 'xz' 'glib2' 'pango' 'cairo'
- 'libpng' 'ghostscript' 'ming' 'librsvg' 'libtiff' 'libwebp' 'libwmf' 'ocl-icd'
- 'gsfonts' 'ttf-dejavu' 'perl'
+ 'libx11' 'bzip2' 'zlib' 'libltdl' 'jemalloc' 'gperftools' 'djvulibre' 'libraw'
+ 'graphviz' 'openexr' 'libheif' 'openjpeg2' 'libjpeg-turbo' 'xz' 'glib2' 'pango'
+ 'cairo' 'libpng' 'ghostscript' 'ming' 'librsvg' 'libtiff' 'libwebp' 'libwmf'
+ 'ocl-icd' 'gsfonts' 'ttf-dejavu' 'perl' 'gperftools'
# AUR:
'pstoedit-nomagick' 'autotrace-nomagick' 'flif' 'libfpx' 'libumem-git'
)
-BUILDENV+=('!check')
source=('git+https://github.com/ImageMagick/ImageMagick.git'
- 'imagemagick-full-security-fix.patch'
'arch-fonts.diff')
sha256sums=('SKIP'
- 'e2453381d283c33107194fa791d6b9b2c4c1856afb936d4fa010c05aaebe538e'
'a85b744c61b1b563743ecb7c7adad999d7ed9a8af816650e3ab9321b2b102e73')
prepare() {
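Review bot: `'gperftools'` is listed twice in the new `makedepends` array, once after `'jemalloc'` and again at the end of the last line, while the matching `depends` hunk further down adds it only once. The last line should read `'ocl-icd' 'gsfonts' 'ttf-dejavu' 'perl'` so both arrays stay in sync. `'perl'` is also already present on the context line that starts with `'git' 'perl'`, so the trailing `'perl'` is a second duplicate that was there before this commit. The array opens outside this hunk.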
@@ -46,13 +47,6 @@ prepare() {
mkdir -p docpkg/usr/share
- # 1) workaround for ghostscript security issues:
- # https://bugs.archlinux.org/task/59778
- # 2) security fix:
- # https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
- # https://imagetragick.com/
- patch -Np1 -i "${srcdir}/imagemagick-full-security-fix.patch"
-
# fix up typemaps to match Arch Linux packages, where possible
patch -Np1 -i "${srcdir}/arch-fonts.diff"
@@ -97,6 +91,7 @@ build() {
--with-perl \
--with-perl-options='INSTALLDIRS=vendor' \
--with-jemalloc \
+ --with-tcmalloc \
--with-umem \
--with-bzlib \
--with-x \
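Review bot: `--with-tcmalloc` now sits next to `--with-jemalloc` and `--with-umem`, so one configure run requests three replacement allocators and nothing in the PKGBUILD says which one the installed binaries actually use. For a parser that handles untrusted images, the allocator affects how heap corruption shows up, so the choice should be deliberate. Either keep a single `--with-*malloc` option, or add a header note such as `# NOTE (4): jemalloc, tcmalloc and umem are all requested; configure decides which one is linked (verify with ldd on the built magick binary)`. The configure invocation starts and ends outside this hunk.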
@@ -111,7 +106,7 @@ build() {
--with-fontconfig \
--with-freetype \
--with-raqm \
- --with-gslib \
+ --without-gslib \
--with-gvc \
--with-heic \
--with-jbig \
@@ -146,10 +141,8 @@ build() {
check() (
cd "$_srcname"
-
ulimit -n 4096
- sed -e '/validate-formats/d' -i Makefile # these fail due to the security patch
-
+ sed -e '/validate-formats/d' -i Makefile
make check
)
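Review bot: The `sed` that deletes the `validate-formats` tests is kept, but its only justification ("these fail due to the security patch") is removed, and the same commit stops applying that patch. Because `BUILDENV+=('!check')` is dropped as well, `check()` now runs by default with the format-validation tests silently stripped. If the tests pass again without the patch, drop the `sed` line. If they still fail, presumably because of `--without-gslib`, restore a comment with the real reason, e.g. `# validate-formats fails without gslib (TODO confirm)`.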
@@ -159,10 +152,10 @@ package_imagemagick-full-git() {
depends=(
# official repositories:
'lcms2' 'libraqm' 'liblqr' 'fftw' 'libxml2' 'fontconfig' 'freetype2' 'libxext'
- 'libx11' 'bzip2' 'zlib' 'libltdl' 'jemalloc' 'djvulibre' 'libraw' 'graphviz'
- 'openexr' 'libheif' 'openjpeg2' 'libjpeg-turbo' 'xz' 'glib2' 'pango' 'cairo'
- 'libpng' 'ghostscript' 'ming' 'librsvg' 'libtiff' 'libwebp' 'libwmf' 'ocl-icd'
- 'gsfonts' 'ttf-dejavu' 'perl'
+ 'libx11' 'bzip2' 'zlib' 'libltdl' 'jemalloc' 'gperftools' 'djvulibre' 'libraw'
+ 'graphviz' 'openexr' 'libheif' 'openjpeg2' 'libjpeg-turbo' 'xz' 'glib2' 'pango'
+ 'cairo' 'libpng' 'ghostscript' 'ming' 'librsvg' 'libtiff' 'libwebp' 'libwmf'
+ 'ocl-icd' 'gsfonts' 'ttf-dejavu' 'perl'
# AUR:
'pstoedit-nomagick' 'autotrace-nomagick' 'flif' 'libfpx' 'libumem-git'
)
@@ -185,6 +178,9 @@ package_imagemagick-full-git() {
# split docs
mv "${pkgdir}/usr/share/doc" docpkg/usr/share/
+ # harden security policy: https://bugs.archlinux.org/task/62785
+ sed -e '/<\/policymap>/i \ \ <policy domain="delegate" rights="none" pattern="gs" \/>' -i "${pkgdir}/etc/ImageMagick-7/policy.xml"
+
install -D -m644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}"
install -D -m644 NOTICE -t "${pkgdir}/usr/share/licenses/${pkgname}"
}
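Review bot: The policy hardening depends on `sed` finding `</policymap>` in the installed `policy.xml`; if upstream changes that closing tag, the insert does nothing and the package ships without the `gs` delegate restriction, with no build error. A check right after the `sed` makes that visible: `grep -q 'domain="delegate" rights="none" pattern="gs"' "${pkgdir}/etc/ImageMagick-7/policy.xml"`, assuming makepkg aborts on a failing command here. Separately, the removed `imagemagick-full-security-fix.patch` was described as also covering the imagetragick.com issue, and its contents are not visible on this page. It is worth confirming that the upstream default policy covers whatever that patch restricted, since this single `gs` line does not. The function body starts outside this hunk.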