Accepting request 1142081 from Printing

- update to 10.02.1:
  * Patch release to address some security bugs
  * This release (10.02.0) marks the final demise of the
    PostScript based PDF interpreter.
  * This 10.01.1 release removes the "-dNEWPDF=false" command
    line option to fall back to the deprecated, old PDF
    interpreter.
  * This 10.01.0 release removes the "-dNEWPDF=false" command
    line option to fall back to the deprecated, old PDF
    interpreter.
  * This release officially deprecates the old Postscript
    implementation of PDF, we will not be updating or maintaining
    that code moving forward. The option to use the old PDF
    implementation _**will**_ be removed in the next full release
    (10.01.0)
  * Important: This release includes the new PDF interpreter
    (implemented in C rather than PostScript). It is both
    integrated into Ghostscript (now ENABLED by default), and
    available as a standalone, PDF only, binary. See
    https://ghostscript.com/pdfi.html for more details.
  * This also bundles the latest zlib (1.2.12) which addresses a
    security issue (CVE-2018-25032)
  * **Important**: This release includes the new PDF interpreter
    (implemented in C rather than PostScript). It is both
    integrated into Ghostscript (now **ENABLED** by default), and
    available as a standalone, PDF only, binary. See
    https://ghostscript.com/pdfi.html for more details.
- drop CVE-2023-28879.patch, CVE-2023-36664.patch,
       CVE-2023-38559.patch, CVE-2023-43115.patch,
       CVE-2023-46751.patch: upstream

OBS-URL: https://build.opensuse.org/request/show/1142081
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=64
Ana Guerrero 2024-01-29 21:26:38 +00:00 committed by Git OBS Bridge
commit 69dd483ad7
10 changed files with 78 additions and 468 deletions


@ -1,17 +0,0 @@
--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;


@ -1,116 +0,0 @@
--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {


@ -1,11 +0,0 @@
--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {


@ -1,20 +0,0 @@
--- devices/gdevijs.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ devices/gdevijs.c 2023-09-20 08:18:09.178777690 +0200
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
if (!ijsdev->ColorSpace) {
ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
"gsijs_initialize");
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_para
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",


@ -1,20 +0,0 @@
--- base/gdevprn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevprn.c 2024-01-03 12:53:20.009504451 +0100
@@ -1268,6 +1268,7 @@ gdev_prn_open_printer_seekable(gx_device
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
--- devices/gdevtsep.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ devices/gdevtsep.c 2024-01-03 13:04:42.048210048 +0100
@@ -736,6 +736,7 @@ tiffsep_initialize_device_procs(gx_devic
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);

BIN
ghostscript-10.02.1.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
ghostscript-9.56.1.tar.xz (Stored with Git LFS)

Binary file not shown.


@ -1,3 +1,38 @@
-------------------------------------------------------------------
Sun Jan 28 10:39:57 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 10.02.1:
* Patch release to address some security bugs
* This release (10.02.0) marks the final demise of the
PostScript based PDF interpreter.
* This 10.01.1 release removes the "-dNEWPDF=false" command
line option to fall back to the deprecated, old PDF
interpreter.
* This 10.01.0 release removes the "-dNEWPDF=false" command
line option to fall back to the deprecated, old PDF
interpreter.
* This release officially deprecates the old Postscript
implementation of PDF, we will not be updating or maintaining
that code moving forward. The option to use the old PDF
implementation _**will**_ be removed in the next full release
(10.01.0)
* Important: This release includes the new PDF interpreter
(implemented in C rather than PostScript). It is both
integrated into Ghostscript (now ENABLED by default), and
available as a standalone, PDF only, binary. See
https://ghostscript.com/pdfi.html for more details.
* This also bundles the latest zlib (1.2.12) which addresses a
security issue (CVE-2018-25032)
* **Important**: This release includes the new PDF interpreter
(implemented in C rather than PostScript). It is both
integrated into Ghostscript (now **ENABLED** by default), and
available as a standalone, PDF only, binary. See
https://ghostscript.com/pdfi.html for more details.
- drop CVE-2023-28879.patch, CVE-2023-36664.patch,
CVE-2023-38559.patch, CVE-2023-43115.patch,
CVE-2023-46751.patch: upstream
- drop remove-zlib-h-dependency.patch: unused
-------------------------------------------------------------------
Wed Jan 3 12:15:46 UTC 2024 - Johannes Meixner <jsmeix@suse.com>


@ -1,5 +1,5 @@
#
# spec file
# spec file for package ghostscript
#
# Copyright (c) 2024 SUSE LLC
#
@ -22,75 +22,23 @@
%else
%global psuffix %{nil}
%endif
# built_version is used below in the install and files sections:
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
%define built_version %{version}
Name: ghostscript%{psuffix}
Version: 9.56.1
Version: 10.02.1
Release: 0
Summary: The Ghostscript interpreter for PostScript and PDF
License: AGPL-3.0-only
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# sha512:fe5a5103c081dd87cf8b3e0bbbd0df004c0e4e04e41bded7c70372916e6e26249a0e8fa434b561292964c5f3820ee6c60ef1557827a6efb5676012ccb73ded85
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9561/ghostscript-%{version}.tar.xz
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-%{version}.tar.xz
Source10: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
# Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
Patch102: CVE-2023-28879.patch
# Patch103 CVE-2023-36664.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
Patch103: CVE-2023-36664.patch
# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
Patch104: CVE-2023-38559.patch
# Patch105 CVE-2023-43115.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
Patch105: CVE-2023-43115.patch
# Patch106 CVE-2023-46751.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# adapted for Ghostscript-9.56.1 that fixes
# https://bugs.ghostscript.com/show_bug.cgi?id=707264
# which includes a fix for CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugzilla.suse.com/show_bug.cgi?id=1217871
Patch106: CVE-2023-46751.patch
# Build Requirements:
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
@ -102,43 +50,7 @@ BuildRequires: pkgconfig
BuildRequires: update-alternatives
BuildRequires: zlib-devel
Requires(post): update-alternatives
Requires(preun):update-alternatives
# RPM dependencies:
# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
# "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
# ghostscript
# gs
# gs_lib
# pstoraster
# ghostscript_any
# ghostscript-serv
# gs_x11
# ghostscript_x11
# ghostscript-mini
# Which of those are actually used in openSUSE:Factory (dated 22 Feb. 2012):
# ghostscript
# gs
# gs_lib
# ghostscript_any
# ghostscript_x11
# ghostscript-mini
# Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012):
# webdot Requires ghostscript
# ddd BuildRequires ghostscript_any
# emacs-auctex BuildRequires ghostscript_any
# kernel-docs BuildRequires ghostscript_any
# texlive-bin BuildRequires ghostscript_any
# cups Requires ghostscript_any
# html2ps Requires ghostscript_any
# latex2html Requires ghostscript_any
# pstoedit Requires ghostscript_any
# ghostview Requires ghostscript_x11
# gv Requires ghostscript_x11
# texlive-bin Requires ghostscript_x11
# klatexformula BuildRequires gs and Requires gs
# capi4hylafax Requires gs_lib
# hylafax Requires gs_lib
# graphviz-plugins BuildRequires ghostscript-mini
Requires(preun): update-alternatives
# Provide the additional RPM Provides of the ghostscript-library package
# (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
# The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@ -183,13 +95,11 @@ Conflicts: ghostscript-x11
%else
Recommends: ghostscript-x11 = %{version}-%{release}
Conflicts: ghostscript-x11 < %{version}-%{release}
Provides: gs = %{version}
Provides: gs_lib = %{version}
# There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4.
# Satisfy it to be backward compatible with installed gutenprint packages:
Provides: pstoraster
Provides: %{version}
Provides: ghostscript-library = %{version}
Provides: gs = %{version}
Provides: gs_lib = %{version}
Provides: pstoraster
Obsoletes: ghostscript-library < %{version}
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because
# this package ghostscript should replace any version of ghostscript-mini.
@ -202,74 +112,40 @@ Recommends: (cups-filters-ghostscript if cups)
%description
Ghostscript is a package of software that provides:
An interpreter for the PostScript language,
with the ability to convert PostScript language files
to many raster formats, view them on displays,
and print them on printers that don't have
PostScript language capability built in.
An interpreter for the PostScript language, with the ability to convert
PostScript language files to many raster formats, view them on displays, and
print them on printers that don't have PostScript language capability built in.
An interpreter for Portable Document Format (PDF) files,
with the same abilities.
An interpreter for Portable Document Format (PDF) files, with the same
abilities.
The ability to convert PostScript language files
to PDF (with some limitations) and vice versa.
The ability to convert PostScript language files to PDF (with some limitations)
and vice versa.
A set of C procedures (the Ghostscript library)
that implement the graphics and filtering
(data compression / decompression / conversion)
capabilities that appear as primitive operations
in the PostScript language and in PDF.
A set of C procedures (the Ghostscript library) that implement the graphics and
filtering (data compression / decompression / conversion) capabilities that
appear as primitive operations in the PostScript language and in PDF.
For information how to use Ghostscript see
%{_datadir}/ghostscript/%{version}/doc/Use.htm
%package x11
Summary: X11 library for Ghostscript
# Require the exact matching version-release of the ghostscript main-package because
# a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
# because all Ghostscript software is built from one same Ghostscript source tar ball
# so that there could be any kind of Ghostscript-internal dependencies.
# The exact matching version-release of the ghostscript main-package is available
# on the same package repository where the ghostscript-x11 sub-package is because
# all are built simulaneously from the same Ghostscript source package:
Group: Productivity/Publishing/PS
Requires: ghostscript = %{version}-%{release}
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
# an unversioned "Provides: ghostscript" and for RPM this means that both
# ghostscript-library and ghostscript-mini provide any version of "ghostscript"
# so that any version of ghostscript-library and ghostscript-mini fulfills
# the above versioned requirement which is wrong and therefore an explicit conflicts
# is used here to avoid the mess.
# Above the ghostscript main package "Provides: ghostscript-library = version" so that
# versioned conflicts are needed to avoid a conflict with the ghostscript main package.
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two conflicts are used:
Conflicts: ghostscript-library < %{version}
Conflicts: ghostscript-library > %{version}
Conflicts: ghostscript-mini
Provides: ghostscript_x11 = %{version}
%description x11
This package contains the X11 library which is needed
to view PostScript and PDF files with Ghostscript
under the X Window System.
This package contains the X11 library which is needed to view PostScript and
PDF files with Ghostscript under the X Window System.
%package devel
Summary: Development files for Ghostscript
Group: Development/Libraries/C and C++
Requires: ghostscript = %{version}
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
# an unversioned "Provides: ghostscript" and for RPM this means that both
# ghostscript-library and ghostscript-mini provide any version of "ghostscript"
# so that any version of ghostscript-library and ghostscript-mini fulfills
# the above versioned requirement which is wrong and therefore an explicit conflicts
# is used here to avoid the mess.
# Above the ghostscript main package "Provides: ghostscript-library = version" so that
# versioned conflicts are needed to avoid a conflict with the ghostscript main package.
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two conflicts are used:
Conflicts: ghostscript-library < %{version}
Conflicts: ghostscript-library > %{version}
Conflicts: ghostscript-mini
@ -281,102 +157,16 @@ This package contains the development files for Ghostscript.
%prep
%setup -q -n ghostscript-%{version}
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
%patch102
# Patch103 CVE-2023-36664.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
%patch103
# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
%patch104
# Patch105 CVE-2023-43115.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
%patch105
# Patch106 CVE-2023-46751.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# adapted for Ghostscript-9.56.1 that fixes
# https://bugs.ghostscript.com/show_bug.cgi?id=707264
# which includes a fix for CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugzilla.suse.com/show_bug.cgi?id=1217871
%patch106
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig
# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball
# because we prefer to use for long-established standard libraries the ones from SUSE
# in particular to automatically get SUSE security updates for standard libraries.
# In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one
# is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE:
#rm -rf freetype jpeg libpng tiff zlib
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
%if 0%{?suse_version} == 1315
# Again use the freetype sources from Ghostscript upstream because
# Ghostscript 9.27 does no longer build this way for SLE12:
rm -rf jpeg libpng tiff
%else
rm -rf freetype jpeg libpng tiff
%endif
rm -rf freetype jpeg libpng lcms2art zlib tiff
%if 0%{?suse_version} >= 1550
rm -rf openjpeg
%endif
rm -rf zlib
# In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
# because that is what Ghostscript upstream recommends according to
# https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
# because singe Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript
# but now it is lcms2art (the beginning of a lcms2 fork - see News.htm).
# On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5
# which is too old so that configure fails there with
# checking for local lcms2 library source... no
# checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no
# configure: error: lcms2 not found, or too old
# (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old)
# but there is no configure option to build it without lcms2
# so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript
# i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1
# cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
%if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100
echo "Building it with lcms2art in Ghostscript"
%else
rm -rf lcms2art
%endif
%build
# Derive build timestamp from latest changelog entry
@ -412,23 +202,13 @@ autoreconf -fi
%define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
# See http://bugs.ghostscript.com/show_bug.cgi?id=693100
export SUSE_ASNEEDED=0
# The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here)
# ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking
# --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
# --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
# --mandir=/usr/share/man --infodir=/usr/share/info
# --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
# --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits
# --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x
# --disable-gtk --without-ufst --without-libpaper --without-tesseract
# configure: WARNING: unrecognized options: --disable-dependency-tracking
# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro.
%configure \
--with-fontpath=%{gs_font_path} \
--with-libiconv=maybe \
--enable-freetype \
--with-jbig2dec \
--enable-openjpeg \
--disable-hidden-visibility \
--enable-dynamic \
--disable-compile-inits \
%if "%{flavor}" == "mini"
@ -439,12 +219,15 @@ export SUSE_ASNEEDED=0
--with-drivers=FILES \
--without-x \
%else
--without-local-zlib \
--with-ijs \
--enable-cups \
--enable-dbus \
--without-pdftoraster \
--with-drivers=ALL \
--with-x \
%endif
--without-local-zlib \
--with-system-libtiff \
--disable-gtk \
--without-ufst \
--without-libpaper \
@ -478,7 +261,7 @@ rm %{buildroot}%{_bindir}/ijs_client_example
rm %{buildroot}%{_bindir}/ijs_server_example
rm %{buildroot}%{_libdir}/libijs.la
# Install examples:
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
for E in examples/*
do install -m 644 $E $EXAMPLESDIR || :
@ -490,7 +273,7 @@ done
# Install documentation which is not installed by default
# see http://bugs.ghostscript.com/show_bug.cgi?id=693002
# and fail intentionally as notification if something changed:
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version}
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{version}
for D in LICENSE
do test -e $DOCDIR/$( basename $D ) && exit 99
install -m 644 $D $DOCDIR
@ -502,7 +285,7 @@ done
# because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above):
install -d -m 755 %{buildroot}%{_defaultdocdir}
pushd %{buildroot}%{_defaultdocdir}
ln -s ../ghostscript/%{built_version} ghostscript
ln -s ../ghostscript/%{version} ghostscript
popd
# Extract the catalog of devices which are actually built-in in exactly this Ghostscript:
# If a needed source file is no longer accessible fail intentionally as notification
@ -551,6 +334,7 @@ if test $1 -eq 0 ; then
fi
%files
%license LICENSE
%ghost %config %{_sysconfdir}/alternatives/gs
%{_bindir}/dvipdf
%{_bindir}/eps2eps
@ -601,39 +385,27 @@ fi
%{_mandir}/man1/ps2pdf14.1%{?ext_man}
%{_mandir}/man1/ps2pdfwr.1%{?ext_man}
%{_mandir}/man1/ps2ps.1%{?ext_man}
%{_mandir}/de/man1/dvipdf.1%{?ext_man}
%{_mandir}/de/man1/eps2eps.1%{?ext_man}
%{_mandir}/de/man1/gsnd.1%{?ext_man}
%{_mandir}/de/man1/pdf2dsc.1%{?ext_man}
%{_mandir}/de/man1/pdf2ps.1%{?ext_man}
%{_mandir}/de/man1/printafm.1%{?ext_man}
%{_mandir}/de/man1/ps2ascii.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf12.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf13.1%{?ext_man}
%{_mandir}/de/man1/ps2pdf14.1%{?ext_man}
%{_mandir}/de/man1/ps2ps.1%{?ext_man}
%doc %{_defaultdocdir}/ghostscript
%dir %{_datadir}/doc/ghostscript
%doc %{_datadir}/doc/ghostscript/%{built_version}
%doc %{_datadir}/doc/ghostscript/%{version}
%dir %{_datadir}/ghostscript
%dir %{_datadir}/ghostscript/%{built_version}
%{_datadir}/ghostscript/%{built_version}/Resource
%{_datadir}/ghostscript/%{built_version}/iccprofiles
%{_datadir}/ghostscript/%{built_version}/examples/
%{_datadir}/ghostscript/%{built_version}/lib/
%dir %{_datadir}/ghostscript/%{version}
%{_datadir}/ghostscript/%{version}/Resource
%{_datadir}/ghostscript/%{version}/iccprofiles
%{_datadir}/ghostscript/%{version}/examples/
%{_datadir}/ghostscript/%{version}/lib/
%{_libdir}/libgs.so.*
%{_libdir}/ghostscript/
%{_libdir}/libijs-0.35.so
%if "%{flavor}" != "mini"
%exclude %{_libdir}/ghostscript/%{built_version}/X11.so
%exclude %{_libdir}/ghostscript/%{version}/X11.so
%if 0%{?suse_version} < 1500
%dir %{_sysconfdir}/apparmor.d
%endif
%{_sysconfdir}/apparmor.d/ghostscript
%files x11
%{_libdir}/ghostscript/%{built_version}/X11.so
%{_libdir}/ghostscript/%{version}/X11.so
%endif
%files devel
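Review bot: The spec no longer records an expected digest for the upstream tarball: the `# sha512:` comment above `Source0:` belonged to ghostscript-9.56.1.tar.xz and, going by the `@ -22,75 +22,23 @` line counts, appears to be removed rather than refreshed when `Source0` moves to the `gs10021` release asset. Because this update also drops the five CVE-2023-* patches as "upstream", the 10.02.1 tarball is now the only carrier of those fixes, so pinning exactly what was downloaded is worth keeping. I would restore the comment directly above the new `Source0:` line as `# sha512:<digest of ghostscript-10.02.1.tar.xz as published by upstream>`. The value should be taken from the checksums upstream publishes with the release, not computed from the copy already stored in Git LFS, so that the comment is an independent check.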


@ -1,13 +0,0 @@
Index: ghostscript-9.18/base/lib.mak
===================================================================
--- ghostscript-9.18.orig/base/lib.mak
+++ ghostscript-9.18/base/lib.mak
@@ -582,7 +582,7 @@ srlx_h=$(GLSRC)srlx.h
sstring_h=$(GLSRC)sstring.h
strimpl_h=$(GLSRC)strimpl.h $(scommon_h) $(gstypes_h) $(gsstruct_h)
szlibx_h=$(GLSRC)szlibx.h
-zlib_h=$(ZSRCDIR)$(D)zlib.h
+zlib_h= #$(ZSRCDIR)$(D)zlib.h
# We have two of the following, for shared zlib (_1)
# and 'local' zlib (_0)
szlibxx_h_1=$(GLSRC)szlibxx.h $(szlibx_h)