Sync from SUSE:SLFO:1.1 ghostscript revision f82b36c31d020d2ecbd3e59ecb1c2b30

2025-04-15 19:03:42 +02:00
6 changed files with 20 additions and 199 deletions
--- a/2010_add_build_timestamp_setting.patch
+++ b/2010_add_build_timestamp_setting.patch
@@ -1,120 +0,0 @@
 Description: Allow the build timestamp to be externally set
 In order to make Ghostscript output reproducible, we need a way to
 set the build timestamp to other values than the current time.
 We now consistently use gp_get_realtime() instead of directly calling
 time() or gp_get_usertime() and make gp_get_realtime() use the value
 found in the SOURCE_DATE_EPOCH environment variable if set. Also,
 environment timezone is fixed to UTC if SOURCE_DATE_EPOCH is used to
 avoid variations.
 Author: Eduard Sanou <dhole@openmailbox.org>
 Author: Peter De Wachter <pdewacht@gmail.com>
 Bug-Debian: https://bugs.debian.org/794004
 Forwarded: not-needed
 Last-Update: 2023-09-13
 ---
 This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
 --- a/base/gp_unix.c
 +++ b/base/gp_unix.c
@@ -19,6 +19,7 @@
 #ifdef __MINGW32__
 #  include "windows_.h"
 #endif
 +#include "errno_.h"
 #include "pipe_.h"
 #include "string_.h"
 #include "time_.h"
@@ -149,6 +150,7 @@
 gp_get_realtime(long *pdt)
 {
     struct timeval tp;
 +    const char *env;
 #if gettimeofday_no_timezone    /* older versions of SVR4 */
     {
@@ -168,6 +170,26 @@
     }
 #endif
 +    env = getenv("SOURCE_DATE_EPOCH");
 +    if (env) {
 +        char *end;
 +        long timestamp;
 +
 +        errno = 0;
 +        timestamp = strtol(env, &end, 10);
 +        if (env == end || *end || errno != 0) {
 +            lprintf("Ghostscript: SOURCE_DATE_EPOCH is not a number!\n");
 +            timestamp = 0;
 +        }
 +
 +        tp.tv_sec = timestamp;
 +        tp.tv_usec = 0;
 +
 +        /* We need to fix the environment timezone to get reproducible */
 +        /* results when parsing the result of gp_get_realtime. */
 +        setenv("TZ", "UTC", 1);
 +    }
 +
     /* tp.tv_sec is #secs since Jan 1, 1970 */
     pdt[0] = tp.tv_sec;
 --- a/devices/vector/gdevpdf.c
 +++ b/devices/vector/gdevpdf.c
@@ -437,6 +437,7 @@
     if (!pdev->OmitInfoDate)
     {
         struct tm tms;
 +        long secs_ns[2];
         time_t t;
         char buf[1+2+4+2+2+2+2+2+1+2+1+2+1+1+1]; /* (D:yyyymmddhhmmssZhh'mm')\0 */
         int timeoffset;
@@ -448,7 +449,8 @@
         timesign = 'Z';
         timeoffset = 0;
 #else
 -        time(&t);
 +        gp_get_realtime(secs_ns);
 +        t = secs_ns[0];
         tms = *gmtime(&t);
         tms.tm_isdst = -1;
         timeoffset = (int)difftime(t, mktime(&tms)); /* tz+dst in seconds */
 --- a/devices/vector/gdevpdfe.c
 +++ b/devices/vector/gdevpdfe.c
@@ -216,6 +216,7 @@
 {
     /* We don't write a day time because we don't have a time zone. */
     struct tm tms;
 +    long secs_ns[2];
     time_t t;
     char buf1[4+1+2+1+2+1]; /* yyyy-mm-dd\0 */
@@ -223,7 +224,8 @@
     memset(&t, 0, sizeof(t));
     memset(&tms, 0, sizeof(tms));
 #else
 -    time(&t);
 +    gp_get_realtime(secs_ns);
 +    t = secs_ns[0];
     tms = *localtime(&t);
 #endif
     gs_snprintf(buf1, sizeof(buf1),
 --- a/devices/vector/gdevpsu.c
 +++ b/devices/vector/gdevpsu.c
@@ -187,6 +187,7 @@
             dev->dname);
 #endif
     {
 +        long secs_ns[2];
         time_t t;
         struct tm tms;
@@ -194,7 +195,8 @@
         memset(&t, 0, sizeof(t));
         memset(&tms, 0, sizeof(tms));
 #else
 -        time(&t);
 +        gp_get_realtime(secs_ns);
 +        t = secs_ns[0];
         tms = *localtime(&t);
 #endif
         fprintf(f, "%%%%CreationDate: %d/%02d/%02d %02d:%02d:%02d\n",
--- a/ghostscript-10.03.1.tar.gz
+++ b/ghostscript-10.03.1.tar.gz
--- a/ghostscript-10.04.0.tar.gz
+++ b/ghostscript-10.04.0.tar.gz
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,49 +1,3 @@
 -------------------------------------------------------------------
 Tue Feb  4 09:42:47 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
 - Add reproducible.patch to not embed timestamp in .h file
 - Add 2010_add_build_timestamp_setting.patch to allow overriding
  timestamp in generated pdf (boo#1236773)
 -------------------------------------------------------------------
 Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 - Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024"
  by adding the individual "bsc" numbers for each CVE, see
  https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4
  and by adding the "IMPORTANT" change in Ghostscript 10.04.0
 - spec file cleanup: removed the special cases for SLE12
  i.e. rely on "suse_version >= 1500" as given precondition
  (recent Ghostscript versions fail to build in SLE12 anyway)
 -------------------------------------------------------------------
 Wed Oct 23 08:54:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
 - Version upgrade to 10.04.0 (bsc#1232173):
  Highlights in this release include:
  See 'Recent Changes in Ghostscript' at Ghostscript upstream
  https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
  * This release addresses:
    + CVE-2024-46951 (bsc#1232265)
    + CVE-2024-46952 (bsc#1232266)
    + CVE-2024-46953 (bsc#1232267)
    + CVE-2024-46954 (bsc#1232268)
    + CVE-2024-46955 (bsc#1232269)
    + CVE-2024-46956 (bsc#1232270)
  * IMPORTANT: In this release (10.04.0)
    we (i.e. Ghostscript upstream) have be added
    protection for device selection from PostScript input.
    This will mean that, by default, only the device specified
    on the command line will be permitted. Similar to the file
    permissions, there will be a "--permit-devices=" allowing
    a comma separation list of allowed devices. This will also
    take a single wildcard "*" allowing any device.
    Any application which relies on allowing PostScript
    to change devices during a job will have to be aware,
    and take action to deal with this change.
    The exception is "nulldevice", switching to that requires
    no special action. 
 -------------------------------------------------------------------
 Mon Jul  1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -24,21 +24,19 @@
 %bcond_without  apparmor
 %endif
 Name:           ghostscript%{psuffix}
-Version:        10.04.0
+Version:        10.03.1
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
-# Use "osc service manualrun" to fetch Source0:
+# How to manually get Source0:
 Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-%{version}.tar.gz
 # How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
 # (example for the Ghostscript 10.03.1 release):
 # Go to https://www.ghostscript.com
 # -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
 # -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
 # -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
 # https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
 Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -48,8 +46,6 @@ Source10:       apparmor_ghostscript
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 Patch101:       ijs_exec_server_dont_use_sh.patch
 Patch102:       reproducible.patch
 Patch103:       2010_add_build_timestamp_setting.patch
 # Build Requirements:
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@@ -75,7 +71,6 @@ Requires(preun):update-alternatives
 # in openSUSE products, cf. https://build.opensuse.org/request/show/877083
 Provides:       ghostscript_any = %{version}
 %if "%{flavor}" != "mini"
 BuildRequires:  cups-devel
 BuildRequires:  dbus-1-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  xorg-x11-fonts
@@ -85,11 +80,18 @@ BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xext)
 BuildRequires:  pkgconfig(xproto)
 BuildRequires:  pkgconfig(xt)
 %if 0%{?suse_version} == 1315
 BuildRequires:  cups154-devel
 %else
 BuildRequires:  cups-devel
 %endif
 %if %{with apparmor}
 %if 0%{?suse_version} >= 1500
 BuildRequires:  apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
 %endif
 %endif
 %endif
 # Always check if latest version of openjpeg becomes compatible with ghostscript
 %if 0%{?suse_version} >= 1550
 BuildRequires:  pkgconfig(libopenjp2) >= 2.3.1
@@ -111,8 +113,10 @@ Obsoletes:      ghostscript-library < %{version}
 # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
 # this package ghostscript should replace any version of ghostscript-mini.
 Obsoletes:      ghostscript-mini
 %if 0%{?suse_version} > 1210
 Recommends:     (cups-filters-ghostscript if cups)
 %endif
 %endif
 %description
 Ghostscript is a package of software that provides:
@@ -172,8 +176,6 @@ rm -rf freetype jpeg libpng lcms2art zlib tiff
 %if 0%{?suse_version} >= 1550
 rm -rf openjpeg
 %endif
 %patch -P102 -p1
 %patch -P103 -p1
 %build
 # Derive build timestamp from latest changelog entry
@@ -328,9 +330,11 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 /sbin/ldconfig
 %if %{with apparmor}
 %if "%{flavor}" != "mini"
 %if 0%{?suse_version} >= 1500
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
 %endif
 %{_sbindir}/update-alternatives \
  --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
@@ -409,6 +413,9 @@ fi
 %if "%{flavor}" != "mini"
 %exclude %{_libdir}/ghostscript/%{version}/X11.so
 %if %{with apparmor}
 %if 0%{?suse_version} < 1500
 %dir %{_sysconfdir}/apparmor.d
 %endif
 %{_sysconfdir}/apparmor.d/ghostscript
 %endif
--- a/reproducible.patch
+++ b/reproducible.patch
@@ -1,20 +0,0 @@
 Date: 2024-09-20
 Author: Bernhard M. Wiedemann <bwiedemann suse de>
 Drop build date from generated .h file
 so that openSUSE's ghostscript-debugsource package
 does not vary between builds.
 Index: ghostscript-10.03.1/base/pack_ps.c
 ===================================================================
 --- ghostscript-10.03.1.orig/base/pack_ps.c
 +++ ghostscript-10.03.1/base/pack_ps.c
@@ -344,7 +344,7 @@ main(int argc, char *argv[])
     if (!buildtime) {
         buildtime = time(NULL);
     }
 -    fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" at time %ld */\n", infilename, (long)buildtime);
 +    fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" */\n", infilename);
     while (readline(infile, inputline, INPUT_LINE_LENGTH_MAX)) {