From 404bd25e9d29f9e2669721f9a0c10ecfa93a0adc7ca7563a8945305998b93c27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 3 May 2024 12:50:12 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main ghostscript revision e07e082e975c9db289fbeb23e3a385a2 --- .gitattributes | 23 + _multibuild | 3 + apparmor_ghostscript | 36 + ghostscript-10.02.1.tar.xz | 3 + ghostscript.changes | 1696 +++++++++++++++++++++++++++++ ghostscript.spec | 427 ++++++++ ijs_exec_server_dont_use_sh.patch | 32 + 7 files changed, 2220 insertions(+) create mode 100644 .gitattributes create mode 100644 _multibuild create mode 100644 apparmor_ghostscript create mode 100644 ghostscript-10.02.1.tar.xz create mode 100644 ghostscript.changes create mode 100644 ghostscript.spec create mode 100644 ijs_exec_server_dont_use_sh.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..cd9eb4b --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + mini + diff --git a/apparmor_ghostscript b/apparmor_ghostscript new file mode 100644 index 0000000..de9fa35 --- /dev/null +++ b/apparmor_ghostscript @@ -0,0 +1,36 @@ +#include + +# this profile is mainly intended to prevent easy exploitation of +# issues in ghostscript. This is mainly intended as a hardening +# measure and doesn't alleviate the need for regular updates. +profile ghostscript /usr/bin/{gs,gs.bin} { + #include + #include + #include + #include + + # needed to read gc/write pdfs/eps/.. everywhere + /** wr, + # have these spelled out in case we can narrow the line above down sometime + /usr/bin/{gs,gs.bin} mrix, + /usr/bin/dvips mrix, + /usr/lib64/ghostscript/** m, + /usr/lib64/libgs.so.* m, + /usr/lib64/libijs-* m, + + /usr/bin/hpijs Cx, + profile /usr/bin/hpijs flags=(complain) { + #include + + network inet dgram, + + /etc/cups/cupsd.conf r, + /etc/hp/hplip.conf r, + /usr/bin/hpijs mr, + /usr/share/ghostscript/** r, + /usr/share/hplip/** r, + /usr/share/snmp/mibs/ r, + /usr/share/snmp/mibs/*.txt r, + owner /var/spool/cups/tmp/gs_?????? rw, + } +} diff --git a/ghostscript-10.02.1.tar.xz b/ghostscript-10.02.1.tar.xz new file mode 100644 index 0000000..a982204 --- /dev/null +++ b/ghostscript-10.02.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c58c948b0721becefcd0029c8db95f9bb3268affc25ea01d4c5a6b07fa1ab08 +size 68017088 diff --git a/ghostscript.changes b/ghostscript.changes new file mode 100644 index 0000000..4370ccf --- /dev/null +++ b/ghostscript.changes @@ -0,0 +1,1696 @@ +------------------------------------------------------------------- +Tue Feb 27 10:59:43 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Thu Feb 22 09:07:33 UTC 2024 - Thorsten Kukuk + +- Allow to disable apparmor support (ALP supports only SELinux) + +------------------------------------------------------------------- +Sun Jan 28 10:39:57 UTC 2024 - Dirk Müller + +- update to 10.02.1: + * Patch release to address some security bugs + * This release (10.02.0) marks the final demise of the + PostScript based PDF interpreter. + * This 10.01.1 release removes the "-dNEWPDF=false" command + line option to fall back to the deprecated, old PDF + interpreter. + * This 10.01.0 release removes the "-dNEWPDF=false" command + line option to fall back to the deprecated, old PDF + interpreter. + * This release officially deprecates the old Postscript + implementation of PDF, we will not be updating or maintaining + that code moving forward. The option to use the old PDF + implementation _**will**_ be removed in the next full release + (10.01.0) + * Important: This release includes the new PDF interpreter + (implemented in C rather than PostScript). It is both + integrated into Ghostscript (now ENABLED by default), and + available as a standalone, PDF only, binary. See + https://ghostscript.com/pdfi.html for more details. + * This also bundles the latest zlib (1.2.12) which addresses a + security issue (CVE-2018-25032) + * **Important**: This release includes the new PDF interpreter + (implemented in C rather than PostScript). It is both + integrated into Ghostscript (now **ENABLED** by default), and + available as a standalone, PDF only, binary. See + https://ghostscript.com/pdfi.html for more details. +- drop CVE-2023-28879.patch, CVE-2023-36664.patch, + CVE-2023-38559.patch, CVE-2023-43115.patch, + CVE-2023-46751.patch: upstream +- drop remove-zlib-h-dependency.patch: unused + +------------------------------------------------------------------- +Wed Jan 3 12:15:46 UTC 2024 - Johannes Meixner + +- CVE-2023-46751.patch is + https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13 + adapted for Ghostscript-9.56.1 that fixes + https://bugs.ghostscript.com/show_bug.cgi?id=707264 + which includes a fix for CVE-2023-46751 + "dangling pointer in gdev_prn_open_printer_seekable()" + (bsc#1217871) + +------------------------------------------------------------------- +Mon Dec 18 12:50:20 UTC 2023 - Dominique Leuenberger + +- Recommend cups-filters only when cups is present. + +------------------------------------------------------------------- +Wed Sep 20 06:23:44 UTC 2023 - Johannes Meixner + +- CVE-2023-43115.patch is + https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 + that fixes CVE-2023-43115 "remote code execution + via crafted PostScript documents in gdevijs.c" + see https://bugs.ghostscript.com/show_bug.cgi?id=707051 + (bsc#1215466) + +------------------------------------------------------------------- +Wed Jul 26 09:35:33 UTC 2023 - Johannes Meixner + +- CVE-2023-38559.patch fixes CVE-2023-38559 + "out of bounds read devn_pcx_write_rle() could result in DoS" + see bsc#1213637 + and https://bugs.ghostscript.com/show_bug.cgi?id=706897 + which is in base/gdevdevn.c the same issue + "ordering in if expression to avoid out-of-bounds access" + as the already fixed CVE-2020-16305 in devices/gdevpcx.c + see https://bugs.ghostscript.com/show_bug.cgi?id=701819 + +------------------------------------------------------------------- +Tue Jul 4 06:16:33 UTC 2023 - Johannes Meixner + +- CVE-2023-36664.patch fixes CVE-2023-36664 + see https://bugs.ghostscript.com/show_bug.cgi?id=706761 + "OS command injection in %pipe% access" + and https://bugs.ghostscript.com/show_bug.cgi?id=706778 + "%pipe% allowed_path bypass" + and bsc#1212711 + "permission validation mishandling for pipe devices + (with the %pipe% prefix or the | pipe character prefix)" + +------------------------------------------------------------------- +Wed Apr 26 19:08:09 UTC 2023 - Jan Engelhardt + +- Replace BuildRequire on xorg-x11-devel by pkgconfig(...) + +------------------------------------------------------------------- +Tue Apr 11 09:09:56 UTC 2023 - Johannes Meixner + +- CVE-2023-28879.patch fixes CVE-2023-28879 + Buffer Overflow in s_xBCPE_process + cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494 + (bsc#1210062) + +------------------------------------------------------------------- +Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller + +- update to 9.56.1: + Highlights in this release include + (excerpts from the Ghostscript upstream release summary + in https://ghostscript.com/docs/9.56.1/News.htm): + * New PDF Interpreter: This is an entirely new implementation + written in C (rather than PostScript, as before) + * Calling Ghostscript via the GS API is now thread safe. The one + limitation is that the X11 devices for Unix-like systems (x11, + x11alpha, x11cmyk, x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, + x11gray4 and x11mono) cannot be made thread safe, due to their + interaction with the X11 server, those devices have been + modified to only allow one instance in an executable. + * The PSD output device now writes ICC profiles to their output + files, for improved color fidelity. + * Our efforts in code hygiene and maintainability continue. + * The usual round of bug fixes, compatibility changes, and + incremental improvements. + * We have added the capability to build with the Tesseract OCR + engine. In such a build, new devices are available + (pdfocr8/pdfocr24/pdfocr32) which render the output file to an + image, OCR that image, and output the image "wrapped" up as a + PDF file, with the OCR generated text information included + as "invisible" text (in PDF terms, text rendering mode 3). + Mainly due to time constraints, we only support including + Tesseract from source included in our release packages, + and not linking to Tesseract/Leptonica shared libraries. + Whether we add this capability will be largely dependent + on community demand for the feature. See Enabling OCR + at https://www.ghostscript.com/ocr.html for more details. + For a release summary see: + https://www.ghostscript.com/doc/9.54.0/News.htm + For details see the News.htm and History9.htm files. +- Configure --without-tesseract because this requires C++ (it + might be added if Tesseract support in Ghostscript is needed). +- Drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream + +------------------------------------------------------------------- +Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller + +- Use _multibuild + +------------------------------------------------------------------- +Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller + +- Use system zlib (bsc#1198449) + +------------------------------------------------------------------- +Thu Apr 7 08:14:51 UTC 2022 - Frederic Crozat + +- Do no longer require apparmor-abstractions, it is not mandatory + to use Ghostscript (bsc#1134289). + +------------------------------------------------------------------- +Tue Jan 11 13:40:10 CET 2022 - jsmeix@suse.de + +- CVE-2021-45949.patch fixes CVE-2021-45949 + heap-based buffer overflow in sampled_data_finish + cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml + (bsc#1194304) +- CVE-2021-45944 use-after-free in sampled_data_sample + is already fixed in the Ghostscript 9.54.0 upstream sources + (bsc#1194303) + +------------------------------------------------------------------- +Fri Sep 10 09:37:46 CEST 2021 - jsmeix@suse.de + +- CVE-2021-3781.patch fixes CVE-2021-3781 + Trivial -dSAFER bypass + cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 + (bsc#1190381) + +------------------------------------------------------------------- +Fri May 21 13:40:56 CEST 2021 - jsmeix@suse.de + +- Version upgrade to 9.54.0 + Highlights in this release include + (excerpts from the Ghostscript upstream release summary + in https://www.ghostscript.com/doc/9.54.0/News.htm): + * The 9.54.0 release is a maintenance release, + and also adds new functionality. + * Overprint simulation is now available to all output devices, + allowing quality previewing/proofing of PostScript and + PDF jobs that rely on overprint. See the -dOverprint option + documentation in: doc/9.54.0/Use.htm#Overprint + * The "docxwrite" device adds the ability to output + to Microsoft Word "docx" format. + See: doc/9.54.0/VectorDevices.htm#DOCX + * The pdfwrite device is now capable of using the Tesseract OCR + engine when it is built into Ghostscript to improve + searchability and copy and paste functionality when the input + lacks the metadata for that purpose. + See: doc/9.54.0/VectorDevices.htm#UseOCR + * Ghostscript/GhostPDL now includes a "map text to black" + function, where text drawn by an input job (except when drawn + using a Type 3 font) can be forced to draw in solid black. + See: doc/9.54.0/Use.htm#BlackText + * Ghostscript/GhostPDL now supports simple N-up imposition + "internally". See: doc/9.54.0/Use.htm#NupControl + * Our efforts in code hygiene and maintainability continue. