Accepting request 635499 from home:jsmeix:branches:Printing

ghostscript version upgrade to 9.24 which provides in particular security bufgixes, see https://www.ghostscript.com/doc/9.24/News.htm

OBS-URL: https://build.opensuse.org/request/show/635499
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=93

CVE-2018-10194.patch

@@ -1,18 +0,0 @@
---- devices/vector/gdevpdts.c.orig	2018-03-21 09:48:06.000000000 +0100
-+++ devices/vector/gdevpdts.c	2018-06-05 14:39:39.000000000 +0200
-@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts,
- static int
- set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
- {
--    int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
-+    int code;
-     double rounded;
- 
-+    if (dx > 1e38 || dy > 1e38)
-+        code = gs_error_undefinedresult;
-+    else
-+        code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
-+
-     if (code == gs_error_undefinedresult) {
-         /* The CTM is degenerate.
-            Can't know the distance in user space.

fix_ln_docdir_gsdatadir.patch

@@ -1,11 +0,0 @@
---- base/unixinst.mak.orig	2018-03-07 16:01:52.000000000 +0100
-+++ base/unixinst.mak	2018-03-12 14:06:43.000000000 +0100
-@@ -163,7 +163,7 @@ install-doc: $(PSDOCDIR)/News.htm
- 	$(SH) -c 'for f in $(DOC_PAGES) ;\
- 	do if ( test -f $(PSDOCDIR)/$$f ); then $(INSTALL_DATA) $(PSDOCDIR)/$$f $(DESTDIR)$(docdir); fi;\
- 	done'
--	ln -s $(DESTDIR)$(docdir) $(DESTDIR)$(gsdatadir)/doc
-+	# ln -s $(DESTDIR)$(docdir) $(DESTDIR)$(gsdatadir)/doc
- 
- # install the man pages for each locale
- MAN_LCDIRS=. de

ghostscript-9.23.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f65964807a3c97a2c0810d4b9806585367e73129e57ae33378cea18e07a1ed9b
-size 43208330

ghostscript-9.24.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e613b2376f01882e82e0cf08f6caa3c5719793c4e31dd7d4a8e87d61d371005f
+size 42010597

ghostscript-mini.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Thu Sep 13 10:25:21 CEST 2018 - jsmeix@suse.de
+
+- Version upgrade to 9.24
+  Highlights in this release include:
+  * Security issues have been the primary focus of this release,
+    including solving several (well publicised)
+    real and potential exploits.
+    PLEASE NOTE:
+    We (i.e. Ghostscript upstream) strongly urge users to upgrade
+    to this latest release to avoid these issues.
+  * As well as Ghostscript itself, jbig2dec has had a significant
+    amount of work improving its robustness in the face of
+    out specification files.
+  * IMPORTANT: We (i.e. Ghostscript upstream) are in the process
+    of forking LittleCMS. LCMS2 is not thread safe, and cannot
+    be made thread safe without breaking the ABI. Our fork
+    will be thread safe, and include performance enhancements
+    (these changes have all be been offered and rejected upstream).
+    We will maintain compatibility between Ghostscript and LCMS2
+    for a time, but not in perpetuity. Our fork will be available
+    as its own package separately from Ghostscript (and MuPDF).
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  For a release summary see:
+  http://www.ghostscript.com/doc/9.24/News.htm
+  For details see the News.htm and History9.htm files.
+- fix_ln_docdir_gsdatadir.patch is no longer needed
+  because the issue is fixed in the upstream sources.
+- CVE-2018-10194.patch is no longer needed
+  because the issue is fixed in the upstream sources.
+
 -------------------------------------------------------------------
 Tue Jun  5 14:47:59 CEST 2018 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -39,7 +39,7 @@ Url:            http://www.ghostscript.com/
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.22pre23rc1
 # Normal version for Ghostscript releases is the upstream version:
-Version:        9.23
+Version:        9.24
 Release:        0
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
@@ -60,30 +60,19 @@ Release:        0
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.23.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs923/ghostscript-9.23.tar.gz
+# wget -O ghostscript-9.24.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/ghostscript-9.24.tar.gz
 # URL for MD5 checksums:
-# wget -O gs923.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs923/MD5SUMS
+# wget -O gs924.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/MD5SUMS
-# MD5 checksum for Source0: 5a47ab47cd22dec1eb5f51c06f1c9d9c
+# MD5 checksum for Source0: c5c3fa8eb737a6540814314a9d9e4995
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
-# Avoid
-#   ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc
-#   ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory
-#   base/unixinst.mak:162: recipe for target 'install-doc' failed
-#   make[1]: *** [install-doc] Error 1
-Patch12:        fix_ln_docdir_gsdatadir.patch
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
 # Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
 Patch100:       remove-zlib-h-dependency.patch
-# Patch101 fixes stack-based buffer overflow in gdevpdts.c
-# see https://bugzilla.suse.com/show_bug.cgi?id=1090099
-# and https://bugs.ghostscript.com/show_bug.cgi?id=699255
-# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
-Patch101:       CVE-2018-10194.patch
 # RPM dependencies:
 Conflicts:      ghostscript
 Conflicts:      ghostscript-x11
@@ -142,23 +131,12 @@ This package contains the development files for Minimal Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-# Avoid
-#   ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc
-#   ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory
-#   base/unixinst.mak:162: recipe for target 'install-doc' failed
-#   make[1]: *** [install-doc] Error 1
-%patch12
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
-# Patch101 fixes stack-based buffer overflow in gdevpdts.c
-# see https://bugzilla.suse.com/show_bug.cgi?id=1090099
-# and https://bugs.ghostscript.com/show_bug.cgi?id=699255
-# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
-%patch101 -b CVE-2018-10194.orig
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig

ghostscript.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Thu Sep 13 10:25:21 CEST 2018 - jsmeix@suse.de
+
+- Version upgrade to 9.24
+  Highlights in this release include:
+  * Security issues have been the primary focus of this release,
+    including solving several (well publicised)
+    real and potential exploits.
+    PLEASE NOTE:
+    We (i.e. Ghostscript upstream) strongly urge users to upgrade
+    to this latest release to avoid these issues.
+  * As well as Ghostscript itself, jbig2dec has had a significant
+    amount of work improving its robustness in the face of
+    out specification files.
+  * IMPORTANT: We (i.e. Ghostscript upstream) are in the process
+    of forking LittleCMS. LCMS2 is not thread safe, and cannot
+    be made thread safe without breaking the ABI. Our fork
+    will be thread safe, and include performance enhancements
+    (these changes have all be been offered and rejected upstream).
+    We will maintain compatibility between Ghostscript and LCMS2
+    for a time, but not in perpetuity. Our fork will be available
+    as its own package separately from Ghostscript (and MuPDF).
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  For a release summary see:
+  http://www.ghostscript.com/doc/9.24/News.htm
+  For details see the News.htm and History9.htm files.
+- fix_ln_docdir_gsdatadir.patch is no longer needed
+  because the issue is fixed in the upstream sources.
+- CVE-2018-10194.patch is no longer needed
+  because the issue is fixed in the upstream sources.
+
 -------------------------------------------------------------------
 Tue Jun  5 14:47:59 CEST 2018 - jsmeix@suse.de
 

ghostscript.spec

@@ -59,7 +59,7 @@ Url:            http://www.ghostscript.com/
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.22pre23rc1
 # Normal version for Ghostscript releases is the upstream version:
-Version:        9.23
+Version:        9.24
 Release:        0
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
@@ -80,30 +80,19 @@ Release:        0
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.23.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs923/ghostscript-9.23.tar.gz
+# wget -O ghostscript-9.24.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/ghostscript-9.24.tar.gz
 # URL for MD5 checksums:
-# wget -O gs923.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs923/MD5SUMS
+# wget -O gs924.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/MD5SUMS
-# MD5 checksum for Source0: 5a47ab47cd22dec1eb5f51c06f1c9d9c
+# MD5 checksum for Source0: c5c3fa8eb737a6540814314a9d9e4995
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
-# Avoid
-#   ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc
-#   ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory
-#   base/unixinst.mak:162: recipe for target 'install-doc' failed
-#   make[1]: *** [install-doc] Error 1
-Patch12:        fix_ln_docdir_gsdatadir.patch
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
 # Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
 Patch100:       remove-zlib-h-dependency.patch
-# Patch101 fixes stack-based buffer overflow in gdevpdts.c
-# see https://bugzilla.suse.com/show_bug.cgi?id=1090099
-# and https://bugs.ghostscript.com/show_bug.cgi?id=699255
-# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
-Patch101:       CVE-2018-10194.patch
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@@ -278,23 +267,12 @@ This package contains the development files for Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-# Avoid
-#   ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc
-#   ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory
-#   base/unixinst.mak:162: recipe for target 'install-doc' failed
-#   make[1]: *** [install-doc] Error 1
-%patch12
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
-# Patch101 fixes stack-based buffer overflow in gdevpdts.c
-# see https://bugzilla.suse.com/show_bug.cgi?id=1090099
-# and https://bugs.ghostscript.com/show_bug.cgi?id=699255
-# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
-%patch101 -b CVE-2018-10194.orig
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig