pool/ghostscript
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 800666 from Printing

Browse Source 
Ghostscript version upgrade to 9.52 which is primarily a general security upgrade that fixes in particular CVE-2020-12268 (bsc#1170603)

OBS-URL: https://build.opensuse.org/request/show/800666
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=45
This commit is contained in:
Dominique Leuenberger 2020-05-08 21:02:56 +00:00 committed by Git OBS Bridge
commit 7cdda786d1
10 changed files with 283 additions and 418 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
CVE-2019-10216.patch
View File

@ -1,44 +0,0 @@
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Aug 2019 15:18:26 +0100
Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
---
Resource/Init/gs_type1.ps | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- Resource/Init/gs_type1.ps
+++ Resource/Init/gs_type1.ps 2019-09-16 13:09:12.277074046 +0000
@@ -118,25 +118,25 @@
( to be the same as glyph: ) print 1 index //== exec } if
3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
- }
+ }executeonly
{pop} ifelse
- } forall
+ } executeonly forall
pop pop
- }
+ } executeonly
{
pop pop pop
} ifelse
- }
+ } executeonly
{
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
pop pop
} ifelse
- } forall
+ } executeonly forall
3 1 roll pop pop
- } if
+ } executeonly if
pop
dup /.AGLprocessed~GS //true .forceput
- } if
+ } executeonly if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
%% are errors we can put the stack back sanely and exit. Otherwise callers won't

3
ghostscript-9.27.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9760e8bdd07a08dbd445188a6557cb70e60ccb6a5601f7dbfba0d225e28ce285
size 42277543

3
ghostscript-9.52.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c2501d8e8e0814c4a5aa7e443e230e73d7af7f70287546f7b697e5ef49e32176
size 49722607

141
ghostscript-mini.changes
View File

@ -1,3 +1,134 @@
-------------------------------------------------------------------
Wed Apr 29 12:09:39 CEST 2020 - jsmeix@suse.de
- The version upgrade to 9.52 fixes in particular
CVE-2020-12268: jbic2dec: heap-based buffer overflow
in jbig2_image_compose (bsc#1170603)
- Version upgrade to 9.52
Highlights in this release include:
* The 9.52 release replaces the 9.51 release after a problem
was reported with 9.51 which warranted the quick turnaround.
Thus, like 9.51, 9.52 is primarily a maintenance release,
consolidating the changes we introduced in 9.50.
* IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt
(the "mt" indicating "multi-thread").
LCMS2 is not thread-safe, and cannot be made thread-safe
without breaking the ABI. Our fork will be thread-safe and
include performance enhancements (these changes have all
been offered and rejected upstream). We will maintain
compatibility between Ghostscript and LCMS2 for a time,
but not in perpetuity. If there is sufficient interest,
our fork will be available as its own package separately
from Ghostscript (and MuPDF).
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
Incompatible changes:
* New option -dALLOWPSTRANSPARENCY: The transparency compositor
(and related features), whilst we are improving it, remains
sensitive to being driven correctly, and incorrect use
can have unexpected/undefined results. Hence, as part of
improving security, we limited access to these operators,
originally using the -dSAFER feature. As we made "SAFER"
the default mode, that became unacceptable, hence the
new option -dALLOWPSTRANSPARENCY which enables access
to the operators, cf.
https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY
For a release summary see:
https://www.ghostscript.com/doc/9.52/News.htm
For details see the News.htm and History9.htm files.
- Version upgrade to 9.51
Highlights in this release include:
* 9.51 is primarily a maintainance release, consolidating
the changes we introduced in 9.50.
* We have continued our work on code hygiene for this release,
with a focus on the static analysis tool Coverity
(from Synopsys, Inc) and we are now maintaining a policy of
zero Coverity issues in the Ghostscript/GhostPDL source base.
* IMPORTANT: In consultation with a representative of
OpenPrinting (http://www.openprinting.org/) it is our
intention to deprecate and, in the not distant future,
remove the OpenPrinting Vector/Raster Printer Drivers
(that is, the opvp and oprp devices).
If you rely on either of these devices, please get in touch
with us (i.e. Ghostscript upstream), so we can discuss your
use case, and revise our plans accordingly.
* We (i.e. Ghostscript upstream) are in the process of forking
LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
For a release summary see:
https://www.ghostscript.com/doc/9.51/News.htm
For details see the News.htm and History9.htm files.
- Version upgrade to 9.50
Highlights in this release include:
* The change to version 9.50 follows recognition
of the extent and importance of the file access control
redesign/reimplementation outlined below.
* The file access control capability (enable with -dSAFER)
has been completely rewritten, with a ground-up rethink
of the design. For more details, see: "SAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* It is important to note that -dSAFER now only enables the
file access controls, and no longer applies restrictions
to standard Postscript functionality (specifically,
restrictions on setpagedevice). If your application relies
on these Postscript restrictions, see "OLDSAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer
and please get in touch, as we do plan to remove those
Postscript restrictions unless we have reason not to.
IMPORTANT: File access controls are now enabled by default.
In order to run Ghostscript without these controls,
see "NOSAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer
* We (i.e. Ghostscript upstream) are in the process of forking
LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
Incompatible changes:
* There are a couple of subtle incompatibilities between the old
and new SAFER implementations. Firstly, as mentioned above,
SAFER now leaves standard Postcript functionality unchanged
(except for the file access limitations). Secondly, the
interaction with save/restore operations, see "SAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* The following is not strictly speaking new to 9.50,
as not much has changed since 9.27 in this area,
but for those who don't upgrade with every release:
The process of "tidying" the Postscript name space should have
removed only non-standard and undocumented operators.
Nevertheless, it is possible that any integrations or utilities
that rely on those non-standard and undocumented operators
may stop working, or may change behaviour.
If you encounter such a case, please contact us
(i.e. Ghostscript upstream, either the #ghostscript IRC channel
or the gs-devel mailing list would be best), and we'll work
with you to either find an alternative solution or return the
previous functionality, if there is genuinely no other option.
One case we know this has occurred is GSView 5 (and earlier).
GSView 5 support for PDF files relied upon internal use only
features which are no longer available. GSView 5 will still
work as previously for Postscript files. For PDF files,
users are encouraged to look at MuPDF https://www.mupdf.com/
For a release summary see:
https://www.ghostscript.com/doc/9.50/News.htm
For details see the News.htm and History9.htm files.
- CVE-2019-10216.patch
gs-CVE-2019-14811-885444fc.patch
gs-CVE-2019-14817-cd1b1cac.patch
openjpeg4gs-CVE-2018-6616-8ee33522.patch
are fixed in the version 9.52 upstream sources.
-------------------------------------------------------------------
Fri Jan 31 17:26:37 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
- Use system openjpeg2 on Tumbleweed/Factory.
-------------------------------------------------------------------
Mon Sep 23 08:24:49 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Made ghostscript profile enforcing and limit it to the ghostscript
binaries (bsc#1150338)
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
@ -32,6 +163,11 @@ Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>
https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
https://bugs.ghostscript.com/show_bug.cgi?id=701394
-------------------------------------------------------------------
Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com
- Set AA profile to complain and added fixes for ps2epsi (boo#1134327)
-------------------------------------------------------------------
Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de
@ -981,6 +1117,11 @@ Tue Sep 9 16:06:31 CEST 2014 - jsmeix@suse.de
it is fixed in the upstream sources.
- Removed trailing whitespaces in spec file and changes file.
-------------------------------------------------------------------
Mon Aug 18 15:12:28 UTC 2014 - meissner@suse.com
- gs does not seem to require libopenssl-devel for building.
-------------------------------------------------------------------
Thu Mar 27 12:21:55 CET 2014 - jsmeix@suse.de

31
ghostscript-mini.spec
View File

@ -47,7 +47,7 @@ URL: https://www.ghostscript.com/
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.27
Version: 9.52
Release: 0
# Normal version for Ghostscript releases is the upstream version:
# tarball_version is used below to specify the directory via "setup -n":
@ -59,7 +59,7 @@ Release: 0
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
#define built_version %{version}
%define built_version 9.27
%define built_version 9.52
# Source0...Source9 is for sources from upstream:
# Special URLs for Ghostscript release candidates:
# see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@ -71,21 +71,13 @@ Release: 0
#Source0: ghostscript-%{tarball_version}.tar.gz
# Normal URLs for Ghostscript releases:
# URL for Source0:
# wget -O ghostscript-9.27.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
# wget -O ghostscript-9.52.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz
# URL for MD5 checksums:
# wget -O gs927.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d ghostscript-9.27.tar.gz
# wget -O gs952.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from of upstream to fix CVE-2019-10216
Patch1: CVE-2019-10216.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch2: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -93,6 +85,8 @@ Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# RPM dependencies:
Conflicts: ghostscript
@ -152,21 +146,14 @@ This package contains the development files for Minimal Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from of upstream to fix CVE-2019-10216
%patch1 -p0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch2 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch3 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052