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + * For a list of open issues, or to report problems, please visit + bugs.ghostscript.com + For a release summary see: + https://www.ghostscript.com/doc/9.54.0/News.htm + For details see the News.htm and History9.htm files. +- 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch is no longer + needed because it is fixed in the upstream sources. + +------------------------------------------------------------------- +Wed Apr 14 11:56:22 UTC 2021 - Wolfgang Frisch + +- Hardening: compile with PIC, link as PIE + +------------------------------------------------------------------- +Tue Oct 20 16:38:24 CEST 2020 - Ismail Dönmez + +- 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch + fixes compilation with FreeType 2.10.3+ + http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade + c.f. https://bugs.ghostscript.com/show_bug.cgi?id=702985 + +------------------------------------------------------------------- +Tue Oct 20 16:03:48 CEST 2020 - jsmeix@suse.de + +- Version upgrade to 9.53.3 + Highlights in this release include + (excerpts from the Ghostscript upstream release summary + in https://www.ghostscript.com/doc/9.53.3/News.htm): + * The 9.53.3 release is primarily maintenance. + * Issues arose with 9.53.0/1/2 that prompted the release + of a .3 patch: + A crash related to management of ICC profile objects. + A parameter type mismatch that would cause Ghostscript + to error out during initialisation, which + affected 64 big, big endian architectures. + An unexpected side effect of another change that prevented + multithreaded rendering and background rendering + from working correctly. + * The most obvious change is the (re-)introduction of the + patch level to the version number, this helps facilitate + a revised policy on handling security related issues. + To clarify: in the event we decide to release a patch revision, + it will replace the release with the previous patch number. + Release notes, highlights and warnings will remain the same, + except for the addition of whatever fix(es) prompted the patch. + * Our efforts in code hygiene and maintainability continue. + * We have added Python bindings for the gsapi interface, can be + found in demos/python. These are experimental, and we welcome + feedback from interested developers. + * For those integrating Ghostscript/GhostPDL via the gsapi + interface, we have added new capabilities to that, specifically + in terms of setting and interrogating device parameters. These, + along with the existing interface calls, are documented in: + Ghostscript Interpreter API at + https://www.ghostscript.com/doc/9.53.3/API.htm + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + * For a list of open issues, or to report problems, please visit + bugs.ghostscript.com + Incompatible changes: + * As of 9.53.0, we have (re-)introduced the patch level to the + version number, this helps facilitate a revised policy + on handling security related issues. + Note for GSView Users: The patch level addition breaks + GSView 5 (it is hardcoded to check for versions 704-999). + It is possible, but not guaranteed that a GSView update might + be forthcoming to resolve this. + For a release summary see: + https://www.ghostscript.com/doc/9.53.3/News.htm + For details see the News.htm and History9.htm files. +- CVE-2020-15900.patch is no longer needed + because it is fixed in the upstream sources. +- Ghostscript 9.53.3 fixes in particular txtwrite memory issues + (boo#1177922). + +------------------------------------------------------------------- +Tue Jul 28 09:15:30 CEST 2020 - jsmeix@suse.de + +- CVE-2020-15900.patch fixes CVE-2020-15900 Memory Corruption + cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582 + (bsc#1174415) + +------------------------------------------------------------------- +Wed Apr 29 12:09:39 CEST 2020 - jsmeix@suse.de + +- The version upgrade to 9.52 fixes in particular + CVE-2020-12268: jbic2dec: heap-based buffer overflow + in jbig2_image_compose (bsc#1170603) +- Version upgrade to 9.52 + Highlights in this release include: + * The 9.52 release replaces the 9.51 release after a problem + was reported with 9.51 which warranted the quick turnaround. + Thus, like 9.51, 9.52 is primarily a maintenance release, + consolidating the changes we introduced in 9.50. + * IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt + (the "mt" indicating "multi-thread"). + LCMS2 is not thread-safe, and cannot be made thread-safe + without breaking the ABI. Our fork will be thread-safe and + include performance enhancements (these changes have all + been offered and rejected upstream). We will maintain + compatibility between Ghostscript and LCMS2 for a time, + but not in perpetuity. If there is sufficient interest, + our fork will be available as its own package separately + from Ghostscript (and MuPDF). + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * New option -dALLOWPSTRANSPARENCY: The transparency compositor + (and related features), whilst we are improving it, remains + sensitive to being driven correctly, and incorrect use + can have unexpected/undefined results. Hence, as part of + improving security, we limited access to these operators, + originally using the -dSAFER feature. As we made "SAFER" + the default mode, that became unacceptable, hence the + new option -dALLOWPSTRANSPARENCY which enables access + to the operators, cf. + https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY + For a release summary see: + https://www.ghostscript.com/doc/9.52/News.htm + For details see the News.htm and History9.htm files. +- Version upgrade to 9.51 + Highlights in this release include: + * 9.51 is primarily a maintainance release, consolidating + the changes we introduced in 9.50. + * We have continued our work on code hygiene for this release, + with a focus on the static analysis tool Coverity + (from Synopsys, Inc) and we are now maintaining a policy of + zero Coverity issues in the Ghostscript/GhostPDL source base. + * IMPORTANT: In consultation with a representative of + OpenPrinting (http://www.openprinting.org/) it is our + intention to deprecate and, in the not distant future, + remove the OpenPrinting Vector/Raster Printer Drivers + (that is, the opvp and oprp devices). + If you rely on either of these devices, please get in touch + with us (i.e. Ghostscript upstream), so we can discuss your + use case, and revise our plans accordingly. + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + https://www.ghostscript.com/doc/9.51/News.htm + For details see the News.htm and History9.htm files. +- Version upgrade to 9.50 + Highlights in this release include: + * The change to version 9.50 follows recognition + of the extent and importance of the file access control + redesign/reimplementation outlined below. + * The file access control capability (enable with -dSAFER) + has been completely rewritten, with a ground-up rethink + of the design. For more details, see: "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * It is important to note that -dSAFER now only enables the + file access controls, and no longer applies restrictions + to standard Postscript functionality (specifically, + restrictions on setpagedevice). If your application relies + on these Postscript restrictions, see "OLDSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer + and please get in touch, as we do plan to remove those + Postscript restrictions unless we have reason not to. + IMPORTANT: File access controls are now enabled by default. + In order to run Ghostscript without these controls, + see "NOSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * There are a couple of subtle incompatibilities between the old + and new SAFER implementations. Firstly, as mentioned above, + SAFER now leaves standard Postcript functionality unchanged + (except for the file access limitations). Secondly, the + interaction with save/restore operations, see "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * The following is not strictly speaking new to 9.50, + as not much has changed since 9.27 in this area, + but for those who don't upgrade with every release: + The process of "tidying" the Postscript name space should have + removed only non-standard and undocumented operators. + Nevertheless, it is possible that any integrations or utilities + that rely on those non-standard and undocumented operators + may stop working, or may change behaviour. + If you encounter such a case, please contact us + (i.e. Ghostscript upstream, either the #ghostscript IRC channel + or the gs-devel mailing list would be best), and we'll work + with you to either find an alternative solution or return the + previous functionality, if there is genuinely no other option. + One case we know this has occurred is GSView 5 (and earlier). + GSView 5 support for PDF files relied upon internal use only + features which are no longer available. GSView 5 will still + work as previously for Postscript files. For PDF files, + users are encouraged to look at MuPDF https://www.mupdf.com/ + For a release summary see: + https://www.ghostscript.com/doc/9.50/News.htm + For details see the News.htm and History9.htm files. +- CVE-2019-10216.patch + gs-CVE-2019-14811-885444fc.patch + gs-CVE-2019-14817-cd1b1cac.patch + openjpeg4gs-CVE-2018-6616-8ee33522.patch + are fixed in the version 9.52 upstream sources. + +------------------------------------------------------------------- +Fri Jan 31 17:26:37 UTC 2020 - Stefan Brüns + +- Use system openjpeg2 on Tumbleweed/Factory. + +------------------------------------------------------------------- +Mon Sep 23 08:24:49 UTC 2019 - Johannes Segitz + +- Made ghostscript profile enforcing and limit it to the ghostscript + binaries (bsc#1150338) + +------------------------------------------------------------------- +Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink + +- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882 + for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884 + for CVE-2019-14817 + +------------------------------------------------------------------- +Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink + +- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359 + for CVE-2019-12973 + +------------------------------------------------------------------- +Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt + +- Update RPM groups. + +------------------------------------------------------------------- +Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink + +- Use update-alternatives to get the real ghostscript binary from + /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to + use this with its wrapper script + +------------------------------------------------------------------- +Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink + +- CVE-2019-10216.patch fixes CVE-2019-10216 + forceput/superexec in .buildfont1 is still accessible + https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621 + https://bugs.ghostscript.com/show_bug.cgi?id=701394 + +------------------------------------------------------------------- +Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com + +- Set AA profile to complain and added fixes for ps2epsi (boo#1134327) + +------------------------------------------------------------------- +Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de + +- Version upgrade to 9.27 + Highlights in this release include: + * We (i.e. Ghostscript upstream) have extensively cleaned up + the Postscript name space: removing access to internal and/or + undocumented Postscript operators, procedures and data. + This has benefits for security and maintainability. + Incompatible changes: + The process of "tidying" the Postscript name space should + have removed only non-standard and undocumented operators. + Nevertheless, it is possible that any integrations or + utilities that rely on those non-standard and undocumented + operators may stop working, or may change behaviour. + If you encounter such a case, please contact us (i.e. + Ghostscript upstream) - (either the #ghostscript IRC channel, + or the gs-devel mailing list would be best), and we'll work + with you to either find an alternative solution. + * Fontmap can now reference invidual fonts in a TrueType + Collection for font subsitution. Previously, a Fontmap entry + could only reference a TrueType collection and use the default + (first) font. + Now, the Fontmap syntax allows for specifying a specific index + in a TTC. See the comments at the top of (the default) + Fontmap.GS for details. