ALP-pool/ghostscript
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 ghostscript revision e07e082e975c9db289fbeb23e3a385a2

Browse Source
This commit is contained in:
Adrian Schröter 2024-03-07 09:57:38 +01:00
parent 0104e6d035
commit 7b1f93023b
10 changed files with 98 additions and 469 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CVE-2023-28879.patch
View File

@ -1,17 +0,0 @@
--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;

116
CVE-2023-36664.patch
View File

@ -1,116 +0,0 @@
--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {

11
CVE-2023-38559.patch
View File

@ -1,11 +0,0 @@
--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {

20
CVE-2023-43115.patch
View File

@ -1,20 +0,0 @@
--- devices/gdevijs.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ devices/gdevijs.c 2023-09-20 08:18:09.178777690 +0200
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
if (!ijsdev->ColorSpace) {
ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
"gsijs_initialize");
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_para
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",

20
CVE-2023-46751.patch
View File

@ -1,20 +0,0 @@
--- base/gdevprn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevprn.c 2024-01-03 12:53:20.009504451 +0100
@@ -1268,6 +1268,7 @@ gdev_prn_open_printer_seekable(gx_device
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
--- devices/gdevtsep.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ devices/gdevtsep.c 2024-01-03 13:04:42.048210048 +0100
@@ -736,6 +736,7 @@ tiffsep_initialize_device_procs(gx_devic
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);

BIN
ghostscript-10.02.1.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
ghostscript-9.56.1.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

51
ghostscript.changes
View File

@ -1,3 +1,48 @@
-------------------------------------------------------------------
Tue Feb 27 10:59:43 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Thu Feb 22 09:07:33 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Allow to disable apparmor support (ALP supports only SELinux)
-------------------------------------------------------------------
Sun Jan 28 10:39:57 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 10.02.1:
* Patch release to address some security bugs
* This release (10.02.0) marks the final demise of the
PostScript based PDF interpreter.
* This 10.01.1 release removes the "-dNEWPDF=false" command
line option to fall back to the deprecated, old PDF
interpreter.
* This 10.01.0 release removes the "-dNEWPDF=false" command
line option to fall back to the deprecated, old PDF
interpreter.
* This release officially deprecates the old Postscript
implementation of PDF, we will not be updating or maintaining
that code moving forward. The option to use the old PDF
implementation _**will**_ be removed in the next full release
(10.01.0)
* Important: This release includes the new PDF interpreter
(implemented in C rather than PostScript). It is both
integrated into Ghostscript (now ENABLED by default), and
available as a standalone, PDF only, binary. See
https://ghostscript.com/pdfi.html for more details.
* This also bundles the latest zlib (1.2.12) which addresses a
security issue (CVE-2018-25032)
* **Important**: This release includes the new PDF interpreter
(implemented in C rather than PostScript). It is both
integrated into Ghostscript (now **ENABLED** by default), and
available as a standalone, PDF only, binary. See
https://ghostscript.com/pdfi.html for more details.
- drop CVE-2023-28879.patch, CVE-2023-36664.patch,
CVE-2023-38559.patch, CVE-2023-43115.patch,
CVE-2023-46751.patch: upstream
- drop remove-zlib-h-dependency.patch: unused
-------------------------------------------------------------------
Wed Jan 3 12:15:46 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
@ -103,12 +148,12 @@ Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller <dmueller@suse.com>
-------------------------------------------------------------------
Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller <dmueller@suse.com>
- Use _multibuild
- Use _multibuild
-------------------------------------------------------------------
Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller <dmueller@suse.com>
- Use system zlib (bsc#1198449)
- Use system zlib (bsc#1198449)
-------------------------------------------------------------------
Thu Apr 7 08:14:51 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
@ -231,7 +276,7 @@ Tue Oct 20 16:03:48 CEST 2020 - jsmeix@suse.de
Note for GSView Users: The patch level addition breaks
GSView 5 (it is hardcoded to check for versions 704-999).
It is possible, but not guaranteed that a GSView update might
be forthcoming to resolve this.
be forthcoming to resolve this.
For a release summary see:
https://www.ghostscript.com/doc/9.53.3/News.htm
For details see the News.htm and History9.htm files.