122
ghostscript.changes
View File

@ -1,3 +1,123 @@
-------------------------------------------------------------------
Wed Apr 29 12:09:39 CEST 2020 - jsmeix@suse.de
- The version upgrade to 9.52 fixes in particular
CVE-2020-12268: jbic2dec: heap-based buffer overflow
in jbig2_image_compose (bsc#1170603)
- Version upgrade to 9.52
Highlights in this release include:
* The 9.52 release replaces the 9.51 release after a problem
was reported with 9.51 which warranted the quick turnaround.
Thus, like 9.51, 9.52 is primarily a maintenance release,
consolidating the changes we introduced in 9.50.
* IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt
(the "mt" indicating "multi-thread").
LCMS2 is not thread-safe, and cannot be made thread-safe
without breaking the ABI. Our fork will be thread-safe and
include performance enhancements (these changes have all
been offered and rejected upstream). We will maintain
compatibility between Ghostscript and LCMS2 for a time,
but not in perpetuity. If there is sufficient interest,
our fork will be available as its own package separately
from Ghostscript (and MuPDF).
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
Incompatible changes:
* New option -dALLOWPSTRANSPARENCY: The transparency compositor
(and related features), whilst we are improving it, remains
sensitive to being driven correctly, and incorrect use
can have unexpected/undefined results. Hence, as part of
improving security, we limited access to these operators,
originally using the -dSAFER feature. As we made "SAFER"
the default mode, that became unacceptable, hence the
new option -dALLOWPSTRANSPARENCY which enables access
to the operators, cf.
https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY
For a release summary see:
https://www.ghostscript.com/doc/9.52/News.htm
For details see the News.htm and History9.htm files.
- Version upgrade to 9.51
Highlights in this release include:
* 9.51 is primarily a maintainance release, consolidating
the changes we introduced in 9.50.
* We have continued our work on code hygiene for this release,
with a focus on the static analysis tool Coverity
(from Synopsys, Inc) and we are now maintaining a policy of
zero Coverity issues in the Ghostscript/GhostPDL source base.
* IMPORTANT: In consultation with a representative of
OpenPrinting (http://www.openprinting.org/) it is our
intention to deprecate and, in the not distant future,
remove the OpenPrinting Vector/Raster Printer Drivers
(that is, the opvp and oprp devices).
If you rely on either of these devices, please get in touch
with us (i.e. Ghostscript upstream), so we can discuss your
use case, and revise our plans accordingly.
* We (i.e. Ghostscript upstream) are in the process of forking
LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
For a release summary see:
https://www.ghostscript.com/doc/9.51/News.htm
For details see the News.htm and History9.htm files.
- Version upgrade to 9.50
Highlights in this release include:
* The change to version 9.50 follows recognition
of the extent and importance of the file access control
redesign/reimplementation outlined below.
* The file access control capability (enable with -dSAFER)
has been completely rewritten, with a ground-up rethink
of the design. For more details, see: "SAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* It is important to note that -dSAFER now only enables the
file access controls, and no longer applies restrictions
to standard Postscript functionality (specifically,
restrictions on setpagedevice). If your application relies
on these Postscript restrictions, see "OLDSAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer
and please get in touch, as we do plan to remove those
Postscript restrictions unless we have reason not to.
IMPORTANT: File access controls are now enabled by default.
In order to run Ghostscript without these controls,
see "NOSAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer
* We (i.e. Ghostscript upstream) are in the process of forking
LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes,
and incremental improvements.
Incompatible changes:
* There are a couple of subtle incompatibilities between the old
and new SAFER implementations. Firstly, as mentioned above,
SAFER now leaves standard Postcript functionality unchanged
(except for the file access limitations). Secondly, the
interaction with save/restore operations, see "SAFER" at
https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* The following is not strictly speaking new to 9.50,
as not much has changed since 9.27 in this area,
but for those who don't upgrade with every release:
The process of "tidying" the Postscript name space should have
removed only non-standard and undocumented operators.
Nevertheless, it is possible that any integrations or utilities
that rely on those non-standard and undocumented operators
may stop working, or may change behaviour.
If you encounter such a case, please contact us
(i.e. Ghostscript upstream, either the #ghostscript IRC channel
or the gs-devel mailing list would be best), and we'll work
with you to either find an alternative solution or return the
previous functionality, if there is genuinely no other option.
One case we know this has occurred is GSView 5 (and earlier).
GSView 5 support for PDF files relied upon internal use only
features which are no longer available. GSView 5 will still
work as previously for Postscript files. For PDF files,
users are encouraged to look at MuPDF https://www.mupdf.com/
For a release summary see:
https://www.ghostscript.com/doc/9.50/News.htm
For details see the News.htm and History9.htm files.
- CVE-2019-10216.patch
gs-CVE-2019-14811-885444fc.patch
gs-CVE-2019-14817-cd1b1cac.patch
openjpeg4gs-CVE-2018-6616-8ee33522.patch
are fixed in the version 9.52 upstream sources.
-------------------------------------------------------------------
Fri Jan 31 17:26:37 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
@ -33,7 +153,7 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Use update-alternatives to get the real ghostscript binary from
/usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
use this with its wrapper script
use this with its wrapper script
-------------------------------------------------------------------
Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>