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + IMPORTANT: It is our intention, within the next 12 months + (ideally sooner, in time for the next release) to make SAFER + the default mode of operation. For many users this will have + no effect, since they use SAFER explicitly, but some niche + uses which rely on SAFER being disabled may need to start + explicitly adding the "-dNOSAFER" option. + IMPORTANT: We (i.e. Ghostscript upstream) are in the process of + forking LittleCMS. LCMS2 is not thread safe, and cannot be made + thread safe without breaking the ABI. Our fork will be thread + safe, and include performance enhancements (these changes have + all be been offered and rejected upstream). We will maintain + compatibility between Ghostscript and LCMS2 for a time, but not + in perpetuity. Our fork will be available as its own package + separately from Ghostscript (and MuPDF). + For a release summary see: + http://www.ghostscript.com/doc/9.27/News.htm + For details see the News.htm and History9.htm files. + The Ghostscript 9.27 release should fix (cf. the entry below + dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means) + in particular those security issues: + * CVE-2019-3838 forceput in DefineResource is still accessible + https://bugzilla.suse.com/show_bug.cgi?id=1129186 bsc#1129186 + https://bugs.ghostscript.com/show_bug.cgi?id=700576 + * CVE-2019-3835: superexec operator is available + https://bugzilla.suse.com/show_bug.cgi?id=1129180 bsc#1129180 + https://bugs.ghostscript.com/show_bug.cgi?id=700585 +- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch + is no longer needed because it is fixed in the upstream sources. + +------------------------------------------------------------------- +Thu Mar 14 08:03:24 UTC 2019 - jsegitz@suse.com + +- Added AA rules for dvips (bsc#1127934) +- Allow execution of dirname (bsc#1128697) +- Allow execution of hpijs (bsc#1128467). For now this is in + complain mode +- Sane profile name "ghostscript", moved profile from + /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript + (bsc#1128607) +- Improved AA packaging (bsc#1128608) + Thanks to Christian Boltz for his help + +------------------------------------------------------------------- +Fri Mar 8 10:49:18 UTC 2019 - Martin Wilck + +- Fix IJS printing problem (bsc#1128467) + * added ijs_exec_server_dont_use_sh.patch + * allow exec'ing hpijs in apparmor profile + +------------------------------------------------------------------- +Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com + +- Added apparmor_usr.bin.gs. This profile prevents execution of + executables to serve as hardening for the binaries that process + ghostscript. This is of limited use but prevents simple exploits. + +------------------------------------------------------------------- +Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de + +- Version upgrade to 9.26a + The version 9.26a is a special security bugfix version to fix + * CVE-2019-6116: subroutines within pseudo-operators + must themselves be pseudo-operators + https://bugs.ghostscript.com/show_bug.cgi?id=700317 + https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319 + +------------------------------------------------------------------- +Thu Jan 10 17:09:16 UTC 2019 - jweberhofer@weberhofer.at + +- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch + fixes Ghostscript issue #700315 and bsc#1121490 + https://bugs.ghostscript.com/show_bug.cgi?id=700315 + Segfault in GS 9.26 with certain PDFs with -dLastPage=1 + +------------------------------------------------------------------- +Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) real and potential + exploits. + Thanks to Man Yue Mo of Semmle Security Research Team, + Jens Mueller of Ruhr-Universitaet Bochum and + Tavis Ormandy of Google's Project Zero + for their help to identify specific security issues. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.26/News.htm + For details see the News.htm and History9.htm files. + The Ghostscript 9.26 release should fix (cf. the entry below + dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means) + in particular those security issues (bsc#1117331) + * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass + intended access restrictions + https://bugs.ghostscript.com/show_bug.cgi?id=700153 + https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327 + * CVE-2018-19476: psi/zicc.c allows attackers to bypass + intended access restrictions because of a setcolorspace + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700169 + https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313 + * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass + intended access restrictions because of a JBIG2Decode + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700168 + https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274 + * CVE-2018-19409: LockSafetyParams is not checked correctly + if another device is used + https://bugs.ghostscript.com/show_bug.cgi?id=700176 + https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022 + and those security issues + * CVE-2018-18284: 1Policy operator gives access to .forceput + https://bugs.ghostscript.com/show_bug.cgi?id=69963 + https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229 + * CVE-2018-18073: saved execution stacks can leak operator arrays + https://bugs.ghostscript.com/show_bug.cgi?id=699927 + https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480 + * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox + https://bugs.ghostscript.com/show_bug.cgi?id=699816 + https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479 + * CVE-2018-17183: remote attackers could be able to supply + crafted PostScript to potentially overwrite or replace + error handlers to inject code + https://bugs.ghostscript.com/show_bug.cgi?id=699708 + https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105 + +------------------------------------------------------------------- +Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26rc1 (first release candidate for 9.26). + Highlights in this release include: + * Purely security and a few bug fixes, there are no new features, + and no API changes to report. + +------------------------------------------------------------------- +Fri Sep 14 10:47:33 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.25 + For the highlights in this release see the highlights in the + 9.25rc1 first release candidate for 9.25 entry below. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + For a release summary see: + http://www.ghostscript.com/doc/9.25/News.htm + For details see the News.htm and History9.htm files. + The Ghostscript 9.25 release should fix (see below) + in particular those security issues: + * CVE-2018-15909: shading_param incomplete type checking + https://bugs.ghostscript.com/show_bug.cgi?id=699660 + https://bugzilla.suse.com/show_bug.cgi?id=1106172 bsc#1106172 + * CVE-2018-15908: .tempfile file permission issues + https://bugs.ghostscript.com/show_bug.cgi?id=699657 + https://bugzilla.suse.com/show_bug.cgi?id=1106171 bsc#1106171 + * CVE-2018-15910: LockDistillerParams type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=699656 + https://bugzilla.suse.com/show_bug.cgi?id=1106173 bsc#1106173 + * CVE-2018-15911: uninitialized memory access in the aesdecode + https://bugs.ghostscript.com/show_bug.cgi?id=699665 + https://bugzilla.suse.com/show_bug.cgi?id=1106195 bsc#1106195 + * CVE-2018-16513: setcolor missing type check + https://bugs.ghostscript.com/show_bug.cgi?id=699655 + https://bugzilla.suse.com/show_bug.cgi?id=1107412 bsc#1107412 + * CVE-2018-16509: /invalidaccess bypass after failed restore + https://bugs.ghostscript.com/show_bug.cgi?id=699654 + https://bugzilla.suse.com/show_bug.cgi?id=1107410 bsc#1107410 + * CVE-2018-16510: Incorrect exec stack handling in the "CS" + and "SC" PDF primitives + https://bugs.ghostscript.com/show_bug.cgi?id=699671 + https://bugzilla.suse.com/show_bug.cgi?id=1107411 bsc#1107411 + * CVE-2018-16542: .definemodifiedfont memory corruption + if /typecheck is handled + https://bugs.ghostscript.com/show_bug.cgi?id=699668 + https://bugzilla.suse.com/show_bug.cgi?id=1107413 bsc#1107413 + * CVE-2018-16541 incorrect free logic in pagedevice replacement + https://bugs.ghostscript.com/show_bug.cgi?id=699664 + https://bugzilla.suse.com/show_bug.cgi?id=1107421 bsc#1107421 + * CVE-2018-16540 use-after-free in copydevice handling + https://bugs.ghostscript.com/show_bug.cgi?id=699661 + https://bugzilla.suse.com/show_bug.cgi?id=1107420 bsc#1107420 + * CVE-2018-16539: incorrect access checking in temp file + handling to disclose contents of files + https://bugs.ghostscript.com/show_bug.cgi?id=699658 + https://bugzilla.suse.com/show_bug.cgi?id=1107422 bsc#1107422 + * CVE-2018-16543: gssetresolution and gsgetresolution allow + for unspecified impact + https://bugs.ghostscript.com/show_bug.cgi?id=699670 + https://bugzilla.suse.com/show_bug.cgi?id=1107423 bsc#1107423 + * CVE-2018-16511: type confusion in "ztype" could be used by + remote attackers able to supply crafted PostScript to crash + the interpreter or possibly have unspecified other impact + https://bugs.ghostscript.com/show_bug.cgi?id=699659 + https://bugzilla.suse.com/show_bug.cgi?id=1107426 bsc#1107426 + * CVE-2018-16585 .setdistillerkeys PostScript command is + accepted even though it is not intended for use + https://bugzilla.suse.com/show_bug.cgi?id=1107581 bsc#1107581 + * CVE-2018-16802: Incorrect"restoration of privilege" checking + when running out of stack during exceptionhandling could be + used by attackers able to supply crafted PostScript to execute + code using the "pipe" instruction. This is due to an incomplete + fix for CVE-2018-16509 + https://bugs.ghostscript.com/show_bug.cgi?id=699714 + https://bugs.ghostscript.com/show_bug.cgi?id=699718 + https://bugzilla.suse.com/show_bug.cgi?id=1108027 bnc#1108027 + Regarding what the above "should fix" means: + PostScript is a general purpose Turing-complete programming + language (cf. https://en.wikipedia.org/wiki/PostScript) + that supports in particular file access on the system disk. + When Ghostscript processes PostScript it runs a PostScript + program as the user who runs Ghostscript. + When Ghostscript processes an arbitrary PostScript file, + the user who runs Ghostscript runs an arbitrary program + which can do anything on the system where Ghostscript runs + that this user is allowed to do on that system. + To make it safer when Ghostscript runs a PostScript program + the Ghostscript command line option '-dSAFER' disables + certain file access functionality, for details see + /usr/share/doc/ghostscript/9.25/Use.htm + Its name 'SAFER' says everything: It makes it 'safer' + to let Ghostscript run a PostScript program, + but it does not make it completely safe. + In theory software is safe against misuse (i.e. has no bugs). + In practice there is an endless sequence of various kind of + security issues (i.e. software can be misused to do more than + what is intended) that get fixed issue by issue ad infinitum. + In the end all that means: + In practice the user who runs Ghostscript must not let it + process arbitrary PostScript files from untrusted origin. + In particular Ghostscript is usually run when printing + documents (with the '-dSAFER' option set), see the part about + "It is crucial to limit access to CUPS to trusted users" in + https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings + +------------------------------------------------------------------- +Thu Sep 13 14:14:39 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.25rc1 (first release candidate for 9.25). + Highlights in this release include: + * This release fixes problems with argument handling, some + unintended results of the security fixes to the SAFER file + access restrictions (specifically accessing ICC profile files), + and some additional security issues over the 9.24 release. + * Security issues have been the primary focus of this release, + including solving several (well publicised) real + and potential exploits. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * Avoid that ps2epsi fails with + 'Error: /undefined in --setpagedevice--' + Recent changes required to harden SAFER mode mean that + it is no longer possible to run ps2epsi in SAFER mode, + because it relies upon unsafe Ghostscript non-standard + extension operators. + Removing SAFER and DELAYSAFER, and the code to reset SAFER, + allow ps2epsi to run as well as it ever did (ie badly). + This program (i.e. ps2epsi) should now be considered unsafe, + you should not use it on untrusted PostScript programs. + Likely we (i.e. Ghostscript upstream) will deprecate and + remove this program in future. + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing + +------------------------------------------------------------------- +Thu Sep 13 10:25:21 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.24 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) + real and potential exploits. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * As well as Ghostscript itself, jbig2dec has had a significant + amount of work improving its robustness in the face of + out specification files. + * IMPORTANT: We (i.e. Ghostscript upstream) are in the process + of forking LittleCMS. LCMS2 is not thread safe, and cannot + be made thread safe without breaking the ABI. Our fork + will be thread safe, and include performance enhancements + (these changes have all be been offered and rejected upstream). + We will maintain compatibility between Ghostscript and LCMS2 + for a time, but not in perpetuity. Our fork will be available + as its own package separately from Ghostscript (and MuPDF). + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.24/News.htm + For details see the News.htm and History9.htm files. +- fix_ln_docdir_gsdatadir.patch is no longer needed + because the issue is fixed in the upstream sources. +- CVE-2018-10194.patch is no longer needed + because the issue is fixed in the upstream sources. + +------------------------------------------------------------------- +Tue Jun 5 14:47:59 CEST 2018 - jsmeix@suse.de + +- CVE-2018-10194.patch fixes stack-based buffer overflow + in gdevpdts.c (bsc#1090099), see + https://bugs.ghostscript.com/show_bug.cgi?id=699255 and + http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879 + +------------------------------------------------------------------- +Thu Mar 22 12:51:39 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.23 + Highlights in this release include: + * Ghostscript now has a family of 'pdfimage' devices + (pdfimage8, pdfimage24 and pdfimage32) which produce + rendered output wrapped up as an image in a PDF. + Additionally, there is a 'pclm' device which + produces PCLm format output. + * There is now a ColorAccuracy parameter allowing the user + to decide between speed or accuracy in ICC color transforms. + * JPEG Passthrough: devices which support it can now receive + the 'raw' JPEG stream from the interpreter. + The main use of this is the pdfwrite/ps2write family of devices + that can now take JPEG streams from the input file(s) and write + them unchanged to the output (thus avoiding additional + quantization effects). + * PDF transparency performance improvements + * IMPORTANT: We (i.e. Ghostscript upstream) are in the process + of forking LittleCMS. + LCMS2 is not thread safe, and cannot be made thread safe + without breaking the ABI. Our fork will be thread safe, + and include performance enhancements (these changes have all + be been offered and rejected upstream). We will maintain + compatibility between Ghostscript and LCMS2 for a time, + but not in perpetuity. Our fork will be available as its own + package separately from Ghostscript (and MuPDF). + * We have continued the focus on code hygiene in this release + cleaning up security issues, ignored return values, + and compiler warnings. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes + * The planned device API tidy has, unfortunately, been + indefinitely postponed, until appropriate resources + are available. + For a release summary see: + http://www.ghostscript.com/doc/9.23/News.htm + For details see the News.htm and History9.htm files. + See also the entries below since "Version upgrade to 9.22" + (boo#1082896 and boo#1074266). + +------------------------------------------------------------------- +Fri Mar 16 12:39:36 CET 2018 - jsmeix@suse.de + +- For now use lcms2 from SUSE because that is what currently + Ghostscript upstream recommends according to + https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html + because since Ghostscript 9.23rc1 there is no longer lcms2 + in Ghostscript but now it is lcms2art which is the beginning + of a lcms2 fork, see News.htm that reads in particular + "LCMS2 is not thread safe ... Our fork will be thread safe ... + We will maintain compatibility between Ghostscript and LCMS2 + for a time, but not in perpetuity", see also + https://bugzilla.opensuse.org/show_bug.cgi?id=1082896#c14 +- On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5 + which is too old so that configure fails there with + configure: error: lcms2 not found, or too old + but there is no configure option to build it without lcms2 + so that for SLE11 and SLE12-SP1 it is built with + the lcms2art in Ghostscript. +- ppc64le-support.patch is no longer needed because it only + contained a fix for lcms2art/include/lcms2art.h in Ghostscript + but currently lcms2 from SUSE is used instead (see above). +- Do no longer require any fonts packages in particular + neither require ghostscript-fonts-std because the PostScript + Base35 fonts are provided by Ghostscript (in 'Resource') + nor require ghostscript-fonts-other (provides Bitream Charter, + Adobe Utopia, URW Antiqua, URW Grotesq and Hershey fonts where + all but the last are also provided by texlive--fonts) and + those fonts are not required for PostScript compliance, see + https://bugzilla.opensuse.org/show_bug.cgi?id=1082896#c13 + +------------------------------------------------------------------- +Thu Mar 15 11:19:33 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.23rc1 (first release candidate for 9.23). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing +- Adapted ppc64le-support.patch: In Ghostscript 9.23 there is now + lcms2art/include/lcms2art.h (instead of lcms2/include/lcms2.h). +- ghostscript-fix-debug-use.patch is no longer needed + because the issue is fixed in the upstream sources. +- fix_ln_docdir_gsdatadir.patch avoids + "base/unixinst.mak:162: recipe for target 'install-doc' failed" +- Adapted spec file to the new Ghostscript upstream documentation + directory /usr/share/doc/ghostscript/9.23/ + +------------------------------------------------------------------- +Wed Feb 28 00:14:31 UTC 2018 - stefan.bruens@rwth-aachen.de + +- Use -p /sbin/ldconfig instead of shell post(un) scriptlet, drop + explicit Prereq for ldconfig +- Use shared libgs library for gs binary instead of static linked + version +- Use --disable-compile-inits, to allow unbundling of Resource files +- Remove --disable-omni switch, has been removed in GS 9.20 +- Keep patch ordering in full/mini consistent +- Remove patch backup files to avoid packaging + +------------------------------------------------------------------- +Tue Feb 27 14:55:51 CET 2018 - novell@mirell.de + +- Add ghostscript-fix-debug-use.patch from upstream to fix broken + printing with some drivers (especially Dell Printers) from + https://bugs.ghostscript.com/show_bug.cgi?id=698837 +- Fix build for SLE targets + +------------------------------------------------------------------- +Wed Nov 29 16:04:48 CET 2017 - jsmeix@suse.de + +- Version upgrade to 9.22. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * Ghostscript can now consume and produce (via the pdfwrite + device) PDF 2.0 compliant files. + * The main focus of this release has been security and code + cleanliness. Hence many AddressSanitizer, Valgrind and + Coverity issues have been addressed. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes + * The planned device API tidy (still!) did not happen for + this release, due to time pressures, but we still intend + to undertake the following: We plan to somewhat tidy up + the device API. We intend to remove deprecated device procs + (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter + (rather than the current scheme where only a very few procs + take an imager state parameter). This should serve as notice + to anyone maintaining a Ghostscript device outside the + canonical source tree that you may (probably will) need + to update your device(s) when these changes happen. + Devices using only the non-deprecated procs should be + trivial to update. +- Up to 9.22rc1 it "just built" for all openSUSE versions but + since 9.22rc2 the libijs part does no longer buid for any + released openSUSE version where if fails with messages like + libtool: Version mismatch error. + This is libtool 2.4.6 Debian-2.4.6-2, but the + definition of this LT_INIT comes from libtool 2.4.2. + You should recreate aclocal.m4 with macros from + libtool 2.4.6 Debian-2.4.6-2 and run autoconf again. + Makefile: recipe for target 'ijs.lo' failed + so that currently it only builds for Tumbleweed/Factory. + Presumably it is not too complicated to make it build again + also for released openSUSE versions but currently I have + less than zero energy to fix such "latest breaking changes" + so that for now Ghostscript 9.22 is only provided for + openSUSE Tumbleweed/Factory and the upcoming SLE15/Leap15. + +------------------------------------------------------------------- +Fri Sep 29 09:12:06 CEST 2017 - jsmeix@suse.de + +- Version upgrade to 9.22rc2 (second release candidate for 9.22). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing + +------------------------------------------------------------------- +Thu Sep 14 15:19:40 CEST 2017 - jsmeix@suse.de + +- Version upgrade to 9.22rc1 (first release candidate for 9.22). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing +- Since Ghostscript 9.22rc1 font2c and wftopfa are removed. +- CVE-2017-5951.patch CVE-2017-7207.patch + CVE-2017-8291.patch and CVE-2017-9216.patch + are fixed in the version 9.22rc1 upstream sources. + +------------------------------------------------------------------- +Fri Jun 2 09:12:45 UTC 2017 - daniel.molkentin@suse.com + +- CVE-2017-7207.patch fixes a NULL pointer dereference + in mem_get_bits_rectangle + see https://bugs.ghostscript.com/show_bug.cgi?id=697676 + (bsc#1030263) +- CVE-2017-9216.patch fixes a NULL pointer dereference + in jbig2_huffman_get + see https://bugs.ghostscript.com/show_bug.cgi?id=697934 + (bsc#1040643) + +------------------------------------------------------------------- +Tue May 2 14:27:22 CEST 2017 - jsmeix@suse.de + +- CVE-2017-8291.patch fixes + a type confusion in .rsdparams and .eqproc + see https://bugs.ghostscript.com/show_bug.cgi?id=697808 + and https://bugs.ghostscript.com/show_bug.cgi?id=697799 + (bsc#1036453). + +------------------------------------------------------------------- +Wed Apr 12 11:12:27 CEST 2017 - jsmeix@suse.de + +- CVE-2016-10317 (bsc#1032230) + heap buffer overflow in fill_threshhold_buffer() + is not yet fixed because there is no fix available at + https://bugs.ghostscript.com/show_bug.cgi?id=697459 +- CVE-2016-10219 (bsc#1032138) + divide by zero in intersect() + https://bugs.ghostscript.com/show_bug.cgi?id=697453 + is fixed in the version 9.21 upstream sources +- CVE-2016-10218 (bsc#1032135) + null pointer dereference in pdf14_pop_transparency_group() + https://bugs.ghostscript.com/show_bug.cgi?id=697444 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10217 (bsc#1032130) + use-after-free in pdf14_cleanup_parent_color_profiles() + that is related to pdf14_open() in base/gdevp14.c + https://bugs.ghostscript.com/show_bug.cgi?id=697456 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10220 (bsc#1032120) + null pointer dereference in gx_device_finalize() that is + related to gs_makewordimagedevice() in base/gsdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697450 + is fixed in the version 9.21 upstream sources. +- CVE-2017-5951.patch fixes + null pointer dereference in ref_stack_index() that is + related to mem_get_bits_rectangle() in base/gdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697548 + (bsc#1032114) + +------------------------------------------------------------------- +Mon Apr 10 14:06:09 CEST 2017 - jsmeix@suse.de + +- Version upgrade to 9.21. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * pdfwrite now preserves annotations from + input PDFs (where possible). + * The GhostXPS interpreter now provides the pdfwrite device + with the data it requires to emit a ToUnicode CMap: thus + allowing fully searchable PDFs to be created from XPS + input (in the vast majority of cases). + * Ghostscript now allows the default color space + for PDF transparency blends. + * The Ghostscript/GhostPDL configure script now has much + better/fuller support for cross compiling. + * The tiffscaled and tiffscaled4 devices can now + use ETS (Even Tone Screening) + * The toolbin/pdf_info.ps utility can now emit + the PDF XML metadata. + * Ghostscript has a new scan converter available + (currently optional, but will become the default in a near + future release). It can be enabled by using the command line + option: '-dSCANCONVERTERTYPE=2'. This new implementation + provides vastly improved performance with large and complex + paths. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * The planned device API tidy (still!) did not happen for + this release, due to time pressures, but we still intend + to undertake the following: We plan to somewhat tidy up + the device API. We intend to remove deprecated device + procs (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter + (rather than the current scheme where only a very few procs + take an imager state parameter). This should serve as notice + to anyone maintaining a Ghostscript device outside the + canonical source tree that you may (probably will) need to + update your device(s) when these changes happen. Devices using + only the non-deprecated procs should be trivial to update. +- CVE-2016-7976.patch and CVE-2016-7977.patch and + CVE-2016-7978.patch and CVE-2016-7979.patch and + CVE-2016-8602.patch are no longer needed because + those issues are fixed in the upstream sources. +- 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch + and + 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch + are no longer needed because both are included + in the upstream sources, see the upstream issue + https://bugs.ghostscript.com/show_bug.cgi?id=697484 +- Again use the zlib sources from Ghostscript upstream + and disable remove-zlib-h-dependency.patch because + Ghostscript 9.21 does no longer build this way, + cf. the entry below dated "Wed Nov 18 11:46:58 UTC 2015" + +------------------------------------------------------------------- +Thu Jan 12 17:13:58 UTC 2017 - stefan.bruens@rwth-aachen.de + +- Set SOURCE_DATE_EPOCH based on changelog head +- Add 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch + * Use SOURCE_DATE_EPOCH for mkromfs output for reproducible build +- Add 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch + * Sort ROM contents for deterministic output + +------------------------------------------------------------------- +Mon Oct 17 13:36:57 CEST 2016 - jsmeix@suse.de + +- CVE-2013-5653 (getenv and filenameforall ignore -dSAFER) + is fixed in the Ghostscript 9.20 upstream sources + see http://bugs.ghostscript.com/show_bug.cgi?id=694724 + (bsc#1001951). +- CVE-2016-7976.patch fixes that + various userparams allow %pipe% in paths, allowing + remote shell command execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697178 + (bsc#1001951). +- CVE-2016-7977.patch fixes that + .libfile doesn't check PermitFileReading array, allowing + remote file disclosure + see http://bugs.ghostscript.com/show_bug.cgi?id=697169 + (bsc#1001951). +- CVE-2016-7978.patch fixes that + reference leak in .setdevice allows + use-after-free and remote code execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697179 + (bsc#1001951). +- CVE-2016-7979.patch fixes that + type confusion in .initialize_dsc_parser allows + remote code execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697190 + (bsc#1001951). +- CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 + see http://bugs.ghostscript.com/show_bug.cgi?id=697203 + (bsc#1004237). + +------------------------------------------------------------------- +Thu Sep 29 14:40:38 CEST 2016 - jsmeix@suse.de + +- Version upgrade to 9.20. Purely a maintenance release. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * The planned device API tidy did not happen for this release, + due to time pressures, but we still intend to undertake the + following: We plan to somewhat tidy up the device API. + We intend to remove deprecated device procs + (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter (rather + than the current scheme where only a very few procs take an + imager state parameter). This should serve as notice to anyone + maintaining a Ghostscript device outside the canonical source + tree that you may (probably will) need to update your + device(s) when these changes happen. Devices using only + the non-deprecated procs should be trivial to update. + +------------------------------------------------------------------- +Thu Sep 15 10:12:03 CEST 2016 - jsmeix@suse.de + +- Version upgrade to 9.20rc1 (first release candidate for 9.20). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing + +------------------------------------------------------------------- +Wed Mar 23 15:43:27 CET 2016 - jsmeix@suse.de + +- Version upgrade to 9.19. Mainly a maintenance release. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * Metadata pdfmark is now implemented. This allows the user + to specify an XMP stream which will be written to the + Catalog of the PDF file. A new pdfmark 'Ext_Metadata' has + been defined. This takes a string parameter which contains + XML to be add to the XMP normally created by pdfwrite. + See "pdfwrite pdfmark extensions" for more information. + * An experimental, rudimentary raster trapping implementation + has been added to the Ghostscript graphics library. + See "Trapping" for details. + Incompatible changes: + * (Minor) API change: copy_alpha now supports 8 bit depth + (as well as the previous 2 and 4). + * The gs man pages are woefully out of date and basically + unmaintained. With the release following 9.19, we intend + to replace their contents with a very limited summary + of (unlikely to ever change aspects of) calling + Ghostscript, and a pointer to the (maintained) HTML + documentation. That is, unless a volunteer is willing + to update, and commit to maintaining the man pages. + * ijs-config is no longer provided + Planned incompatible changes: + * We plan (ideally for the release following 9.19) to somewhat + tidy up the device API. We plan to remove deprecated device + procs (methods/function pointers). We also intend to merge + the imager state and graphics state (thus eliminating the + imager state), and change the device API so every device proc + takes a graphics state parameter (rather than the current + scheme where only a very few procs take an imager state + parameter). This should serve as notice to anyone maintaining + a Ghostscript device outside the canonical source tree that + you may (probably will) need to update your device(s) when + these changes happen. Devices using only the non-deprecated + procs should be trivial to update. +- fix_make_install.patch fixes and + add_brackets_for_old_autoconf.patch are no longer needed + because both issues are fixed in the upstream sources. + +------------------------------------------------------------------- +Fri Mar 18 10:13:23 CET 2016 - jsmeix@suse.de + +- Version upgrade to 9.19rc1 (first release candidate for 9.19). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing +- ijs-config is no longer provided +- fix_make_install.patch fixes an install error and + add_brackets_for_old_autoconf.patch fixes an autoconf error + see http://bugs.ghostscript.com/show_bug.cgi?id=696665 +- fix_ijs_and_x11_for_FirstPage_and_LastPage.patch is no longer + needed because it is fixed in the upstream sources. +- install_gserrors.h.patch is no longer needed because it is fixed + in the upstream sources. + +------------------------------------------------------------------- +Wed Nov 18 11:46:58 UTC 2015 - schwab@suse.de + +- Do not use library sources for freetype jpeg libpng tiff zlib + from the Ghostscript upstream tarball because we prefer to use + for long-established standard libraries the ones from SUSE + in particular to automatically get SUSE security updates + for standard libraries. + In contrast we use e.g. lcms2 from the Ghostscript upstream + tarball because this one is specially modified to work with + Ghostscript so that we cannot use lcms2 from SUSE. +- remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h + in makefiles as we do not use the zlib sources from the + Ghostscript upstream tarball. + +------------------------------------------------------------------- +Thu Nov 5 13:33:14 CET 2015 - jsmeix@suse.de + +- An incompatible change appeared when building other software + with Ghostscript 9.18. + Since version 9.18 Ghostscript does no longer provide + e_ (e.g. e_NeedInput) in its header files + (gserrors.h and ierrors.h). + When building other software with Ghostscript 9.18 + gs_error_ (e.g. gs_error_NeedInput) + must be used, see boo#953149 and + http://bugs.ghostscript.com/show_bug.cgi?id=696317 + +------------------------------------------------------------------- +Fri Oct 30 11:28:14 CET 2015 - jsmeix@suse.de + +- install_gserrors.h.patch installs gserrors.h to fix + http://bugs.ghostscript.com/show_bug.cgi?id=696301 + because without gserrors.h several other packages fail to build + (in particular texlive, libspectre, gimp,...). + +------------------------------------------------------------------- +Mon Oct 12 10:26:52 CEST 2015 - jsmeix@suse.de + +- fix_ijs_and_x11_for_FirstPage_and_LastPage.patch + fixes the Ghostscript device ijs and the x11* devices + so that they also work when -dFirstPage/-dLastPage is used, + see http://bugs.ghostscript.com/show_bug.cgi?id=696246 + +------------------------------------------------------------------- +Tue Oct 6 10:21:22 CEST 2015 - jsmeix@suse.de + +- Version upgrade to 9.18. A maintenance release. + There are no recorded incompatible changes (as of this writing). + Highlights in this release include: + * A substantial revision of the build system and GhostPDL + directory structure. Ghostscript-only users should + not be affected by this change. + * A new method of internally inserting devices into the device + chain has been developed, named "device subclassing". + This allows suitably written devices to be more easily and + consistently as "filter" devices. + The first fruit of this is a new implementation of + the "-dFirstPage"/"-dLastPage" feature which functions + a device filter in the Ghostscript graphics library, meaning + it works consistently with all input languages. + * Plus the usual round of bug fixes, compatibility changes, + and incremental improvements. + See http://www.ghostscript.com/doc/9.18/News.htm + For details see the News.htm and History9.htm files. + +------------------------------------------------------------------- +Tue Sep 29 11:05:48 CEST 2015 - jsmeix@suse.de + +- Version upgrade to 9.18rc2 (second release candidate for 9.18). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing +- assign_pointer_not_value_in_gximono.c.patch is no longer needed + because it is fixed in the upstream sources. + +------------------------------------------------------------------- +Thu Sep 24 10:29:04 CEST 2015 - jsmeix@suse.de + +- Version upgrade to 9.18rc1 (first release candidate for 9.18). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing +- CVE-2015-3228.patch is no longer needed because it is fixed + in the upstream sources. +- assign_pointer_not_value_in_gximono.c.patch attempts to fix a + "assignment makes pointer from integer without a cast" compiler + warning by assigning the pointer and not the integer value. +- Removed --disable-compile-inits from configure, see + http://bugs.ghostscript.com/show_bug.cgi?id=696223 + and "Precompiled run-time data" in + /usr/share/ghostscript/9.18/doc/Make.htm + +------------------------------------------------------------------- +Wed Jul 29 15:20:46 CEST 2015 - jsmeix@suse.de + +- CVE-2015-3228.patch fixes out of bound read/write cause + by integer overflow in gsmalloc.c (boo#939342). + +------------------------------------------------------------------- +Tue Mar 31 10:18:06 CEST 2015 - jsmeix@suse.de + +- Version upgrade to 9.16. Primarily a maintenance release. + There are no recorded incompatible changes (as of this writing). + Highlights in this release include: + * "LockColorants" command line option for tiffsep and psdcmyk + devices. + * Improved high level devices handling of Forms. + See http://www.ghostscript.com/doc/9.16/News.htm + For details see the News.htm and History9.htm files. +- fix.including.pread.pwrite.pthread_mutexattr_settype.diff + is no longer needed because it is fixed in the upstream sources. + +------------------------------------------------------------------- +Wed Mar 25 12:38:16 CET 2015 - jsmeix@suse.de + +- fix.including.pread.pwrite.pthread_mutexattr_settype.diff + fixes on SLE11 implicit declaration of function warnings + for 'pread' 'pwrite' 'pthread_mutexattr_settype' see + http://bugs.ghostscript.com/show_bug.cgi?id=695882 +- ppc64le-support.patch is a remainder of the previous patch + now the hunk for LCMS (lcms/include/lcms.h) is removed + because LCMS 1.x is removed since Ghostscript 9.16 + but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed + see http://bugs.ghostscript.com/show_bug.cgi?id=695544 + +------------------------------------------------------------------- +Fri Mar 20 17:12:34 CET 2015 - jsmeix@suse.de + +- Version upgrade to 9.16rc2 (second release candidate for 9.16). + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing + +------------------------------------------------------------------- +Fri Mar 20 10:52:47 CET 2015 - jsmeix@suse.de + +- For SLE12 build it with traditional CUPS 1.5.4 to ensure + it works on SLE12 both with CUPS 1.7.5 and CUPS 1.5.4. + +------------------------------------------------------------------- +Sun Sep 28 18:00:37 CEST 2014 - ro@suse.de + +- readd ppc64le patch ppc64le-support.patch (adapted for lcms2 in + Ghostscript version 9.15): the tests in lcms2.h cannot work + without "include " that is now added and + regardless that lcms is not used by default (unless the + configure option --with-lcms is set), lcms is again fixed + (see http://bugs.ghostscript.com/show_bug.cgi?id=695544). + +------------------------------------------------------------------- +Tue Sep 23 10:14:28 CEST 2014 - jsmeix@suse.de + +- Version upgrade to 9.15. Primarily a maintenance release. + There are no recorded incompatible changes (as of this writing). + Highlights in this release include: + * Ghostscript now supports the PDF security handler revision 6. + * The pdfwrite and ps2write (and related) devices can now be + forced to "flatten" glyphs into "basic" marking operations + (rather than writing fonts to the output), by giving + the -dNoOutputFonts command line option (defaults to "false"). + * PostScript programs can now use get_params or get_param to + determine if a page contains color markings by reading the + pageneutralcolor state from the device (so whether the page + is "color" or "mono"). Note that this is only accurate when in + clist mode, so -dMaxBitmap=0 and -dGrayDetection=true should + both be used. + * The pdfwrite device now supports Link annotations with GoTo + and GoToR actions. + * The pdfwrite device now supports BMC/BDC/EMC pdfmarks + * Regarding the new color management for the pdfwrite device + introduced in the previous release, the proscription on using + the new color management when producing PDF/A-1 compliant files + is now lifted. To reiterate, also, with the new color + management implementation, using the UseCIEColor option is + strongly discouraged. For further information on the new + pdfwrite color management, see in Ps2pdf.htm the + "Color Conversion and Management" section. + * Plus the usual round of bug fixes, compatibility changes, + and incremental improvements. + For details see the News.htm and History9.htm files. + +------------------------------------------------------------------- +Wed Sep 17 12:17:47 CEST 2014 - jsmeix@suse.de + +- Version upgrade to 9.15rc2 (second release candidate for 9.15). + Ghostscript upstream QA highlighted a couple of issues + that they felt warranted a fresh release candidate. + For details see the History9.htm file. + +------------------------------------------------------------------- +Tue Sep 9 16:06:31 CEST 2014 - jsmeix@suse.de + +- Version upgrade to 9.15rc1 (first release candidate for 9.15). + For details see the News.htm and History9.htm files. +- ppc64le-support.patch is no longer needed because + it is fixed in the upstream sources. +- Removed trailing whitespaces in spec file and changes file. + +------------------------------------------------------------------- +Mon Aug 18 15:12:28 UTC 2014 - meissner@suse.com + +- gs does not seem to require libopenssl-devel for building. + +------------------------------------------------------------------- +Thu Mar 27 12:21:55 CET 2014 - jsmeix@suse.de + +- Version upgrade to 9.14. Primarily a maintenance release. + Highlights in this release include (excerpt): + * pdfwrite now uses the same color management engine as + Ghostscript rendering devices (by default LCMS2). For + the duration of this release a new switch -dPDFUseOldCMS + is available which will restore the old color management. + See: "Color Conversion and Management" in Ps2pdf.htm + Due to constraints of the PDF/A-1 specification, the new color + management does not yet apply when producing PDF/A files. + * A new device 'eps2write' has been added which allows for the + creation of EPS files using the ps2write device instead of + the deprecated and removed pswrite device. The epswrite device + is now also deprecated and will be removed in a future release. + * Ghostscript has a new "pwgraster" output device for PWG Raster + output. + * The CUPS device now has improved support for PPD-less printing. + For details see the News.htm and History9.htm files. + +------------------------------------------------------------------- +Fri Dec 13 19:09:12 UTC 2013 - uweigand@de.ibm.com + +- ppc64le-support.patch from IBM fixes endianness + in lcms (the Little-CMS library) to support the new + architecture ppc64le (IBM Power PC Little Endian architecture) + because ppc64 is big-endian and ppc64le is little-endian + and lcms has a hard-coded check that assumes PowerPC + is always big-endian which is incorrect on ppc64le. + The fix is already in the main Little-CMS repository + by this Git commit + https://github.com/mm2/Little-CMS/commit/b4f5c91a2c1582bd284f0d0f49cb43e2c2235a79 + (There are some cosmetic changes in the upstream patch.) + It is not yet in the imported copy in Ghostscript. + IBM will work with upstream to get the fix imported too. + +------------------------------------------------------------------- +Tue Sep 3 16:26:46 CEST 2013 - jsmeix@suse.de + +- Version upgrade to 9.10. Primarily a maintenance release. + Highlights in this release include: + * LittleCMS2 and libpng have both been updated to the + latest versions. + * The URW Postscript font set has been updated to the + latest version, fixing many compatibility problems + with the Adobe fonts. + * The CUPS filters gstoraster and gstopxl have been + removed from Ghostscript. Those filters are now provided by + cups-filters (a free software package hosted by OpenPrinting) + that contains all CUPS filters needed by CUPS under Linux + (see also the openSUSE issue bnc#735404 comment#44 at + https://bugzilla.novell.com/show_bug.cgi?id=735404#c44). + For details see the News.htm and History9.htm files. +- fix-undefined-operation.patch is no longer needed because + it is fixed in the upstream sources. + +------------------------------------------------------------------- +Thu Aug 29 15:06:13 CEST 2013 - jsmeix@suse.de + +- Version upgrade to 9.10rc1 (release candidate for the 9.10 version). + For details see the News.htm and History9.htm files. +- Prepare spec files to build both releases and release candidates + easily in the future by using special different version strings. +- fix-undefined-operation.patch fixes + http://bugs.ghostscript.com/show_bug.cgi?id=694546 +- Removed BuildRequires for liblcms-devel because it is not needed + when we build Ghostscript that works in compliance with upstream + (see https://bugzilla.novell.com/show_bug.cgi?id=828751#c5). + +------------------------------------------------------------------- +Wed Mar 27 07:58:08 UTC 2013 - mmeister@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Tue Feb 19 13:51:06 CET 2013 - jsmeix@suse.de + +- Version upgrade to 9.07. + * As of this release (9.07), Ghostscript is distributed + under the GNU Affero General Public License (AGPL). + * Ghostscript has been extended to support file sizes >4Gb + in particular reading and writing PDF files. + * Color management enhancements. Full details of the color + management features can be found in: GS9_Color_Management.pdf + * The pdfwrite devices now supports linearized (or optimized + for fast web view) output directly ("-dFastWebView"). + * With the addition of linearisation to pdfwrite, pdfopt.ps + has become redundant. Since it is difficult to maintain, + has a number of bugs, and is believed not to work properly + anyway, it is removed. Accordingly the pdfopt shell script + that used pdfopt.ps is also removed. + +------------------------------------------------------------------- +Thu Jan 3 11:58:51 CET 2013 - jsmeix@suse.de + +- Provide libijs (that is not done via "configure --with-ijs") + because libijs is needed by the pdftoijs filter in the + cups-filters package (see the README file in cups-filters). + +------------------------------------------------------------------- +Thu Sep 27 12:02:51 UTC 2012 - mmeister@suse.com + +- Version upgrade to 9.06. Mainly a bugfix release. + * pdfwrite announcements: + pdfwrite now supports the creation of PDF/A-2 files. + For further details see the NEWS file. + * removed moribund dumphint tool, see History9.htm and + http://bugs.ghostscript.com/show_bug.cgi?id=693223 + +------------------------------------------------------------------- +Mon Sep 24 10:44:57 UTC 2012 - idonmez@suse.com + +- "export SUSE_ASNEEDED=0" disables -Wl,--as-needed linker flags, + see http://bugs.ghostscript.com/show_bug.cgi?id=693100 + +------------------------------------------------------------------- +Thu May 10 15:49:33 CEST 2012 - jsmeix@suse.de + +- Require Ghostscript's font packages because the + Ghostscript package provides the "Fontmap" file + /usr/share/ghostscript//Resource/Init/Fontmap.GS + which lists Ghostscript's fonts but the fonts itself + are provided in the separated packages ghostscript-fonts-std + and ghostscript-fonts-other so that a RPM requirement + is needed to make sure that Ghostscript has its fonts. +- Extract the catalog of devices which are actually built-in + in exactly this Ghostscript and provide it as catalog.devices + in the Ghostscript package. + +------------------------------------------------------------------- +Fri Apr 27 10:40:53 CEST 2012 - jsmeix@suse.de + +- BuildRequires dbus-1-devel for "configure --enable-dbus" + to have colord support in gstoraster (see the entry regarding + "color management daemon" in doc/History9.htm). + +------------------------------------------------------------------- +Tue Apr 24 14:30:45 CEST 2012 - jsmeix@suse.de + +- Install documentation which is not installed by default + (LICENSE doc/AUTHORS doc/COPYING doc/thirdparty.htm + doc/WhatIsGS.htm doc/GS9_Color_Management.pdf + doc/gs-vms.hlp doc/Ps2ps2.htm). +- Add a link from SUSE's usual documentation directory + (/usr/share/doc/packages/ghostscript/) to Ghostscript's + documentation directory (/usr/share/ghostscript/9.05/doc/) + because "configure --docdir=..." does not work. + +------------------------------------------------------------------- +Thu Apr 5 15:06:56 CEST 2012 - jsmeix@suse.de + +- Removed BuildRequires docbook-toys which is not needed + (db2ps and db2pdf called in ijs/Makefile.am to make ijs_spec.ps + and ijs_spec.pdf but neither of them is made - both are + provided in the sources) but docbook-toys pulls in packages + like texlive-bin-jadetex and texlive-jadetex which needlessly + blow up the build system. + +------------------------------------------------------------------- +Wed Mar 28 10:59:21 CEST 2012 - jsmeix@suse.de + +- Require the basic fonts for Ghostscript + (package ghostscript-fonts-std) and recommend the + optional fonts (package ghostscript-fonts-other). + +------------------------------------------------------------------- +Fri Mar 23 11:32:28 CET 2012 - jsmeix@suse.de + +- Cleaned up BuildRequires. +- Added ghostscript-mini.spec with minimal BuildRequires. +- Explicitly specify configure --with-* versus --without-* + in ghostscript.spec versus ghostscript-mini.spec + to make the differences clear. + +------------------------------------------------------------------- +Fri Mar 16 10:27:01 CET 2012 - jsmeix@suse.de + +- Unfortunately ghostscript-library.spec and ghostscript-mini.spec + have unversioned "Provides: ghostscript" and for RPM this means + that both ghostscript-library and ghostscript-mini + provide any version of ghostscript. Therefore any non-matching + version of ghostscript-library and ghostscript-mini fulfill + any RPM requirement for ghostscript in the ghostscript-x11 + and ghostscript-devel sub-packages which is wrong. + Therefore explicit conflicts with ghostscript-library and + ghostscript-mini are specified in the ghostscript-x11 + and ghostscript-devel sub-packages to avoid the mess. + +------------------------------------------------------------------- +Thu Mar 15 16:43:26 CET 2012 - jsmeix@suse.de + +- Configure --without-libpaper disables libpaper support + because SUSE does not have libpaper. + +------------------------------------------------------------------- +Thu Mar 15 12:28:36 CET 2012 - jsmeix@suse.de + +- Configure --without-jasper and --enable-openjpeg because + since Ghostscript 9.05 JasPer is deprecated and Ghostscript + now ships modified OpenJPEG sources for JPEG2000 decoding + (replacing JasPer). Performance, reliability and memory use + whilst decoding JPX streams are all improved. Accordingly + the BuildRequires libjasper-devel is removed. +- Configure --without-ufst and --without-luratech because + those are relevant to commercial releases only + which would require a commercial license. +- Added BuildRequires libtool which requires automake and + automake requires autoconf to fix build requirements + for openSUSE:Factory. + +------------------------------------------------------------------- +Fri Feb 24 16:48:06 CET 2012 - jsmeix@suse.de + +- Using fixed /usr/lib/cups/filter (no lib64) because CUPS + in the Printing project uses it in any case. + +------------------------------------------------------------------- +Fri Feb 24 15:21:05 CET 2012 - jsmeix@suse.de + +- Adapt RPM dependencies to what is actually used + in openSUSE:Factory (dated 22 Feb. 2012). + +------------------------------------------------------------------- +Thu Feb 16 15:36:21 CET 2012 - jsmeix@suse.de + +- Added RPM dependencies to make sure ghostscript-x11 and the + main-package have exact matching version-release because both + could have any kind of Ghostscript-internal dependencies. + This is only an approximation to have ghostscript-x11 and + the main-package from the same build where the main-package + and its sub-package have been made but currently there is + no clean way to specify a 'same build' RPM dependency. + Therefore currently ghostscript-x11 and the main-package could + have same version-release but nevertheless come from different + projects/repositories (e.g. with different patches or + whatever kind of differences). + +------------------------------------------------------------------- +Wed Feb 15 11:42:41 CET 2012 - jsmeix@suse.de + +- Split files which require X11 stuff into a ghostscript-x11 + sub-package (currently only /usr/lib/ghostscript/9.05/X11.so) + so that the ghostscript package can be installed without X11. + +------------------------------------------------------------------- +Thu Feb 9 11:34:33 CET 2012 - jsmeix@suse.de + +- Upgrade to version 9.05 (see bnc#735824): + New simple ink-coverage device (inkconv). + The ps2write device has a large number of improvements. + Fixes and improvements for the CUPS Raster output device + (in particular Ghostscript bug 691922 regarding color model). + Renamed the PXL CUPS filter from "pstopxl" to "gstopxl". + For details see the doc/News.htm file. +- Removed "make cups" and "make cups-install" from spec file + using "configure ... --with-install-cups" instead + (new since version 9.04, see "configure --help"). + +------------------------------------------------------------------- +Tue Dec 13 15:18:06 UTC 2011 - jw@suse.com + +- Upgrade to version 9.04 (see bnc#735824): + For details see the doc/News.htm file. +- Added "make cups" and "make cups-install" to spec file. + +------------------------------------------------------------------- +Tue Mar 15 16:06:40 CET 2011 - jsmeix@suse.de + +- Initial ghostscript package. + diff --git a/ghostscript.spec b/ghostscript.spec new file mode 100644 index 0000000..3463fac --- /dev/null +++ b/ghostscript.spec @@ -0,0 +1,427 @@ +# +# spec file for package ghostscript +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%global flavor @BUILD_FLAVOR@%{nil} +%if "%{flavor}" == "mini" +%global psuffix -mini +%else +%global psuffix %{nil} +%bcond_without apparmor +%endif +Name: ghostscript%{psuffix} +Version: 10.02.1 +Release: 0 +Summary: The Ghostscript interpreter for PostScript and PDF +License: AGPL-3.0-only +Group: Productivity/Office/Other +URL: https://www.ghostscript.com/ +Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-%{version}.tar.xz +Source10: apparmor_ghostscript +# Patch0...Patch9 is for patches from upstream: +# Source10...Source99 is for sources from SUSE which are intended for upstream: +# Patch10...Patch99 is for patches from SUSE which are intended for upstream: +# Source100...Source999 is for sources from SUSE which are not intended for upstream: +# Patch100...Patch999 is for patches from SUSE which are not intended for upstream: +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): +Patch101: ijs_exec_server_dont_use_sh.patch +# Build Requirements: +BuildRequires: freetype2-devel +BuildRequires: libjpeg-devel +BuildRequires: liblcms2-devel +BuildRequires: libpng-devel +BuildRequires: libtiff-devel +BuildRequires: libtool +BuildRequires: pkgconfig +BuildRequires: update-alternatives +BuildRequires: zlib-devel +Requires(post): update-alternatives +Requires(preun): update-alternatives +# Provide the additional RPM Provides of the ghostscript-library package +# (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below). +# The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any" +# so other packages can build with any available Ghostscript implementation, +# either ghostscript or ghostscript-mini ("BuildRequires: ghostscript-mini" should not +# be used because ghostscript-mini does not exist outside of OBS so other packages that +# use "BuildRequires: ghostscript-mini" could not be built in published products). +# The "Provides: ghostscript_any" does not affect end-users who should not get +# ghostscript-mini installed (but only the full featured ghostscript package) +# because ghostscript-mini (and ghostscript-mini-devel) are not published +# in openSUSE products, cf. https://build.opensuse.org/request/show/877083 +Provides: ghostscript_any = %{version} +%if "%{flavor}" != "mini" +BuildRequires: dbus-1-devel +BuildRequires: libexpat-devel +BuildRequires: xorg-x11-fonts +BuildRequires: pkgconfig(ice) +BuildRequires: pkgconfig(sm) +BuildRequires: pkgconfig(x11) +BuildRequires: pkgconfig(xext) +BuildRequires: pkgconfig(xproto) +BuildRequires: pkgconfig(xt) +%if 0%{?suse_version} == 1315 +BuildRequires: cups154-devel +%else +BuildRequires: cups-devel +%endif +%if %{with apparmor} +%if 0%{?suse_version} >= 1500 +BuildRequires: apparmor-abstractions +BuildRequires: apparmor-rpm-macros +%endif +%endif +%endif +# Always check if latest version of openjpeg becomes compatible with ghostscript +%if 0%{?suse_version} >= 1550 +BuildRequires: pkgconfig(libopenjp2) >= 2.3.1 +%endif +%if "%{flavor}" == "mini" +Conflicts: ghostscript +Conflicts: ghostscript-devel +Conflicts: ghostscript-library +Conflicts: ghostscript-x11 +%else +Recommends: ghostscript-x11 = %{version}-%{release} +Conflicts: ghostscript-x11 < %{version}-%{release} +Provides: %{version} +Provides: ghostscript-library = %{version} +Provides: gs = %{version} +Provides: gs_lib = %{version} +Provides: pstoraster +Obsoletes: ghostscript-library < %{version} +# The "Obsoletes: ghostscript-mini" is intentionally unversioned because +# this package ghostscript should replace any version of ghostscript-mini. +Obsoletes: ghostscript-mini +%if 0%{?suse_version} > 1210 +Recommends: (cups-filters-ghostscript if cups) +%endif +%endif + +%description +Ghostscript is a package of software that provides: + +An interpreter for the PostScript language, with the ability to convert +PostScript language files to many raster formats, view them on displays, and +print them on printers that don't have PostScript language capability built in. + +An interpreter for Portable Document Format (PDF) files, with the same +abilities. + +The ability to convert PostScript language files to PDF (with some limitations) +and vice versa. + +A set of C procedures (the Ghostscript library) that implement the graphics and +filtering (data compression / decompression / conversion) capabilities that +appear as primitive operations in the PostScript language and in PDF. + +For information how to use Ghostscript see +%{_datadir}/ghostscript/%{version}/doc/Use.htm + +%package x11 +Summary: X11 library for Ghostscript +Group: Productivity/Publishing/PS +Requires: ghostscript = %{version}-%{release} +Conflicts: ghostscript-library < %{version} +Conflicts: ghostscript-library > %{version} +Conflicts: ghostscript-mini +Provides: ghostscript_x11 = %{version} + +%description x11 +This package contains the X11 library which is needed to view PostScript and +PDF files with Ghostscript under the X Window System. + +%package devel +Summary: Development files for Ghostscript +Group: Development/Libraries/C and C++ +Requires: ghostscript = %{version} +Conflicts: ghostscript-library < %{version} +Conflicts: ghostscript-library > %{version} +Conflicts: ghostscript-mini +Conflicts: ghostscript-mini-devel + +%description devel +This package contains the development files for Ghostscript. + +%prep +%setup -q -n ghostscript-%{version} + +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): +%patch -P 101 -p1 +# Remove patch backup files to avoid packaging +# cf. https://build.opensuse.org/request/show/581052 +rm -f Resource/Init/*.ps.orig +rm -rf freetype jpeg libpng lcms2art zlib tiff +%if 0%{?suse_version} >= 1550 +rm -rf openjpeg +%endif + +%build +# Derive build timestamp from latest changelog entry +export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s}) +# Set our preferred architecture-specific flags for the compiler and linker: +export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC" +export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC" +export LDFLAGS="-pie" +autoreconf -fi +# --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used. +# --enable-cups but no longer --with-pdftoraster --enable-dbus --with-install-cups because +# --with-install-cups was introduced in version 9.04 but meanwhile it is an unrecognized option by configure +# because cups/filter/gstoraster and cups/filter/gstopxl and related files gstoraster.convs pxlcolor.ppd pxlmono.ppd +# are no longer provided by Ghostscript but were moved to the cups-filters package. +# also pdftoraster is provided by cups-filters and there is colord support that +# would need --enable-dbus because colord is accessed via D-Bus. +# --with-ijs to enable IJS printer driver support (in particular needed by HPIJS). +# --with-drivers=ALL to all file format drivers and all printer drivers. +# --with-x to use the X Window System. +# --enable-openjpeg because since Ghostscript 9.05 JasPer is deprecated +# (--without-jasper is now an unrecognized option by configure) +# and Ghostscript now ships modified OpenJPEG sources for JPEG2000 decoding +# (replacing JasPer - although JasPer is still included for this release) +# Performance, reliability and memory use whilst decoding JPX streams are all improved. +# see also http://bugs.ghostscript.com/show_bug.cgi?id=691430 +# --without-ufst because this is relevant to commercial releases only +# which would require a commercial license. +# --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...) +# into the library, which is the upstream recommendation for distributions. This also allows +# unbundling the 35 Postscript Standard fonts, provided by the URW font package +# --without-libpaper disables libpaper support because SUSE does not have libpaper. +# --without-tesseract because this requires C++ (it might be added if Tesseract support in Ghostscript is needed). +%define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW +# See http://bugs.ghostscript.com/show_bug.cgi?id=693100 +export SUSE_ASNEEDED=0 +%configure \ + --with-fontpath=%{gs_font_path} \ + --with-libiconv=maybe \ + --enable-freetype \ + --with-jbig2dec \ + --enable-openjpeg \ + --disable-hidden-visibility \ + --enable-dynamic \ + --disable-compile-inits \ +%if "%{flavor}" == "mini" + --without-ijs \ + --disable-cups \ + --disable-dbus \ + --without-pdftoraster \ + --with-drivers=FILES \ + --without-x \ +%else + --with-ijs \ + --enable-cups \ + --enable-dbus \ + --without-pdftoraster \ + --with-drivers=ALL \ + --with-x \ +%endif + --without-local-zlib \ + --with-system-libtiff \ + --disable-gtk \ + --without-ufst \ + --without-libpaper \ + --without-tesseract + +# Make libgs.so and two programs which use it, gsx and gsc: +# With --disable-gtk, gsx and gsc are identical. It provides a command line +# frontend to libgs equivalent (functional and command line arguments) to +# the gs binary, but uses the shared libgs instead of static linking +%make_build so +# Configure and make libijs (that is not done regardless whether or not --with-ijs is used above): +pushd ijs +./autogen.sh +autoreconf -fi +%configure --enable-shared --disable-static +%make_build +popd + +%install +# Install libgs.so gsx gsc and some header files: +make soinstall DESTDIR=%{buildroot} +# Use gsc instead of gs, and remove duplicate gsx (see above) +mv %{buildroot}/%{_bindir}/{gsc,gs} +rm %{buildroot}/%{_bindir}/gsx +# Install libijs and its header files: +pushd ijs +%make_install +popd +# Remove installed ijs example client and server and its .la file: +rm %{buildroot}%{_bindir}/ijs_client_example +rm %{buildroot}%{_bindir}/ijs_server_example +rm %{buildroot}%{_libdir}/libijs.la +# Install examples: +EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples +test -d $EXAMPLESDIR || install -d $EXAMPLESDIR +for E in examples/* +do install -m 644 $E $EXAMPLESDIR || : +done +test -d $EXAMPLESDIR/cjk || install -d $EXAMPLESDIR/cjk +for E in examples/cjk/* +do install -m 644 $E $EXAMPLESDIR/cjk || : +done +# Install documentation which is not installed by default +# see http://bugs.ghostscript.com/show_bug.cgi?id=693002 +# and fail intentionally as notification if something changed: +DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{version} +for D in LICENSE +do test -e $DOCDIR/$( basename $D ) && exit 99 + install -m 644 $D $DOCDIR +done +# Add a link named 'ghostscript' from SUSE's usual documentation directory /usr/share/doc/packages +# with link target Ghostscript's documentation directory e.g. /usr/share/doc/ghostscript/9.23 +# as relative link to get the link independent of the buildroot prefix +# i.e. in /usr/share/doc/packages add the link ghostscript -> ../ghostscript/9.23 +# because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above): +install -d -m 755 %{buildroot}%{_defaultdocdir} +pushd %{buildroot}%{_defaultdocdir} +ln -s ../ghostscript/%{version} ghostscript +popd +# Extract the catalog of devices which are actually built-in in exactly this Ghostscript: +# If a needed source file is no longer accessible fail intentionally as notification +# that something changed which needs adaptions here: +catalog_devices_source_files="devices/devs.mak devices/dcontrib.mak contrib/contrib.mak" +for F in $catalog_devices_source_files +do test -r $F || exit 99 +done +# Do not pollute the build log file with zillions of meaningless messages: +set +x +cat /dev/null >catalog.devices +for D in $( LD_LIBRARY_PATH=%{buildroot}/%{_libdir} %{buildroot}%{_bindir}/gs -h | sed -n -e '/^Available devices:/,/^Search path:/p' | grep -E -v '^Available devices:|^Search path:' ) +do for F in $catalog_devices_source_files + do sed -n -e '/ Catalog /,/ End of catalog /p' $F | grep "[[:space:]]$D[[:space:]]" | grep -o '[[:alnum:]].*' | tr -s '[:blank:]' ' ' | sed -e 's/ /\t/' | expand -t16 >>catalog.devices + done +done +# Switch back to the usual build log messages: +set -x +install -m 644 catalog.devices $DOCDIR +%if %{with apparmor} +%if "%{flavor}" != "mini" +install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript +%endif +%endif + +# Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives +install -d %{buildroot}%{_sysconfdir}/alternatives +mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin +ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs +ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs + +%post +/sbin/ldconfig +%if %{with apparmor} +%if "%{flavor}" != "mini" +%if 0%{?suse_version} >= 1500 +%apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript +%endif +%endif +%endif +%{_sbindir}/update-alternatives \ + --install %{_bindir}/gs gs %{_bindir}/gs.bin 15 + +%postun -p /sbin/ldconfig + +%preun +if test $1 -eq 0 ; then + %{_sbindir}/update-alternatives \ + --remove gs %{_bindir}/gs.bin +fi + +%files +%license LICENSE +%ghost %config %{_sysconfdir}/alternatives/gs +%{_bindir}/dvipdf +%{_bindir}/eps2eps +%{_bindir}/gs +%{_bindir}/gs.bin +%{_bindir}/gsbj +%{_bindir}/gsdj +%{_bindir}/gsdj500 +%{_bindir}/gslj +%{_bindir}/gslp +%{_bindir}/gsnd +%{_bindir}/lprsetup.sh +%{_bindir}/pdf2dsc +%{_bindir}/pdf2ps +%{_bindir}/pf2afm +%{_bindir}/pfbtopfa +%{_bindir}/pphs +%{_bindir}/printafm +%{_bindir}/ps2ascii +%{_bindir}/ps2epsi +%{_bindir}/ps2pdf +%{_bindir}/ps2pdf12 +%{_bindir}/ps2pdf13 +%{_bindir}/ps2pdf14 +%{_bindir}/ps2pdfwr +%{_bindir}/ps2ps +%{_bindir}/ps2ps2 +%{_bindir}/unix-lpr.sh +%{_mandir}/man1/dvipdf.1%{?ext_man} +%{_mandir}/man1/eps2eps.1%{?ext_man} +%{_mandir}/man1/gs.1%{?ext_man} +%{_mandir}/man1/gsbj.1%{?ext_man} +%{_mandir}/man1/gsdj.1%{?ext_man} +%{_mandir}/man1/gsdj500.1%{?ext_man} +%{_mandir}/man1/gslj.1%{?ext_man} +%{_mandir}/man1/gslp.1%{?ext_man} +%{_mandir}/man1/gsnd.1%{?ext_man} +%{_mandir}/man1/pdf2dsc.1%{?ext_man} +%{_mandir}/man1/pdf2ps.1%{?ext_man} +%{_mandir}/man1/pf2afm.1%{?ext_man} +%{_mandir}/man1/pfbtopfa.1%{?ext_man} +%{_mandir}/man1/printafm.1%{?ext_man} +%{_mandir}/man1/ps2ascii.1%{?ext_man} +%{_mandir}/man1/ps2epsi.1%{?ext_man} +%{_mandir}/man1/ps2pdf.1%{?ext_man} +%{_mandir}/man1/ps2pdf12.1%{?ext_man} +%{_mandir}/man1/ps2pdf13.1%{?ext_man} +%{_mandir}/man1/ps2pdf14.1%{?ext_man} +%{_mandir}/man1/ps2pdfwr.1%{?ext_man} +%{_mandir}/man1/ps2ps.1%{?ext_man} +%doc %{_defaultdocdir}/ghostscript +%dir %{_datadir}/doc/ghostscript +%doc %{_datadir}/doc/ghostscript/%{version} +%dir %{_datadir}/ghostscript +%dir %{_datadir}/ghostscript/%{version} +%{_datadir}/ghostscript/%{version}/Resource +%{_datadir}/ghostscript/%{version}/iccprofiles +%{_datadir}/ghostscript/%{version}/examples/ +%{_datadir}/ghostscript/%{version}/lib/ +%{_libdir}/libgs.so.* +%{_libdir}/ghostscript/ +%{_libdir}/libijs-0.35.so +%if "%{flavor}" != "mini" +%exclude %{_libdir}/ghostscript/%{version}/X11.so +%if %{with apparmor} +%if 0%{?suse_version} < 1500 +%dir %{_sysconfdir}/apparmor.d +%endif +%{_sysconfdir}/apparmor.d/ghostscript +%endif + +%files x11 +%{_libdir}/ghostscript/%{version}/X11.so +%endif + +%files devel +%{_includedir}/ghostscript/ +%{_libdir}/libgs.so +%{_includedir}/ijs/ +%{_libdir}/libijs.so +%{_libdir}/pkgconfig/ijs.pc + +%changelog diff --git a/ijs_exec_server_dont_use_sh.patch b/ijs_exec_server_dont_use_sh.patch new file mode 100644 index 0000000..1e2f06a --- /dev/null +++ b/ijs_exec_server_dont_use_sh.patch @@ -0,0 +1,32 @@ +From 0d58bab5cdc7e76d7220ce441d39812c85329ba2 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Fri, 8 Mar 2019 12:01:13 +0100 +Subject: [PATCH] ijs: ijs_exec_server(): don't use "sh" + +If ghostscript is confined using security profiles, executing "sh" +must be obviously avoided. So, try to exec the IJS server binary +directly. This should enable security profile writers to select +which IJS binaries to allow. + +Signed-off-by: Martin Wilck +--- + ijs/ijs_exec_unix.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/ijs/ijs_exec_unix.c b/ijs/ijs_exec_unix.c +index 6225694..e775dc3 100644 +--- a/ijs/ijs_exec_unix.c ++++ b/ijs/ijs_exec_unix.c +@@ -70,9 +70,6 @@ ijs_exec_server(const char *server_cmd, int *pfd_to, int *pfd_from, + argv[i++] = "gdb"; + #endif + +- argv[i++] = "sh"; +- argv[i++] = "-c"; +- + argv[i++] = (char *)server_cmd; + argv[i++] = NULL; + status = execvp (argv[0], (char * const *)argv); +-- +2.21.0 +