Accepting request 668141 from Printing

Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319 (forwarded request 668140 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/668141
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=35

ghostscript-2.26-subclassing-devices-fix-put_image-method.patch

@@ -0,0 +1,34 @@
+From fae21f1668d2b44b18b84cf0923a1d5f3008a696 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 4 Dec 2018 21:31:31 +0000
+Subject: [PATCH] subclassing devices - fix put_image method
+
+The subclassing devices need to change the 'memory device' parameter to
+be the child device, when its the same as the subclassing device.
+
+Otherwise we end up trying to access the child device's memory pointers
+in the subclassing device, which may not contain valid copies of
+those pointers.
+---
+ base/gdevsclass.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/base/gdevsclass.c b/base/gdevsclass.c
+index d9c85d2..5109258 100644
+--- a/base/gdevsclass.c
++++ b/base/gdevsclass.c
+@@ -797,7 +797,10 @@ int default_subclass_put_image(gx_device *dev, gx_device *mdev, const byte **buf
+             int alpha_plane_index, int tag_plane_index)
+ {
+     if (dev->child)
+-        return dev_proc(dev->child, put_image)(dev->child, mdev, buffers, num_chan, x, y, width, height, row_stride, alpha_plane_index, tag_plane_index);
++        if (dev == mdev)
++            return dev_proc(dev->child, put_image)(dev->child, dev->child, buffers, num_chan, x, y, width, height, row_stride, alpha_plane_index, tag_plane_index);
++        else
++            return dev_proc(dev->child, put_image)(dev->child, mdev, buffers, num_chan, x, y, width, height, row_stride, alpha_plane_index, tag_plane_index);
+ 
+     return 0;
+ }
+-- 
+2.9.1
+

ghostscript-9.26.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:831fc019bd477f7cc2d481dc5395ebfa4a593a95eb2fe1eb231a97e450d7540d
-size 42084660

ghostscript-9.26a.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79482d5b8350a542ed830ce724b7317f878bcddbdbc163471e2a74848462eb3b
+size 42087219

ghostscript-mini.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
+
+- Version upgrade to 9.26a
+  The version 9.26a is a special security bugfix version to fix
+  * CVE-2019-6116: subroutines within pseudo-operators
+    must themselves be pseudo-operators
+    https://bugs.ghostscript.com/show_bug.cgi?id=700317
+    https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319
+
+-------------------------------------------------------------------
+Thu Jan 10 17:09:16 UTC 2019 - jweberhofer@weberhofer.at
+
+- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
+  fixes Ghostscript issue #700315 and bsc#1121490
+  https://bugs.ghostscript.com/show_bug.cgi?id=700315
+  Segfault in GS 9.26 with certain PDFs with -dLastPage=1
+
 -------------------------------------------------------------------
 Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,9 +38,13 @@ Url:            http://www.ghostscript.com/
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.25pre26rc1
-# Normal version for Ghostscript releases is the upstream version:
+# The upstream version 9.26a is a special Ghostscript upstream security bugfix tar ball
-Version:        9.26
+# where upstream provides a complete and consistent state of the whole Ghostscript code
+# that includes in particular the complete patchset that is really non-trivial
+# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
+Version:        9.26a
 Release:        0
+# Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
 # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
@@ -49,8 +53,8 @@ Release:        0
 # built_version is used below in the install and files sections:
 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
-%define built_version %{version}
+#define built_version %{version}
-#define built_version 9.26
+%define built_version 9.26
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -68,6 +72,7 @@ Release:        0
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
+Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -133,6 +138,7 @@ This package contains the development files for Minimal Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+%patch0 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream

ghostscript.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
+
+- Version upgrade to 9.26a
+  The version 9.26a is a special security bugfix version to fix
+  * CVE-2019-6116: subroutines within pseudo-operators
+    must themselves be pseudo-operators
+    https://bugs.ghostscript.com/show_bug.cgi?id=700317
+    https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319
+
+-------------------------------------------------------------------
+Thu Jan 10 17:09:16 UTC 2019 - jweberhofer@weberhofer.at
+
+- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
+  fixes Ghostscript issue #700315 and bsc#1121490
+  https://bugs.ghostscript.com/show_bug.cgi?id=700315
+  Segfault in GS 9.26 with certain PDFs with -dLastPage=1
+
 -------------------------------------------------------------------
 Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
 

ghostscript.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -58,9 +58,13 @@ Url:            http://www.ghostscript.com/
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.25pre26rc1
-# Normal version for Ghostscript releases is the upstream version:
+# The upstream version 9.26a is a special Ghostscript upstream security bugfix tar ball
-Version:        9.26
+# where upstream provides a complete and consistent state of the whole Ghostscript code
+# that includes in particular the complete patchset that is really non-trivial
+# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
+Version:        9.26a
 Release:        0
+# Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
 # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
@@ -69,8 +73,8 @@ Release:        0
 # built_version is used below in the install and files sections:
 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
-%define built_version %{version}
+#define built_version %{version}
-#define built_version 9.26
+%define built_version 9.26
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -88,6 +92,7 @@ Release:        0
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
+Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -269,6 +274,7 @@ This package contains the development files for Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+%patch0 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream