Accepting request 731293 from Printing

- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
  for CVE-2019-14817

- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
  for CVE-2019-12973

- Update RPM groups.

  use this with its wrapper script

- CVE-2019-10216.patch fixes CVE-2019-10216
  forceput/superexec in .buildfont1 is still accessible
  https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
  https://bugs.ghostscript.com/show_bug.cgi?id=701394
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
  for CVE-2019-14817

- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
  for CVE-2019-12973

- Update RPM groups.

  use this with its wrapper script 

- CVE-2019-10216.patch fixes CVE-2019-10216
  forceput/superexec in .buildfont1 is still accessible

OBS-URL: https://build.opensuse.org/request/show/731293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=42

CVE-2019-10216.patch

@@ -0,0 +1,44 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+---
+ Resource/Init/gs_type1.ps |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- Resource/Init/gs_type1.ps
++++ Resource/Init/gs_type1.ps	2019-09-16 13:09:12.277074046 +0000
+@@ -118,25 +118,25 @@
+                          ( to be the same as glyph: ) print 1 index //== exec } if
+                    3 index exch 3 index .forceput
+                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+-                 }
++                 }executeonly
+                  {pop} ifelse
+-               } forall
++               } executeonly forall
+                pop pop
+-             }
++             } executeonly
+              {
+                pop pop pop
+              } ifelse
+-           }
++           } executeonly
+            {
+                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+              pop pop
+            } ifelse
+-         } forall
++         } executeonly forall
+          3 1 roll pop pop
+-     } if
++     } executeonly if
+      pop
+      dup /.AGLprocessed~GS //true .forceput
+-   } if
++   } executeonly if
+ 
+    %% We need to excute the C .buildfont1 in a stopped context so that, if there
+    %% are errors we can put the stack back sanely and exit. Otherwise callers won't

ghostscript-mini.changes

@@ -1,9 +1,36 @@
+-------------------------------------------------------------------
+Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
+  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
+  for CVE-2019-14817
+
+-------------------------------------------------------------------
+Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
+  for CVE-2019-12973
+
+-------------------------------------------------------------------
+Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update RPM groups.
+
 -------------------------------------------------------------------
 Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
 
 - Use update-alternatives to get the real ghostscript binary from
   /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
-  use this with ist wrapper script
+  use this with its wrapper script
+
+-------------------------------------------------------------------
+Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- CVE-2019-10216.patch fixes CVE-2019-10216
+  forceput/superexec in .buildfont1 is still accessible
+  https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
+  https://bugs.ghostscript.com/show_bug.cgi?id=701394
 
 -------------------------------------------------------------------
 Thu Apr  4 14:37:09 CEST 2019 - jsmeix@suse.de

ghostscript-mini.spec

@@ -35,8 +35,8 @@ Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Summary:        Minimal Ghostscript for minimal build requirements
 License:        AGPL-3.0-only
-Group:          System/Libraries
+Group:          Productivity/Office/Other
-Url:            http://www.ghostscript.com/
+URL:            https://www.ghostscript.com/
 # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
 # Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
 # would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
@@ -45,6 +45,7 @@ Url:            http://www.ghostscript.com/
 # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
+# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
 #Version:        9.25pre26rc1
 Version:        9.27
 Release:        0
@@ -77,6 +78,14 @@ Release:        0
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
+Patch0:         openjpeg4gs-CVE-2018-6616-8ee33522.patch
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+Patch1:         CVE-2019-10216.patch
+# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+Patch2:         gs-CVE-2019-14811-885444fc.patch
+# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
+Patch3:         gs-CVE-2019-14817-cd1b1cac.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -143,6 +152,15 @@ This package contains the development files for Minimal Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
+# openjpeg4gs-CVE-2018-6616-8ee33522.patch
+%patch0
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+%patch1 -p0
+# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+%patch2 -p1
+# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
+%patch3 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
@@ -194,8 +212,8 @@ rm -rf lcms2art
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
+export CFLAGS="%{optflags} -fno-strict-aliasing"
-export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
+export CXXFLAGS="%{optflags} -fno-strict-aliasing"
 autoreconf -fi
 # --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
 # --disable-cups and --without-pdftoraster

ghostscript.changes

@@ -1,9 +1,36 @@
+-------------------------------------------------------------------
+Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
+  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
+  for CVE-2019-14817
+
+-------------------------------------------------------------------
+Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
+  for CVE-2019-12973
+
+-------------------------------------------------------------------
+Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update RPM groups.
+
 -------------------------------------------------------------------
 Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
 
 - Use update-alternatives to get the real ghostscript binary from
   /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
-  use this with ist wrapper script 
+  use this with its wrapper script 
+
+-------------------------------------------------------------------
+Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- CVE-2019-10216.patch fixes CVE-2019-10216
+  forceput/superexec in .buildfont1 is still accessible
+  https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
+  https://bugs.ghostscript.com/show_bug.cgi?id=701394
 
 -------------------------------------------------------------------
 Wed May  8 08:46:43 UTC 2019 - jsegitz@suse.com

ghostscript.spec

@@ -46,6 +46,8 @@ BuildRequires:  update-alternatives
 BuildRequires:  xorg-x11-devel
 BuildRequires:  xorg-x11-fonts
 BuildRequires:  zlib-devel
+# Always check if latest version of penjpeg becomes compatible with ghostscript
+#BuildRequires:  pkgconfig(libopenjp2)
 %if 0%{?suse_version} >= 1500
 BuildRequires:  apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
@@ -55,8 +57,8 @@ Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
-Group:          System/Libraries
+Group:          Productivity/Office/Other
-Url:            http://www.ghostscript.com/
+URL:            https://www.ghostscript.com/
 # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
 # Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
 # would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
@@ -65,6 +67,7 @@ Url:            http://www.ghostscript.com/
 # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
+# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
 #Version:        9.25pre26rc1
 Version:        9.27
 Release:        0
@@ -97,6 +100,14 @@ Release:        0
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
+Patch0:         openjpeg4gs-CVE-2018-6616-8ee33522.patch
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+Patch1:         CVE-2019-10216.patch
+# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+Patch2:         gs-CVE-2019-14811-885444fc.patch
+# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
+Patch3:         gs-CVE-2019-14817-cd1b1cac.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -125,9 +136,6 @@ Patch101:       ijs_exec_server_dont_use_sh.patch
 #   ghostscript_x11
 #   ghostscript-mini
 # Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012):
-#   blocxx-doc       BuildRequires ghostscript
-#   iproute2         BuildRequires ghostscript
-#   gle-graphics     Requires      ghostscript
 #   webdot           Requires      ghostscript
 #   ddd              BuildRequires ghostscript_any
 #   emacs-auctex     BuildRequires ghostscript_any
@@ -279,6 +287,15 @@ This package contains the development files for Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
+# openjpeg4gs-CVE-2018-6616-8ee33522.patch
+%patch0
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+%patch1 -p0
+# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
+%patch2 -p1
+# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
+%patch3 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
@@ -330,8 +347,8 @@ rm -rf lcms2art
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
+export CFLAGS="%{optflags} -fno-strict-aliasing"
-export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
+export CXXFLAGS="%{optflags} -fno-strict-aliasing"
 autoreconf -fi
 # --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
 # --enable-cups but no longer --with-pdftoraster --enable-dbus --with-install-cups because

gs-CVE-2019-14811-885444fc.patch

@@ -0,0 +1,59 @@
+Based on 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: [PATCH] make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+
+---
+ Resource/Init/gs_lev2.ps  |    6 +++---
+ Resource/Init/gs_pdfwr.ps |    4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+     {
+       pop pop
+     } ifelse
+-  } forall
++  } executeonly forall
+         % A context switch might have occurred during the above loop,
+         % causing the interpreter-level parameters to be reset.
+         % Set them again to the new values.  From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+        { pop pop
+        }
+       ifelse
+-    }
++    } executeonly
+    forall pop
+-} .bind odef
++} .bind executeonly odef
+ 
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
+           systemdict /.pdf_hooked_DSC_Creator //true .forceput
+         } executeonly if
+         pop
+-      } if
++      } executeonly if
+     } {
+       pop
+     } ifelse
+-  }
++  } executeonly
+   {
+     pop
+   } ifelse

gs-CVE-2019-14817-cd1b1cac.patch

@@ -0,0 +1,200 @@
+Based on cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Aug 2019 10:10:51 +0100
+Subject: [PATCH] PDF interpreter - review .forceput security
+
+Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
+
+By abusing the error handler it was possible to get the PDFDEBUG portion
+of .pdfexectoken, which uses .forceput left readable.
+
+Add an executeonly appropriately to make sure that clause isn't readable
+no mstter what.
+
+Review all the uses of .forceput searching for similar cases, add
+executeonly as required to secure those. All cases in the PostScript
+support files seem to be covered already.
+
+---
+ Resource/Init/pdf_base.ps |    2 +-
+ Resource/Init/pdf_draw.ps |   14 +++++++-------
+ Resource/Init/pdf_font.ps |   21 +++++++++++----------
+ Resource/Init/pdf_main.ps |    6 +++---
+ Resource/Init/pdf_ops.ps  |   11 ++++++-----
+ 5 files changed, 28 insertions(+), 26 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
+     {
+       dup ==only () = flush
+     } ifelse % PDFSTEP
+-  } if % PDFDEBUG
++  } executeonly if % PDFDEBUG
+   2 copy .knownget {
+     exch pop exch pop exch pop exec
+   } {
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -501,8 +501,8 @@ end
+       (        Output may be incorrect.\n) pdfformaterror
+       //pdfdict /.gs_warning_issued //true .forceput
+       PDFSTOPONERROR { /gs /undefined signalerror } if
+-    } if
+-  }
++    } executeonly if
++  } executeonly
+   ifelse
+ } bind executeonly def
+ 
+@@ -1142,7 +1142,7 @@ currentdict end readonly def
+           .setglobal
+           pdfformaterror
+         } executeonly ifelse
+-      }
++      } executeonly
+       {
+         currentglobal //pdfdict gcheck .setglobal
+         //pdfdict /.Qqwarning_issued //true .forceput
+@@ -1150,8 +1150,8 @@ currentdict end readonly def
+         pdfformaterror
+       } executeonly ifelse
+       end
+-    } ifelse
+-  } loop
++    } executeonly ifelse
++  } executeonly loop
+   {
+     (\n   **** Error: File has unbalanced q/Q operators \(too many q's\)\n               Output may be incorrect.\n)
+     //pdfdict /.Qqwarning_issued .knownget
+@@ -1165,14 +1165,14 @@ currentdict end readonly def
+         .setglobal
+         pdfformaterror
+       } executeonly ifelse
+-    }
++    } executeonly
+     {
+       currentglobal //pdfdict gcheck .setglobal
+       //pdfdict /.Qqwarning_issued //true .forceput
+       .setglobal
+       pdfformaterror
+     } executeonly ifelse
+-  } if
++  } executeonly if
+   pop
+ 
+   % restore pdfemptycount
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -701,9 +701,9 @@ currentdict end readonly def
+         } if
+         PDFDEBUG {
+           (.processToUnicode end) =
+-        } if
+-      } if
+-    } stopped
++        } executeonly if
++      } executeonly if
++    } executeonly stopped
+     {
+       .dstackdepth 1 countdictstack 1 sub
+       {pop end} for
+@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
+                 //pdfdict /.Qqwarning_issued //true .forceput
+               } executeonly if
+               Q
+-            } repeat
++            } executeonly repeat
+             Q
+-          } PDFfile fileposition 2 .execn % Keep pdfcount valid.
++          } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
+           PDFfile exch setfileposition
+-        } ifelse
+-      } {
++        } executeonly ifelse
++      } executeonly
++      {
+         % PDF Type 3 fonts don't use .notdef
+         % d1 implementation adjusts the width as needed
+         0 0 0 0 0 0
+         pdfopdict /d1 get exec
+       } ifelse
+       end end
+-    } bdef
++    } executeonly bdef
+     dup currentdict Encoding .processToUnicode
+     currentdict end .completefont exch pop
+ } bind executeonly odef
+@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
+           (Will continue, but content may be missing.) = flush
+         } ifelse
+       } if
+-    } if
++    } executeonly if
+     /findresource cvx /undefined signalerror
+-  } loop
++  } executeonly loop
+ } bind executeonly odef
+ 
+ /buildCIDType0 {	% <CIDFontType0-font-resource> buildCIDType0 <font>
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
+           .setglobal
+           pdfformaterror
+         } executeonly ifelse
+-      }
++      } executeonly
+       {
+         currentglobal //pdfdict gcheck .setglobal
+         //pdfdict /.Qqwarning_issued //true .forceput
+         .setglobal
+         pdfformaterror
+       } executeonly ifelse
+-    } if
+-  } if
++    } executeonly if
++  } executeonly if
+   pop
+   count PDFexecstackcount sub { pop } repeat
+   (after exec) VMDEBUG
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
+         .setglobal
+         pdfformaterror
+       } executeonly ifelse
+-    }
++    } executeonly
+     {
+       currentglobal //pdfdict gcheck .setglobal
+       //pdfdict /.Qqwarning_issued //true .forceput
+       .setglobal
+       pdfformaterror
+     } executeonly ifelse
+-  } if
++  } executeonly if
+ } bind executeonly odef
+ 
+ % Save PDF gstate
+@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
+   dup type /booleantype eq {
+     .currentSMask type /dicttype eq {
+       .currentSMask /Processed 2 index .forceput
++    } executeonly
++    {
++      .setSMask
++    }ifelse
+   } executeonly
+   {
+-      .setSMask
+-  }ifelse
+-  }{
+   .setSMask
+   }ifelse
+ 

openjpeg4gs-CVE-2018-6616-8ee33522.patch

@@ -0,0 +1,67 @@
+From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Fri, 14 Dec 2018 04:58:40 +0100
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+Fixes #1059 (CVE-2018-6616).
+---
+ openjpeg/src/bin/jp2/convertbmp.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- openjpeg/src/bin/jp2/convertbmp.c
++++ openjpeg/src/bin/jp2/convertbmp.c	2019-09-12 08:22:52.272682353 +0000
+@@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+                                    OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+-    OPJ_UINT32 x, y;
++    OPJ_UINT32 x, y, written;
+     OPJ_UINT8 *pix;
+     const OPJ_UINT8 *beyond;
+ 
+     beyond = pData + stride * height;
+     pix = pData;
+ 
+-    x = y = 0U;
++    x = y = written = 0U;
+     while (y < height) {
+         int c = getc(IN);
+         if (c == EOF) {
+@@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+             for (j = 0; (j < c) && (x < width) &&
+                     ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+                 *pix = c1;
++                written++;
+             }
+         } else {
+             c = getc(IN);
+@@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+                     }
+                     c1 = (OPJ_UINT8)c1_int;
+                     *pix = c1;
++                    written++;
+                 }
+                 if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+                     c = getc(IN);
+@@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+             }
+         }
+     }/* while() */
++
++    if (written != width * height) {
++        fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++        return OPJ_FALSE;
++    }
++
+     return OPJ_TRUE;
+ }
+