31
ghostscript.spec
View File

@ -71,7 +71,7 @@ URL: https://www.ghostscript.com/
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.27
Version: 9.52
Release: 0
# Normal version for Ghostscript releases is the upstream version:
# tarball_version is used below to specify the directory via "setup -n":
@ -83,7 +83,7 @@ Release: 0
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
#define built_version %{version}
%define built_version 9.27
%define built_version 9.52
# Source0...Source9 is for sources from upstream:
# Special URLs for Ghostscript release candidates:
# see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@ -95,21 +95,13 @@ Release: 0
#Source0: ghostscript-%{tarball_version}.tar.gz
# Normal URLs for Ghostscript releases:
# URL for Source0:
# wget -O ghostscript-9.27.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
# wget -O ghostscript-9.52.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz
# URL for MD5 checksums:
# wget -O gs927.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d ghostscript-9.27.tar.gz
# wget -O gs952.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from of upstream to fix CVE-2019-10216
Patch1: CVE-2019-10216.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch2: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -117,6 +109,8 @@ Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# RPM dependencies:
# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
@ -289,21 +283,14 @@ This package contains the development files for Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from of upstream to fix CVE-2019-10216
%patch1 -p0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch2 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch3 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052

59
gs-CVE-2019-14811-885444fc.patch
View File

@ -1,59 +0,0 @@
Based on 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: [PATCH] make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
---
Resource/Init/gs_lev2.ps | 6 +++---
Resource/Init/gs_pdfwr.ps | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

200
gs-CVE-2019-14817-cd1b1cac.patch
View File

@ -1,200 +0,0 @@
Based on cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Aug 2019 10:10:51 +0100
Subject: [PATCH] PDF interpreter - review .forceput security
Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
By abusing the error handler it was possible to get the PDFDEBUG portion
of .pdfexectoken, which uses .forceput left readable.
Add an executeonly appropriately to make sure that clause isn't readable
no mstter what.
Review all the uses of .forceput searching for similar cases, add
executeonly as required to secure those. All cases in the PostScript
support files seem to be covered already.
---
Resource/Init/pdf_base.ps | 2 +-
Resource/Init/pdf_draw.ps | 14 +++++++-------
Resource/Init/pdf_font.ps | 21 +++++++++++----------
Resource/Init/pdf_main.ps | 6 +++---
Resource/Init/pdf_ops.ps | 11 ++++++-----
5 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse

67
openjpeg4gs-CVE-2018-6616-8ee33522.patch
View File

@ -1,67 +0,0 @@
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 14 Dec 2018 04:58:40 +0100
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Fixes #1059 (CVE-2018-6616).
---
openjpeg/src/bin/jp2/convertbmp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- openjpeg/src/bin/jp2/convertbmp.c
+++ openjpeg/src/bin/jp2/convertbmp.c 2019-09-12 08:22:52.272682353 +0000
@@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}