pool/ghostscript
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 682767 from home:mwilck:branches:Printing

Browse Source 
- Fix IJS printing problem (bsc#1128467)
  * added ijs_exec_server_dont_use_sh.patch
  * allow exec'ing hpijs in apparmor profile

OBS-URL: https://build.opensuse.org/request/show/682767
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=107
This commit is contained in:
Tomáš Chvátal 2019-03-08 12:28:32 +00:00 committed by Git OBS Bridge
parent 3d3f520cee
commit 0dd7230d55
5 changed files with 47 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apparmor_usr.bin.gs
View File

@ -15,4 +15,5 @@ profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps
/usr/lib64/ghostscript/** m, /usr/lib64/ghostscript/** m,
/usr/lib64/libgs.so.* m, /usr/lib64/libgs.so.* m,
/usr/lib64/libijs-* m, /usr/lib64/libijs-* m,
/usr/bin/hpijs ix,
} }

4
ghostscript-mini.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package ghostscript-mini # spec file for package ghostscript-mini
# #
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #

7
ghostscript.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Mar 8 10:49:18 UTC 2019 - Martin Wilck <mwilck@suse.com>
- Fix IJS printing problem (bsc#1128467)
* added ijs_exec_server_dont_use_sh.patch
* allow exec'ing hpijs in apparmor profile
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com

8
ghostscript.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package ghostscript # spec file for package ghostscript
# #
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
@ -101,6 +101,7 @@ Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch Patch100: remove-zlib-h-dependency.patch
Patch101: ijs_exec_server_dont_use_sh.patch
# RPM dependencies: # RPM dependencies:
# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
# "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@ -217,7 +218,6 @@ For information how to use Ghostscript see
%package x11 %package x11
Summary: X11 library for Ghostscript Summary: X11 library for Ghostscript
Group: Productivity/Publishing/PS
# Require the exact matching version-release of the ghostscript main-package because # Require the exact matching version-release of the ghostscript main-package because
# a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault) # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
# because all Ghostscript software is built from one same Ghostscript source tar ball # because all Ghostscript software is built from one same Ghostscript source tar ball
@ -225,6 +225,7 @@ Group: Productivity/Publishing/PS
# The exact matching version-release of the ghostscript main-package is available # The exact matching version-release of the ghostscript main-package is available
# on the same package repository where the ghostscript-x11 sub-package is because # on the same package repository where the ghostscript-x11 sub-package is because
# all are built simulaneously from the same Ghostscript source package: # all are built simulaneously from the same Ghostscript source package:
Group: Productivity/Publishing/PS
Requires: ghostscript = %{version}-%{release} Requires: ghostscript = %{version}-%{release}
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
# an unversioned "Provides: ghostscript" and for RPM this means that both # an unversioned "Provides: ghostscript" and for RPM this means that both
@ -282,6 +283,7 @@ This package contains the development files for Ghostscript.
# and disable remove-zlib-h-dependency.patch because # and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way: # Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig #patch100 -p1 -b remove-zlib-h-dependency.orig
%patch101 -p1
# Remove patch backup files to avoid packaging # Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052 # cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig rm -f Resource/Init/*.ps.orig

32
ijs_exec_server_dont_use_sh.patch Normal file
View File

@ -0,0 +1,32 @@
From 0d58bab5cdc7e76d7220ce441d39812c85329ba2 Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwilck@suse.com>
Date: Fri, 8 Mar 2019 12:01:13 +0100
Subject: [PATCH] ijs: ijs_exec_server(): don't use "sh"
If ghostscript is confined using security profiles, executing "sh"
must be obviously avoided. So, try to exec the IJS server binary
directly. This should enable security profile writers to select
which IJS binaries to allow.
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
ijs/ijs_exec_unix.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/ijs/ijs_exec_unix.c b/ijs/ijs_exec_unix.c
index 6225694..e775dc3 100644
--- a/ijs/ijs_exec_unix.c
+++ b/ijs/ijs_exec_unix.c
@@ -70,9 +70,6 @@ ijs_exec_server(const char *server_cmd, int *pfd_to, int *pfd_from,
argv[i++] = "gdb";
#endif
- argv[i++] = "sh";
- argv[i++] = "-c";
-
argv[i++] = (char *)server_cmd;
argv[i++] = NULL;
status = execvp (argv[0], (char * const *)argv);
--
2.21.0