313
ghostscript.spec
View File

@ -1,5 +1,5 @@
#
# spec file
# spec file for package ghostscript
#
# Copyright (c) 2024 SUSE LLC
#
@ -21,76 +21,25 @@
%global psuffix -mini
%else
%global psuffix %{nil}
%bcond_without apparmor
%endif
# built_version is used below in the install and files sections:
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
%define built_version %{version}
Name: ghostscript%{psuffix}
Version: 9.56.1
Version: 10.02.1
Release: 0
Summary: The Ghostscript interpreter for PostScript and PDF
License: AGPL-3.0-only
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# sha512:fe5a5103c081dd87cf8b3e0bbbd0df004c0e4e04e41bded7c70372916e6e26249a0e8fa434b561292964c5f3820ee6c60ef1557827a6efb5676012ccb73ded85
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9561/ghostscript-%{version}.tar.xz
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-%{version}.tar.xz
Source10: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
# Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
Patch102: CVE-2023-28879.patch
# Patch103 CVE-2023-36664.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
Patch103: CVE-2023-36664.patch
# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
Patch104: CVE-2023-38559.patch
# Patch105 CVE-2023-43115.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
Patch105: CVE-2023-43115.patch
# Patch106 CVE-2023-46751.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# adapted for Ghostscript-9.56.1 that fixes
# https://bugs.ghostscript.com/show_bug.cgi?id=707264
# which includes a fix for CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugzilla.suse.com/show_bug.cgi?id=1217871
Patch106: CVE-2023-46751.patch
# Build Requirements:
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
@ -102,43 +51,7 @@ BuildRequires: pkgconfig
BuildRequires: update-alternatives
BuildRequires: zlib-devel
Requires(post): update-alternatives
Requires(preun):update-alternatives
# RPM dependencies:
# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
# "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
# ghostscript
# gs
# gs_lib
# pstoraster
# ghostscript_any
# ghostscript-serv
# gs_x11
# ghostscript_x11
# ghostscript-mini
# Which of those are actually used in openSUSE:Factory (dated 22 Feb. 2012):
# ghostscript
# gs
# gs_lib
# ghostscript_any
# ghostscript_x11
# ghostscript-mini
# Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012):
# webdot Requires ghostscript
# ddd BuildRequires ghostscript_any
# emacs-auctex BuildRequires ghostscript_any
# kernel-docs BuildRequires ghostscript_any
# texlive-bin BuildRequires ghostscript_any
# cups Requires ghostscript_any
# html2ps Requires ghostscript_any
# latex2html Requires ghostscript_any
# pstoedit Requires ghostscript_any
# ghostview Requires ghostscript_x11
# gv Requires ghostscript_x11
# texlive-bin Requires ghostscript_x11
# klatexformula BuildRequires gs and Requires gs
# capi4hylafax Requires gs_lib
# hylafax Requires gs_lib
# graphviz-plugins BuildRequires ghostscript-mini
Requires(preun): update-alternatives
# Provide the additional RPM Provides of the ghostscript-library package
# (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
# The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@ -166,11 +79,13 @@ BuildRequires: cups154-devel
%else
BuildRequires: cups-devel
%endif
%if %{with apparmor}
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
%endif
%endif
%endif
# Always check if latest version of openjpeg becomes compatible with ghostscript
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
@ -183,13 +98,11 @@ Conflicts: ghostscript-x11
%else
Recommends: ghostscript-x11 = %{version}-%{release}
Conflicts: ghostscript-x11 < %{version}-%{release}
Provides: gs = %{version}
Provides: gs_lib = %{version}
# There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4.
# Satisfy it to be backward compatible with installed gutenprint packages:
Provides: pstoraster
Provides: %{version}
Provides: ghostscript-library = %{version}
Provides: gs = %{version}
Provides: gs_lib = %{version}
Provides: pstoraster
Obsoletes: ghostscript-library < %{version}
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because
