diff --git a/apparmor_usr.bin.gs b/apparmor_usr.bin.gs index 2893f05..86d9df4 100644 --- a/apparmor_usr.bin.gs +++ b/apparmor_usr.bin.gs @@ -15,4 +15,5 @@ profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps /usr/lib64/ghostscript/** m, /usr/lib64/libgs.so.* m, /usr/lib64/libijs-* m, + /usr/bin/hpijs ix, } diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index 1f34672..789a823 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -1,7 +1,7 @@ # # spec file for package ghostscript-mini # -# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # diff --git a/ghostscript.changes b/ghostscript.changes index 5399f3f..52ffe9f 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Mar 8 10:49:18 UTC 2019 - Martin Wilck + +- Fix IJS printing problem (bsc#1128467) + * added ijs_exec_server_dont_use_sh.patch + * allow exec'ing hpijs in apparmor profile + ------------------------------------------------------------------- Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com diff --git a/ghostscript.spec b/ghostscript.spec index a808576..822cc56 100644 --- a/ghostscript.spec +++ b/ghostscript.spec 
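Review bot: The new rule `/usr/bin/hpijs ix,` has no comment saying why gs may execute another binary, and it is the only exec rule visible in this hunk. With `ix` the hpijs process stays under this profile, which is the conservative choice, but it also means hpijs gets only what the gs rules grant, so a test print under the enforced profile is worth doing. I would add `# IJS server exec'ed directly by gs, no shell (bsc#1128467); ix keeps it confined by this profile` above the rule. Other IJS servers stay denied, which looks intended but is not stated anywhere in the profile. The profile body starts outside the hunk.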
@@ -1,7 +1,7 @@ # # spec file for package ghostscript # -# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -101,6 +101,7 @@ Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +Patch101: ijs_exec_server_dont_use_sh.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -217,7 +218,6 @@ For information how to use Ghostscript see %package x11 Summary: X11 library for Ghostscript -Group: Productivity/Publishing/PS # Require the exact matching version-release of the ghostscript main-package because # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault) # because all Ghostscript software is built from one same Ghostscript source tar ball 
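Review bot: `Patch101` in the `@@ -101,6 +101,7 @@` hunk is added without the explanatory comment that the neighbouring `Patch100` entry carries, so a later packager has to go to the changelog to learn why the patch exists. I would put a comment above it such as `# Patch101 ijs_exec_server_dont_use_sh.patch makes ijs_exec_server() exec the IJS server directly instead of via "sh -c" (bsc#1128467):`. The matching `%patch101 -p1` line in the `%prep` hunk could carry the same one-line reminder. ghostscript-mini.spec gets no Patch101 in this commit; that is presumably intentional, but it is worth confirming that the mini build does not ship the IJS code path.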
@@ -225,6 +225,7 @@ Group: Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group: Productivity/Publishing/PS
 Requires: ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@@ -282,6 +283,7 @@ This package contains the development files for Ghostscript.
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
+%patch101 -p1
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
diff --git a/ijs_exec_server_dont_use_sh.patch b/ijs_exec_server_dont_use_sh.patch
new file mode 100644
index 0000000..1e2f06a
--- /dev/null
+++ b/ijs_exec_server_dont_use_sh.patch
@@ -0,0 +1,32 @@
+From 0d58bab5cdc7e76d7220ce441d39812c85329ba2 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Fri, 8 Mar 2019 12:01:13 +0100
+Subject: [PATCH] ijs: ijs_exec_server(): don't use "sh"
+
+If ghostscript is confined using security profiles, executing "sh"
+must be obviously avoided. So, try to exec the IJS server binary
+directly. This should enable security profile writers to select
+which IJS binaries to allow.
+
+Signed-off-by: Martin Wilck
+---
+ ijs/ijs_exec_unix.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ijs/ijs_exec_unix.c b/ijs/ijs_exec_unix.c
+index 6225694..e775dc3 100644
+--- a/ijs/ijs_exec_unix.c
++++ b/ijs/ijs_exec_unix.c
+@@ -70,9 +70,6 @@ ijs_exec_server(const char *server_cmd, int *pfd_to, int *pfd_from,
+ argv[i++] = "gdb";
+ #endif
+
+- argv[i++] = "sh";
+- argv[i++] = "-c";
+-
+ argv[i++] = (char *)server_cmd;
+ argv[i++] = NULL;
+ status = execvp (argv[0], (char * const *)argv);
+--
+2.21.0
+
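Review bot: With `sh -c` removed, `server_cmd` is handed to `execvp` verbatim as `argv[0]` when the gdb branch is not compiled in, so a server string that carries arguments or relies on shell expansion now fails to exec instead of being split by the shell, and the commit message does not mention this behaviour change. `execvp` also still resolves a bare name through `PATH`, so the binary that runs depends on the environment, and a profile rule naming one absolute path only matches when the lookup lands there. I would add a comment above the assignment, e.g. `/* exec the server directly, no shell: server_cmd must be a single program name or path, arguments are not supported */`. The body of ijs_exec_server starts and ends outside the hunk, so how a failed `execvp` is reported to the caller is not visible here and should be checked.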