Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-07 05:25:35 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/source/l/imagemagick/imagemagick.SlackBuild
Patrick J Volkerding 1e755d579a Tue Oct 1 18:01:38 UTC 2024 
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
a/kernel-firmware-20241001_95bfe08-noarch-1.txz:  Upgraded.
a/kernel-generic-6.10.12-x86_64-1.txz:  Upgraded.
a/pkgtools-15.1-noarch-12.txz:  Rebuilt.
  makepkg: when looking for ELF objects with --remove-rpaths or
  --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
  of the directory or filename.
  Also warn about /tmp rpaths after the package is built.
ap/cups-2.4.11-x86_64-1.txz:  Upgraded.
ap/cups-browsed-2.0.1-x86_64-2.txz:  Rebuilt.
  Mitigate security issue that could lead to a denial of service or
  the execution of arbitrary code.
  Rebuilt with --with-browseremoteprotocols=none to disable incoming
  connections, since this daemon has been shown to be insecure. If you
  actually use cups-browsed, be sure to install the new
  /etc/cups/cups-browsed.conf.new containing this line:
  BrowseRemoteProtocols none
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-47176
  (* Security fix *)
d/kernel-headers-6.10.12-x86-1.txz:  Upgraded.
d/llvm-18.1.8-x86_64-3.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
d/luajit-2.1.1727621189-x86_64-1.txz:  Upgraded.
d/ruby-3.3.5-x86_64-2.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
k/kernel-source-6.10.12-noarch-1.txz:  Upgraded.
kde/kimageformats-5.116.0-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
kde/kio-extras-23.08.5-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
kde/krita-5.2.5-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
kde/libindi-2.1.0-x86_64-1.txz:  Upgraded.
l/cryfs-0.10.3-x86_64-13.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/espeak-ng-1.51.1-x86_64-2.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/ffmpeg-7.1-x86_64-1.txz:  Upgraded.
l/gegl-0.4.48-x86_64-3.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
l/gst-plugins-bad-free-1.24.8-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
l/imagemagick-7.1.1_38-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
l/libgsf-1.14.53-x86_64-1.txz:  Upgraded.
l/librsvg-2.58.5-x86_64-1.txz:  Upgraded.
l/libvncserver-0.9.14-x86_64-3.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/mozjs128-128.3.0esr-x86_64-1.txz:  Upgraded.
l/netpbm-11.08.00-x86_64-1.txz:  Upgraded.
l/opencv-4.10.0-x86_64-3.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
l/openexr-3.3.0-x86_64-1.txz:  Upgraded.
  Shared library .so-version bump.
l/python-glad2-2.0.8-x86_64-1.txz:  Upgraded.
l/python-pyproject-hooks-1.2.0-x86_64-1.txz:  Upgraded.
l/spirv-llvm-translator-18.1.4-x86_64-2.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/woff2-20231106_0f4d304-x86_64-2.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
n/openobex-1.7.2-x86_64-6.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
x/marisa-0.2.6-x86_64-11.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
xap/gimp-2.10.38-x86_64-2.txz:  Rebuilt.
  Recompiled against openexr-3.3.0.
xap/mozilla-firefox-128.3.0esr-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-47
    https://www.cve.org/CVERecord?id=CVE-2024-9392
    https://www.cve.org/CVERecord?id=CVE-2024-9393
    https://www.cve.org/CVERecord?id=CVE-2024-9394
    https://www.cve.org/CVERecord?id=CVE-2024-8900
    https://www.cve.org/CVERecord?id=CVE-2024-9396
    https://www.cve.org/CVERecord?id=CVE-2024-9397
    https://www.cve.org/CVERecord?id=CVE-2024-9398
    https://www.cve.org/CVERecord?id=CVE-2024-9399
    https://www.cve.org/CVERecord?id=CVE-2024-9400
    https://www.cve.org/CVERecord?id=CVE-2024-9401
    https://www.cve.org/CVERecord?id=CVE-2024-9402
  (* Security fix *)
xap/xlockmore-5.80-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
testing/packages/kernel-generic-6.11.1-x86_64-1.txz:  Upgraded.
testing/packages/kernel-headers-6.11.1-x86-1.txz:  Upgraded.
testing/packages/kernel-source-6.11.1-noarch-1.txz:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
2024-10-01 22:04:37 +02:00

223 lines
7.2 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2023 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=imagemagick
BUILD=${BUILD:-2}
# NOTE: This is to cope with ImageMagick version numbers such as 5.4.7-4,
# which occur fairly often (but not always). If these numbers are all the same,
# then this is not one of those versions.
# This is a bit messy, so we'll explain it well. :-)
# This is the version number used in the source tarball filename
FILEVER=$(echo ImageMagick-*.tar.?z | cut -f 2- -d - | rev | cut -f 3- -d . | rev)