# this package ghostscript should replace any version of ghostscript-mini.
@ -202,74 +115,40 @@ Recommends: (cups-filters-ghostscript if cups)
%description
Ghostscript is a package of software that provides:
An interpreter for the PostScript language,
with the ability to convert PostScript language files
to many raster formats, view them on displays,
and print them on printers that don't have
PostScript language capability built in.
An interpreter for the PostScript language, with the ability to convert
PostScript language files to many raster formats, view them on displays, and
print them on printers that don't have PostScript language capability built in.
An interpreter for Portable Document Format (PDF) files,
with the same abilities.
An interpreter for Portable Document Format (PDF) files, with the same
abilities.
The ability to convert PostScript language files
to PDF (with some limitations) and vice versa.
The ability to convert PostScript language files to PDF (with some limitations)
and vice versa.
A set of C procedures (the Ghostscript library)
that implement the graphics and filtering
(data compression / decompression / conversion)
capabilities that appear as primitive operations
in the PostScript language and in PDF.
A set of C procedures (the Ghostscript library) that implement the graphics and
filtering (data compression / decompression / conversion) capabilities that
appear as primitive operations in the PostScript language and in PDF.
For information how to use Ghostscript see
%{_datadir}/ghostscript/%{version}/doc/Use.htm
%package x11
Summary: X11 library for Ghostscript
# Require the exact matching version-release of the ghostscript main-package because
# a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
# because all Ghostscript software is built from one same Ghostscript source tar ball
# so that there could be any kind of Ghostscript-internal dependencies.
# The exact matching version-release of the ghostscript main-package is available
# on the same package repository where the ghostscript-x11 sub-package is because
# all are built simulaneously from the same Ghostscript source package:
Group: Productivity/Publishing/PS
Requires: ghostscript = %{version}-%{release}
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
# an unversioned "Provides: ghostscript" and for RPM this means that both
# ghostscript-library and ghostscript-mini provide any version of "ghostscript"
# so that any version of ghostscript-library and ghostscript-mini fulfills
# the above versioned requirement which is wrong and therefore an explicit conflicts
# is used here to avoid the mess.
# Above the ghostscript main package "Provides: ghostscript-library = version" so that
# versioned conflicts are needed to avoid a conflict with the ghostscript main package.
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two conflicts are used:
Conflicts: ghostscript-library < %{version}
Conflicts: ghostscript-library > %{version}
Conflicts: ghostscript-mini
Provides: ghostscript_x11 = %{version}
%description x11
This package contains the X11 library which is needed
to view PostScript and PDF files with Ghostscript
under the X Window System.
This package contains the X11 library which is needed to view PostScript and
PDF files with Ghostscript under the X Window System.
%package devel
Summary: Development files for Ghostscript
Group: Development/Libraries/C and C++
Requires: ghostscript = %{version}
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
# an unversioned "Provides: ghostscript" and for RPM this means that both
# ghostscript-library and ghostscript-mini provide any version of "ghostscript"
# so that any version of ghostscript-library and ghostscript-mini fulfills
# the above versioned requirement which is wrong and therefore an explicit conflicts
# is used here to avoid the mess.
# Above the ghostscript main package "Provides: ghostscript-library = version" so that
# versioned conflicts are needed to avoid a conflict with the ghostscript main package.
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two conflicts are used:
Conflicts: ghostscript-library < %{version}
Conflicts: ghostscript-library > %{version}
Conflicts: ghostscript-mini
@ -281,102 +160,16 @@ This package contains the development files for Ghostscript.
%prep
%setup -q -n ghostscript-%{version}
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
%patch102
# Patch103 CVE-2023-36664.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
%patch103
# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
%patch104
# Patch105 CVE-2023-43115.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
%patch105
# Patch106 CVE-2023-46751.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# adapted for Ghostscript-9.56.1 that fixes
# https://bugs.ghostscript.com/show_bug.cgi?id=707264
# which includes a fix for CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugzilla.suse.com/show_bug.cgi?id=1217871
%patch106
%patch -P 101 -p1
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig
# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball
# because we prefer to use for long-established standard libraries the ones from SUSE
# in particular to automatically get SUSE security updates for standard libraries.
# In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one
# is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE:
#rm -rf freetype jpeg libpng tiff zlib
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
%if 0%{?suse_version} == 1315
# Again use the freetype sources from Ghostscript upstream because
# Ghostscript 9.27 does no longer build this way for SLE12:
rm -rf jpeg libpng tiff
%else
rm -rf freetype jpeg libpng tiff
%endif
rm -rf freetype jpeg libpng lcms2art zlib tiff
%if 0%{?suse_version} >= 1550
rm -rf openjpeg
%endif
rm -rf zlib
# In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
# because that is what Ghostscript upstream recommends according to
# https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
# because singe Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript
# but now it is lcms2art (the beginning of a lcms2 fork - see News.htm).
# On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5
# which is too old so that configure fails there with
# checking for local lcms2 library source... no
# checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no
# configure: error: lcms2 not found, or too old
# (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old)
# but there is no configure option to build it without lcms2
# so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript
# i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1
# cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
%if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100
echo "Building it with lcms2art in Ghostscript"
%else
rm -rf lcms2art
%endif
%build
# Derive build timestamp from latest changelog entry
@ -412,23 +205,13 @@ autoreconf -fi
%define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
# See http://bugs.ghostscript.com/show_bug.cgi?id=693100
export SUSE_ASNEEDED=0
# The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here)
# ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking
# --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
# --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
# --mandir=/usr/share/man --infodir=/usr/share/info
# --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
# --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits
# --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x
# --disable-gtk --without-ufst --without-libpaper --without-tesseract
# configure: WARNING: unrecognized options: --disable-dependency-tracking
# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro.
%configure \
--with-fontpath=%{gs_font_path} \
--with-libiconv=maybe \
--enable-freetype \
--with-jbig2dec \
--enable-openjpeg \
--disable-hidden-visibility \
--enable-dynamic \
--disable-compile-inits \
%if "%{flavor}" == "mini"
@ -439,12 +222,15 @@ export SUSE_ASNEEDED=0
--with-drivers=FILES \
--without-x \
%else
--without-local-zlib \
--with-ijs \
--enable-cups \
--enable-dbus \
--without-pdftoraster \
--with-drivers=ALL \
--with-x \
%endif
--without-local-zlib \
--with-system-libtiff \
--disable-gtk \
--without-ufst \
--without-libpaper \
@ -478,7 +264,7 @@ rm %{buildroot}%{_bindir}/ijs_client_example
rm %{buildroot}%{_bindir}/ijs_server_example
rm %{buildroot}%{_libdir}/libijs.la
# Install examples:
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
for E in examples/*
do install -m 644 $E $EXAMPLESDIR || :
@ -490,7 +276,7 @@ done
# Install documentation which is not installed by default
# see http://bugs.ghostscript.com/show_bug.cgi?id=693002
# and fail intentionally as notification if something changed:
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version}
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{version}
for D in LICENSE
do test -e $DOCDIR/$( basename $D ) && exit 99
install -m 644 $D $DOCDIR
@ -502,7 +288,7 @@ done
# because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above):
install -d -m 755 %{buildroot}%{_defaultdocdir}
pushd %{buildroot}%{_defaultdocdir}
ln -s ../ghostscript/%{built_version} ghostscript
ln -s ../ghostscript/%{version} ghostscript
popd
# Extract the catalog of devices which are actually built-in in exactly this Ghostscript:
# If a needed source file is no longer accessible fail intentionally as notification
@ -522,9 +308,11 @@ done
# Switch back to the usual build log messages:
set -x
install -m 644 catalog.devices $DOCDIR
%if %{with apparmor}
%if "%{flavor}" != "mini"
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
%endif
%endif
# Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
install -d %{buildroot}%{_sysconfdir}/alternatives
@ -534,11 +322,13 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
%post
/sbin/ldconfig
%if %{with apparmor}
%if "%{flavor}" != "mini"
%if 0%{?suse_version} >= 1500
%apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
%endif
%endif
%endif
%{_sbindir}/update-alternatives \
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15
@ -551,6 +341,7 @@ if test $1 -eq 0 ; then
fi
%files
%license LICENSE
%ghost %config %{_sysconfdir}/alternatives/gs
%{_bindir}/dvipdf
%{_bindir}/eps2eps
@ -601,39 +392,29 @@ fi
%{_mandir}/man1/ps2pdf14.1%{?ext_man}
%{_mandir}/man1/ps2pdfwr.1%{?ext_man}
%{_mandir}/man1/ps2ps.1%{?ext_man}
%{_mandir}/de/man1/dvipdf.1%{?ext_man}
%{_mandir}/de/man1/eps2eps.1%{?ext_man}
%{_mandir}/de/man1/gsnd.1%{?ext_man}
%{_mandir}/de/man1/pdf2dsc.1%{?ext_man}
%{_mandir}/de/man1/pdf2ps.1%{?ext_man}
%{_mandir}/de/man1/printafm.1%{?ext_man}
%{_mandir}/de/man1/ps2ascii.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf12.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf13.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf14.1%{?ext_man}
%{_mandir}/de/man1/ps2ps.1%{?ext_man}
%doc %{_defaultdocdir}/ghostscript
%dir %{_datadir}/doc/ghostscript
%doc %{_datadir}/doc/ghostscript/%{built_version}
%doc %{_datadir}/doc/ghostscript/%{version}
%dir %{_datadir}/ghostscript
%dir %{_datadir}/ghostscript/%{built_version}
%{_datadir}/ghostscript/%{built_version}/Resource
%{_datadir}/ghostscript/%{built_version}/iccprofiles
%{_datadir}/ghostscript/%{built_version}/examples/
%{_datadir}/ghostscript/%{built_version}/lib/
%dir %{_datadir}/ghostscript/%{version}
%{_datadir}/ghostscript/%{version}/Resource
%{_datadir}/ghostscript/%{version}/iccprofiles
%{_datadir}/ghostscript/%{version}/examples/
%{_datadir}/ghostscript/%{version}/lib/
%{_libdir}/libgs.so.*
%{_libdir}/ghostscript/
%{_libdir}/libijs-0.35.so
%if "%{flavor}" != "mini"
%exclude %{_libdir}/ghostscript/%{built_version}/X11.so
%exclude %{_libdir}/ghostscript/%{version}/X11.so
%if %{with apparmor}
%if 0%{?suse_version} < 1500
%dir %{_sysconfdir}/apparmor.d
%endif
%{_sysconfdir}/apparmor.d/ghostscript
%endif
%files x11
%{_libdir}/ghostscript/%{built_version}/X11.so
%{_libdir}/ghostscript/%{version}/X11.so
%endif
%files devel

13
remove-zlib-h-dependency.patch
View File

@ -1,13 +0,0 @@
Index: ghostscript-9.18/base/lib.mak
===================================================================
--- ghostscript-9.18.orig/base/lib.mak
+++ ghostscript-9.18/base/lib.mak
@@ -582,7 +582,7 @@ srlx_h=$(GLSRC)srlx.h
sstring_h=$(GLSRC)sstring.h
strimpl_h=$(GLSRC)strimpl.h $(scommon_h) $(gstypes_h) $(gsstruct_h)
szlibx_h=$(GLSRC)szlibx.h
-zlib_h=$(ZSRCDIR)$(D)zlib.h
+zlib_h= #$(ZSRCDIR)$(D)zlib.h
# We have two of the following, for shared zlib (_1)
# and 'local' zlib (_0)
szlibxx_h_1=$(GLSRC)szlibxx.h $(szlibx_h)