# This is the base version number, which is needed to cd into the source tree.
# Normally this is the same as $FILEVER, but allow setting it here if needed.
BASEVER=$FILEVER
# This is the version number used in the package, where a version number cannot
# contain a '-'. We'll try to autogenerate this one.
PKGVER=$(echo $FILEVER | tr - _)
# Default security policy to install as policy.xml:
POLICY=${POLICY:-limited}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) export ARCH=i686 ;;
arm*) export ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) export ARCH=$( uname -m ) ;;
esac
fi
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PKGNAM-$PKGVER-$ARCH-$BUILD.txz"
exit 0
fi
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
if [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=pentium4 -mtune=generic"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -march=x86-64 -mtune=generic -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
TMP=${TMP:-/tmp}
PKG=$TMP/package-imagemagick
rm -rf $PKG
mkdir -p $TMP $PKG
# --with-x or not --with-x, that is the question. It seems many other
# distributions don't compile with X support, but it's been traditional
# here. I am moving the prefix to /usr (instead of /usr/X11R6) though,
# because many X-linked things are put into /usr now (like GNOME), and
# I've heard a few reports of compile failures when this isn't in /usr.
# Everyone else does it -- time to follow the path of least resistance.
cd $TMP
rm -rf ImageMagick-$BASEVER
tar xvf $CWD/ImageMagick-$FILEVER.tar.?z || exit 1
cd ImageMagick-$BASEVER || exit 1
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \+ -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--mandir=/usr/man \
--sysconfdir=/etc \
--program-prefix= \
--with-x \
--with-frozenpaths=no \
--with-modules \
--enable-opencl \
--enable-hdri \
--enable-static=no \
--enable-shared \
--with-fftw \
--with-gcc-arch=$ARCH \
--with-perl \
--with-perl-options="INSTALLDIRS=vendor INSTALL_BASE=" \
--with-rsvg \
--with-security-policy=$POLICY \
--build=$ARCH-slackware-linux || exit 1
make $NUMJOBS || make || exit 1
# First, spam the running development system, as ImageMagick is unable to
# properly link the utilities against a new shared library major version
# otherwise which has led to several broken packages over the years:
make $NUMJOBS install || exit 1
rm -f /usr/lib${LIBDIRSUFFIX}/libMagick*.la
/sbin/ldconfig
# Now build again against the new libraries and headers:
make clean
make $NUMJOBS || make || exit 1
make $NUMJOBS install DESTDIR=$PKG || exit 1
# This should certainly not be included.
# It stomps on the libtool package.
rm -f $PKG/usr/lib${LIBDIRSUFFIX}/libltdl.*
# .la files in /usr/lib${LIBDIRSUFFIX}/ should be removed.
# Other .la files should be left alone, as ImageMagick uses them internally
# to locate modules.
rm -f $PKG/usr/lib${LIBDIRSUFFIX}/*.la
# Make sure the proper security policy.xml is installed:
cp -a config/policy-${POLICY}.xml $PKG/etc/ImageMagick-7/policy.xml
# Provide all the security policy XML files as examples:
for file in config/policy*xml ; do
cp -a $file $PKG/etc/ImageMagick-7/$(basename ${file}).example
done
( cd $PKG
# Nothing but a perl upgrade should replace this (and maybe not even that)
find . -name perllocal.pod | xargs rm -f
)
# DESTDIR is still broken about this, but works well enough otherwise:
chmod 644 $PKG/usr/share/man/man3/*
mv $PKG/usr/share/man/man3 $PKG/usr/man
rmdir $PKG/usr/share/man
( cd $PKG/usr/lib${LIBDIRSUFFIX}/perl5
# Ditch empty dirs:
rmdir */* 2> /dev/null
rmdir * 2> /dev/null
)
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
# Remove rpaths:
for file in $(find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF | cut -f 1 -d : 2> /dev/null) ; do
if [ ! "$(patchelf --print-rpath $file 2> /dev/null)" = "" ]; then
patchelf --remove-rpath $file
fi
done
# Compress and link manpages, if any:
if [ -d $PKG/usr/man ]; then
( cd $PKG/usr/man
for manpagedir in $(find . -type d -name "man*") ; do
( cd $manpagedir
for eachpage in $( find . -type l -maxdepth 1 | grep -v '\.gz$') ; do
ln -s $( readlink $eachpage ).gz $eachpage.gz
rm $eachpage
done
gzip -9 *.?
)
done
)
fi
# Move config files to .new:
( cd $PKG/etc/ImageMagick*
for file in *.xml ; do
mv ${file} ${file}.new
done
)
mkdir -p $PKG/usr
mv $PKG/usr/share/doc $PKG/usr
cp -a \
AUTHORS LICENSE NEWS NOTICE Platforms.txt QuickStart.txt README.txt \
$PKG/usr/doc/Imag*
# If there's a ChangeLog, installing at least part of the recent history
# is useful, but don't let it get totally out of control:
if [ -r ChangeLog ]; then
DOCSDIR=$(echo $PKG/usr/doc/ImageMagick-*)
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
touch -r ChangeLog $DOCSDIR/ChangeLog
fi
mkdir -p $PKG/install
zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
cat $CWD/slack-desc > $PKG/install/slack-desc
cd $PKG
/sbin/makepkg -l y -c n $TMP/imagemagick-$PKGVER-$ARCH-$BUILD.txz
Reference in a new issue View git blame Copy permalink