diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch
deleted file mode 100644
index 1ab465d..0000000
--- a/CVE-2023-28879.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
-+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
-@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
- byte ch = *++p;
-
- if (ch <= 31 && escaped[ch]) {
-+ /* Make sure we have space to store two characters in the write buffer,
-+ * if we don't then exit without consuming the input character, we'll process
-+ * that on the next time round.
-+ */
-+ if (pw->limit - q < 2) {
-+ p--;
-+ break;
-+ }
- if (p == rlimit) {
- p--;
- break;
diff --git a/CVE-2023-36664.patch b/CVE-2023-36664.patch
deleted file mode 100644
index ae3cb7f..0000000
--- a/CVE-2023-36664.patch
+++ /dev/null
@@ -1,116 +0,0 @@
---- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
-@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
- && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
- prefix_len = 0;
- }
-- rlen = len+1;
-- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
-- if (bufferfull == NULL)
-- return gs_error_VMerror;
-
-- buffer = bufferfull + prefix_len;
-- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-- return gs_error_invalidfileaccess;
-- buffer[rlen] = 0;
-+ /* "%pipe%" do not follow the normal rules for path definitions, so we
-+ don't "reduce" them to avoid unexpected results
-+ */
-+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
-+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
-+ if (buffer == NULL)
-+ return gs_error_VMerror;
-+ memcpy(buffer, path, len);
-+ buffer[len] = 0;
-+ rlen = len;
-+ }
-+ else {
-+ rlen = len+1;
-+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
-+ if (bufferfull == NULL)
-+ return gs_error_VMerror;
-
-+ buffer = bufferfull + prefix_len;
-+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-+ return gs_error_invalidfileaccess;
-+ buffer[rlen] = 0;
-+ }
- while (1) {
- switch (mode[0])
- {
---- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
-@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
- return gs_error_rangecheck;
- }
-
-- rlen = len+1;
-- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
-- if (buffer == NULL)
-- return gs_error_VMerror;
--
-- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-- return gs_error_invalidfileaccess;
-- buffer[rlen] = 0;
-+ /* "%pipe%" do not
follow the normal rules for path definitions, so we
-+ don't "reduce" them to avoid unexpected results
-+ */
-+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
-+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
-+ if (buffer == NULL)
-+ return gs_error_VMerror;
-+ memcpy(buffer, path, len);
-+ buffer[len] = 0;
-+ rlen = len;
-+ }
-+ else {
-+ rlen = len + 1;
-+
-+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
-+ if (buffer == NULL)
-+ return gs_error_VMerror;
-+
-+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-+ return gs_error_invalidfileaccess;
-+ buffer[rlen] = 0;
-+ }
-
- n = control->num;
- for (i = 0; i < n; i++)
-@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
- return gs_error_rangecheck;
- }
-
-- rlen = len+1;
-- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
-- if (buffer == NULL)
-- return gs_error_VMerror;
--
-- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-- return gs_error_invalidfileaccess;
-- buffer[rlen] = 0;
-+ /* "%pipe%" do not follow the normal rules for path definitions, so we
-+ don't "reduce" them to avoid unexpected results
-+ */
-+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
-+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
-+ if (buffer == NULL)
-+ return gs_error_VMerror;
-+ memcpy(buffer, path, len);
-+ buffer[len] = 0;
-+ rlen = len;
-+ }
-+ else {
-+ rlen = len+1;
-+
-+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
-+ if (buffer == NULL)
-+ return gs_error_VMerror;
-+
-+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
-+ return gs_error_invalidfileaccess;
-+ buffer[rlen] = 0;
-+ }
-
- n = control->num;
- for (i = 0; i < n; i++) {
diff --git a/CVE-2023-38559.patch b/CVE-2023-38559.patch
deleted file mode 100644
index 2d16234..0000000
--- a/CVE-2023-38559.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
-@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
- byte data = *from;
-
- from += step;
-- if (data != *from || from == end) {
-+ if (from >= end || data != *from) {
- if (data >= 0xc0)
- gp_fputc(0xc1, file);
- } else {
diff --git a/CVE-2023-43115.patch b/CVE-2023-43115.patch
deleted file mode 100644
index f1a7d79..0000000
--- a/CVE-2023-43115.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- devices/gdevijs.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ devices/gdevijs.c 2023-09-20 08:18:09.178777690 +0200
-@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
- static const char rgb[] = "DeviceRGB";
- gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
-
-+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
-+ return_error(gs_error_invalidaccess);
- if (!ijsdev->ColorSpace) {
- ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
- "gsijs_initialize");
-@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_para
- if (code >= 0)
- code = gsijs_read_string(plist, "IjsServer",
- ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
-- dev->LockSafetyParams, is_open);
-+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
-
- if (code >= 0)
- code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
diff --git a/CVE-2023-46751.patch b/CVE-2023-46751.patch
deleted file mode 100644
index aad6ae6..0000000
--- a/CVE-2023-46751.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- base/gdevprn.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ base/gdevprn.c 2024-01-03 12:53:20.009504451 +0100
-@@ -1268,6 +1268,7 @@ gdev_prn_open_printer_seekable(gx_device
- && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
-
- code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
-+ ppdev->file = NULL;
- if (code < 0)
- return code;
- }
---- devices/gdevtsep.c.orig 2022-04-04 15:48:49.000000000 +0200
-+++ devices/gdevtsep.c 2024-01-03 13:04:42.048210048 +0100
-@@ -736,6 +736,7 @@ tiffsep_initialize_device_procs(gx_devic
- {
- gdev_prn_initialize_device_procs(dev);
-
-+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
- set_dev_proc(dev, open_device, tiffsep_prn_open);
- set_dev_proc(dev, close_device, tiffsep_prn_close);
- set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
diff --git a/ghostscript-10.02.1.tar.xz b/ghostscript-10.02.1.tar.xz
new file mode 100644
index 0000000..a982204
--- /dev/null
+++ b/ghostscript-10.02.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c58c948b0721becefcd0029c8db95f9bb3268affc25ea01d4c5a6b07fa1ab08
+size 68017088
diff --git a/ghostscript-9.56.1.tar.xz b/ghostscript-9.56.1.tar.xz
deleted file mode 100644
index 6e0f5ef..0000000
--- a/ghostscript-9.56.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d43406805650009b42c3d5f6dc535233454533c1e27c13a77dd1d462a056b8e4
-size 62589232
diff --git a/ghostscript.changes b/ghostscript.changes
index abcfec0..125819f 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,38 @@ +------------------------------------------------------------------- +Sun Jan 28 10:39:57 UTC 2024 - Dirk Müller + +- update to 10.02.1: + * Patch release to address some security bugs + * This release (10.02.0) marks the final demise of the + PostScript based PDF interpreter. + * This 10.01.1 release removes the "-dNEWPDF=false" command + line option to fall back to the deprecated, old PDF + interpreter. + * This 10.01.0 release removes the "-dNEWPDF=false" command + line option to fall back to the deprecated, old PDF + interpreter. + * This release officially deprecates the old Postscript + implementation of PDF, we will not be updating or maintaining + that code moving forward. The option to use the old PDF + implementation _**will**_ be removed in the next full release + (10.01.0) + * Important: This release includes the new PDF interpreter + (implemented in C rather than PostScript). It is both + integrated into Ghostscript (now ENABLED by default), and + available as a standalone, PDF only, binary. See + https://ghostscript.com/pdfi.html for more details. + * This also bundles the latest zlib (1.2.12) which addresses a + security issue (CVE-2018-25032) + * **Important**: This release includes the new PDF interpreter + (implemented in C rather than PostScript). It is both + integrated into Ghostscript (now **ENABLED** by default), and + available as a standalone, PDF only, binary. See + https://ghostscript.com/pdfi.html for more details. +- drop CVE-2023-28879.patch, CVE-2023-36664.patch, + CVE-2023-38559.patch, CVE-2023-43115.patch, + CVE-2023-46751.patch: upstream +- drop remove-zlib-h-dependency.patch: unused + ------------------------------------------------------------------- Wed Jan 3 12:15:46 UTC 2024 - Johannes Meixner 
@@ -103,12 +138,12 @@ Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller ------------------------------------------------------------------- Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller -- Use _multibuild +- Use _multibuild ------------------------------------------------------------------- Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller -- Use system zlib (bsc#1198449) +- Use system zlib (bsc#1198449) ------------------------------------------------------------------- Thu Apr 7 08:14:51 UTC 2022 - Frederic Crozat @@ -231,7 +266,7 @@ Tue Oct 20 16:03:48 CEST 2020 - jsmeix@suse.de Note for GSView Users: The patch level addition breaks GSView 5 (it is hardcoded to check for versions 704-999). It is possible, but not guaranteed that a GSView update might - be forthcoming to resolve this. + be forthcoming to resolve this. For a release summary see: https://www.ghostscript.com/doc/9.53.3/News.htm For details see the News.htm and History9.htm files. diff --git a/ghostscript.spec b/ghostscript.spec index 46b0a78..ae132b6 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -1,5 +1,5 @@ # -# spec file +# spec file for package ghostscript # # Copyright (c) 2024 SUSE LLC # 
@@ -22,75 +22,23 @@ %else %global psuffix %{nil} %endif -# built_version is used below in the install and files sections: -# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". -# For Ghostscript releases built_version and version are the same (i.e. the upstream version): -%define built_version %{version} Name: ghostscript%{psuffix} -Version: 9.56.1 +Version: 10.02.1 Release: 0 Summary: The Ghostscript interpreter for PostScript and PDF License: AGPL-3.0-only Group: Productivity/Office/Other URL: https://www.ghostscript.com/ -# sha512:fe5a5103c081dd87cf8b3e0bbbd0df004c0e4e04e41bded7c70372916e6e26249a0e8fa434b561292964c5f3820ee6c60ef1557827a6efb5676012ccb73ded85 -Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9561/ghostscript-%{version}.tar.xz +Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-%{version}.tar.xz Source10: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: -# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h -# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: -Patch100: remove-zlib-h-dependency.patch # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch -# Patch102 CVE-2023-28879.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd -# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process -# cf. 
https://bugs.ghostscript.com/show_bug.cgi?id=706494 -# and https://bugzilla.suse.com/show_bug.cgi?id=1210062 -Patch102: CVE-2023-28879.patch -# Patch103 CVE-2023-36664.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c -# and -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d -# that fixes CVE-2023-36664 -# see https://bugs.ghostscript.com/show_bug.cgi?id=706761 -# "OS command injection in %pipe% access" -# and https://bugs.ghostscript.com/show_bug.cgi?id=706778 -# "%pipe% allowed_path bypass" -# and https://bugzilla.suse.com/show_bug.cgi?id=1212711 -# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" -Patch103: CVE-2023-36664.patch -# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 -# that fixes CVE-2023-38559 -# "out of bounds read devn_pcx_write_rle() could result in DoS" -# see https://bugzilla.suse.com/show_bug.cgi?id=1213637 -# and https://bugs.ghostscript.com/show_bug.cgi?id=706897 -# which is in base/gdevdevn.c the same issue -# "ordering in if expression to avoid out-of-bounds access" -# as the already fixed CVE-2020-16305 in devices/gdevpcx.c -# see https://bugs.ghostscript.com/show_bug.cgi?id=701819 -Patch104: CVE-2023-38559.patch -# Patch105 CVE-2023-43115.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 -# that fixes CVE-2023-43115 -# "remote code execution via crafted PostScript documents in gdevijs.c" -# see https://bugs.ghostscript.com/show_bug.cgi?id=707051 -# and https://bugzilla.suse.com/show_bug.cgi?id=1215466 -Patch105: CVE-2023-43115.patch -# Patch106 CVE-2023-46751.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13 -# adapted for Ghostscript-9.56.1 that fixes -# 
https://bugs.ghostscript.com/show_bug.cgi?id=707264 -# which includes a fix for CVE-2023-46751 -# "dangling pointer in gdev_prn_open_printer_seekable()" -# see https://bugzilla.suse.com/show_bug.cgi?id=1217871 -Patch106: CVE-2023-46751.patch # Build Requirements: BuildRequires: freetype2-devel BuildRequires: libjpeg-devel @@ -102,43 +50,7 @@ BuildRequires: pkgconfig BuildRequires: update-alternatives BuildRequires: zlib-devel Requires(post): update-alternatives -Requires(preun):update-alternatives -# RPM dependencies: -# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from -# "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": -# ghostscript -# gs -# gs_lib -# pstoraster -# ghostscript_any -# ghostscript-serv -# gs_x11 -# ghostscript_x11 -# ghostscript-mini -# Which of those are actually used in openSUSE:Factory (dated 22 Feb. 2012): -# ghostscript -# gs -# gs_lib -# ghostscript_any -# ghostscript_x11 -# ghostscript-mini -# Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012): -# webdot Requires ghostscript -# ddd BuildRequires ghostscript_any -# emacs-auctex BuildRequires ghostscript_any -# kernel-docs BuildRequires ghostscript_any -# texlive-bin BuildRequires ghostscript_any -# cups Requires ghostscript_any -# html2ps Requires ghostscript_any -# latex2html Requires ghostscript_any -# pstoedit Requires ghostscript_any -# ghostview Requires ghostscript_x11 -# gv Requires ghostscript_x11 -# texlive-bin Requires ghostscript_x11 -# klatexformula BuildRequires gs and Requires gs -# capi4hylafax Requires gs_lib -# hylafax Requires gs_lib -# graphviz-plugins BuildRequires ghostscript-mini +Requires(preun): update-alternatives # Provide the additional RPM Provides of the ghostscript-library package # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below). # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any" 
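Review bot: The new `Source0` line is left without any integrity reference: the `# sha512:` comment that recorded the upstream checksum of the 9.56.1 tarball is removed and nothing equivalent is added for `ghostscript-%{version}.tar.xz`. The git-lfs pointer pins the file stored in this repository, but it does not show that this file matches what upstream published. I would add `# sha512:<upstream-published sha512 of ghostscript-10.02.1.tar.xz>` above `Source0`, or ship the upstream signature as an additional source if one is available. The same hunk drops Patch102 to Patch106 together with the comments that tied each CVE to its upstream commit and bug entries, so it is worth confirming against the 10.02.1 sources that each of those fixes is present rather than relying only on the changelog's "upstream".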
@@ -183,13 +95,11 @@ Conflicts: ghostscript-x11 %else Recommends: ghostscript-x11 = %{version}-%{release} Conflicts: ghostscript-x11 < %{version}-%{release} -Provides: gs = %{version} -Provides: gs_lib = %{version} -# There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4. -# Satisfy it to be backward compatible with installed gutenprint packages: -Provides: pstoraster Provides: %{version} Provides: ghostscript-library = %{version} +Provides: gs = %{version} +Provides: gs_lib = %{version} +Provides: pstoraster Obsoletes: ghostscript-library < %{version} # The "Obsoletes: ghostscript-mini" is intentionally unversioned because # this package ghostscript should replace any version of ghostscript-mini. 
@@ -202,74 +112,40 @@ Recommends: (cups-filters-ghostscript if cups) %description Ghostscript is a package of software that provides: -An interpreter for the PostScript language, -with the ability to convert PostScript language files -to many raster formats, view them on displays, -and print them on printers that don't have -PostScript language capability built in. +An interpreter for the PostScript language, with the ability to convert +PostScript language files to many raster formats, view them on displays, and +print them on printers that don't have PostScript language capability built in. -An interpreter for Portable Document Format (PDF) files, -with the same abilities. +An interpreter for Portable Document Format (PDF) files, with the same +abilities. -The ability to convert PostScript language files -to PDF (with some limitations) and vice versa. +The ability to convert PostScript language files to PDF (with some limitations) +and vice versa. -A set of C procedures (the Ghostscript library) -that implement the graphics and filtering -(data compression / decompression / conversion) -capabilities that appear as primitive operations -in the PostScript language and in PDF. +A set of C procedures (the Ghostscript library) that implement the graphics and +filtering (data compression / decompression / conversion) capabilities that +appear as primitive operations in the PostScript language and in PDF. For information how to use Ghostscript see %{_datadir}/ghostscript/%{version}/doc/Use.htm %package x11 Summary: X11 library for Ghostscript -# Require the exact matching version-release of the ghostscript main-package because -# a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault) -# because all Ghostscript software is built from one same Ghostscript source tar ball -# so that there could be any kind of Ghostscript-internal dependencies. 
-# The exact matching version-release of the ghostscript main-package is available -# on the same package repository where the ghostscript-x11 sub-package is because -# all are built simulaneously from the same Ghostscript source package: Group: Productivity/Publishing/PS Requires: ghostscript = %{version}-%{release} -# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have -# an unversioned "Provides: ghostscript" and for RPM this means that both -# ghostscript-library and ghostscript-mini provide any version of "ghostscript" -# so that any version of ghostscript-library and ghostscript-mini fulfills -# the above versioned requirement which is wrong and therefore an explicit conflicts -# is used here to avoid the mess. -# Above the ghostscript main package "Provides: ghostscript-library = version" so that -# versioned conflicts are needed to avoid a conflict with the ghostscript main package. -# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html -# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4) -# does not show a comparison operator for "not equal" so that two conflicts are used: Conflicts: ghostscript-library < %{version} Conflicts: ghostscript-library > %{version} Conflicts: ghostscript-mini Provides: ghostscript_x11 = %{version} %description x11 -This package contains the X11 library which is needed -to view PostScript and PDF files with Ghostscript -under the X Window System. +This package contains the X11 library which is needed to view PostScript and +PDF files with Ghostscript under the X Window System. 
%package devel Summary: Development files for Ghostscript Group: Development/Libraries/C and C++ Requires: ghostscript = %{version} -# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have -# an unversioned "Provides: ghostscript" and for RPM this means that both -# ghostscript-library and ghostscript-mini provide any version of "ghostscript" -# so that any version of ghostscript-library and ghostscript-mini fulfills -# the above versioned requirement which is wrong and therefore an explicit conflicts -# is used here to avoid the mess. -# Above the ghostscript main package "Provides: ghostscript-library = version" so that -# versioned conflicts are needed to avoid a conflict with the ghostscript main package. -# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html -# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4) -# does not show a comparison operator for "not equal" so that two conflicts are used: Conflicts: ghostscript-library < %{version} Conflicts: ghostscript-library > %{version} Conflicts: ghostscript-mini 
@@ -281,102 +157,16 @@ This package contains the development files for Ghostscript. %prep %setup -q -n ghostscript-%{version} -# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h -# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. -# Again use the zlib sources from Ghostscript upstream -# and disable remove-zlib-h-dependency.patch because -# Ghostscript 9.21 does no longer build this way: -#patch100 -p1 -b remove-zlib-h-dependency.orig # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 -# Patch102 CVE-2023-28879.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd -# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process -# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494 -# and https://bugzilla.suse.com/show_bug.cgi?id=1210062 -%patch102 -# Patch103 CVE-2023-36664.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c -# and -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d -# that fixes CVE-2023-36664 -# see https://bugs.ghostscript.com/show_bug.cgi?id=706761 -# "OS command injection in %pipe% access" -# and https://bugs.ghostscript.com/show_bug.cgi?id=706778 -# "%pipe% allowed_path bypass" -# and https://bugzilla.suse.com/show_bug.cgi?id=1212711 -# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" -%patch103 -# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 -# that fixes CVE-2023-38559 -# "out of bounds read devn_pcx_write_rle() could result in DoS" -# see https://bugzilla.suse.com/show_bug.cgi?id=1213637 -# and https://bugs.ghostscript.com/show_bug.cgi?id=706897 -# which is in 
base/gdevdevn.c the same issue -# "ordering in if expression to avoid out-of-bounds access" -# as the already fixed CVE-2020-16305 in devices/gdevpcx.c -# see https://bugs.ghostscript.com/show_bug.cgi?id=701819 -%patch104 -# Patch105 CVE-2023-43115.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 -# that fixes CVE-2023-43115 -# "remote code execution via crafted PostScript documents in gdevijs.c" -# see https://bugs.ghostscript.com/show_bug.cgi?id=707051 -# and https://bugzilla.suse.com/show_bug.cgi?id=1215466 -%patch105 -# Patch106 CVE-2023-46751.patch is -# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13 -# adapted for Ghostscript-9.56.1 that fixes -# https://bugs.ghostscript.com/show_bug.cgi?id=707264 -# which includes a fix for CVE-2023-46751 -# "dangling pointer in gdev_prn_open_printer_seekable()" -# see https://bugzilla.suse.com/show_bug.cgi?id=1217871 -%patch106 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig -# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball -# because we prefer to use for long-established standard libraries the ones from SUSE -# in particular to automatically get SUSE security updates for standard libraries. -# In contrast we use e.g. 
lcms2 from the Ghostscript upstream tarball because this one -# is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE: -#rm -rf freetype jpeg libpng tiff zlib -# Again use the zlib sources from Ghostscript upstream -# and disable remove-zlib-h-dependency.patch because -# Ghostscript 9.21 does no longer build this way: -%if 0%{?suse_version} == 1315 -# Again use the freetype sources from Ghostscript upstream because -# Ghostscript 9.27 does no longer build this way for SLE12: -rm -rf jpeg libpng tiff -%else -rm -rf freetype jpeg libpng tiff -%endif +rm -rf freetype jpeg libpng lcms2art zlib tiff %if 0%{?suse_version} >= 1550 rm -rf openjpeg %endif -rm -rf zlib -# In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1 -# because that is what Ghostscript upstream recommends according to -# https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html -# because singe Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript -# but now it is lcms2art (the beginning of a lcms2 fork - see News.htm). -# On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5 -# which is too old so that configure fails there with -# checking for local lcms2 library source... no -# checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no -# configure: error: lcms2 not found, or too old -# (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old) -# but there is no configure option to build it without lcms2 -# so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript -# i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1 -# cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto -%if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100 -echo "Building it with lcms2art in Ghostscript" -%else -rm -rf lcms2art -%endif %build # Derive build timestamp from latest changelog entry 
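Review bot: The consolidated `rm -rf freetype jpeg libpng lcms2art zlib tiff` in %prep carries no comment, and the block removed here was the only place that said why the bundled copies are deleted, namely to build against the distribution libraries and inherit their security updates. I would keep one line above it such as `# Remove bundled third-party sources so the build uses the system libraries and gets their security updates`. The hunk also drops the `suse_version == 1315` and SLE11/SLE12-SP1 exceptions, so freetype and lcms2art are now removed on every target; the deleted comments say configure fails there when the system lcms2 is too old, so this presumably assumes those targets are no longer built. `openjpeg` is still removed only for `suse_version >= 1550`, which leaves older targets building the bundled copy, and that exception deserves a short comment as well.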
@@ -412,23 +202,13 @@ autoreconf -fi %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW # See http://bugs.ghostscript.com/show_bug.cgi?id=693100 export SUSE_ASNEEDED=0 -# The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here) -# ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking -# --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share -# --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib -# --mandir=/usr/share/man --infodir=/usr/share/info -# --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW -# --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits -# --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x -# --disable-gtk --without-ufst --without-libpaper --without-tesseract -# configure: WARNING: unrecognized options: --disable-dependency-tracking -# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro. %configure \ --with-fontpath=%{gs_font_path} \ --with-libiconv=maybe \ --enable-freetype \ --with-jbig2dec \ --enable-openjpeg \ + --disable-hidden-visibility \ --enable-dynamic \ --disable-compile-inits \ %if "%{flavor}" == "mini" @@ -478,7 +258,7 @@ rm %{buildroot}%{_bindir}/ijs_client_example rm %{buildroot}%{_bindir}/ijs_server_example rm %{buildroot}%{_libdir}/libijs.la # Install examples: -EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples +EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples test -d $EXAMPLESDIR || install -d $EXAMPLESDIR for E in examples/* do install -m 644 $E $EXAMPLESDIR || : 
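Review bot: `--disable-hidden-visibility` is added to the %configure call without any comment, and the changelog entry in this commit does not mention it either. As far as I know this option makes the build export all libgs symbols instead of only the public API, which lets other packages link against internals that upstream may change or remove in any release. I would add a line above %configure such as `# --disable-hidden-visibility: needed by <package that links libgs internals>, see <bug reference>` so the reason can be re-checked on the next update. The %configure invocation continues past the end of this hunk.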
@@ -490,7 +270,7 @@ done # Install documentation which is not installed by default # see http://bugs.ghostscript.com/show_bug.cgi?id=693002 # and fail intentionally as notification if something changed: -DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version} +DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{version} for D in LICENSE do test -e $DOCDIR/$( basename $D ) && exit 99 install -m 644 $D $DOCDIR @@ -502,7 +282,7 @@ done # because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above): install -d -m 755 %{buildroot}%{_defaultdocdir} pushd %{buildroot}%{_defaultdocdir} -ln -s ../ghostscript/%{built_version} ghostscript +ln -s ../ghostscript/%{version} ghostscript popd # Extract the catalog of devices which are actually built-in in exactly this Ghostscript: # If a needed source file is no longer accessible fail intentionally as notification @@ -551,6 +331,7 @@ if test $1 -eq 0 ; then fi %files +%license LICENSE %ghost %config %{_sysconfdir}/alternatives/gs %{_bindir}/dvipdf %{_bindir}/eps2eps 
@@ -601,39 +382,27 @@ fi %{_mandir}/man1/ps2pdf14.1%{?ext_man} %{_mandir}/man1/ps2pdfwr.1%{?ext_man} %{_mandir}/man1/ps2ps.1%{?ext_man} -%{_mandir}/de/man1/dvipdf.1%{?ext_man} -%{_mandir}/de/man1/eps2eps.1%{?ext_man} -%{_mandir}/de/man1/gsnd.1%{?ext_man} -%{_mandir}/de/man1/pdf2dsc.1%{?ext_man} -%{_mandir}/de/man1/pdf2ps.1%{?ext_man} -%{_mandir}/de/man1/printafm.1%{?ext_man} -%{_mandir}/de/man1/ps2ascii.1%{?ext_man} -%{_mandir}/de/man1/ps2pdf.1%{?ext_man} -%{_mandir}/de/man1/ps2pdf12.1%{?ext_man} -%{_mandir}/de/man1/ps2pdf13.1%{?ext_man} -%{_mandir}/de/man1/ps2pdf14.1%{?ext_man} -%{_mandir}/de/man1/ps2ps.1%{?ext_man} %doc %{_defaultdocdir}/ghostscript %dir %{_datadir}/doc/ghostscript -%doc %{_datadir}/doc/ghostscript/%{built_version} +%doc %{_datadir}/doc/ghostscript/%{version} %dir %{_datadir}/ghostscript -%dir %{_datadir}/ghostscript/%{built_version} -%{_datadir}/ghostscript/%{built_version}/Resource -%{_datadir}/ghostscript/%{built_version}/iccprofiles -%{_datadir}/ghostscript/%{built_version}/examples/ -%{_datadir}/ghostscript/%{built_version}/lib/ +%dir %{_datadir}/ghostscript/%{version} +%{_datadir}/ghostscript/%{version}/Resource +%{_datadir}/ghostscript/%{version}/iccprofiles +%{_datadir}/ghostscript/%{version}/examples/ +%{_datadir}/ghostscript/%{version}/lib/ %{_libdir}/libgs.so.* %{_libdir}/ghostscript/ %{_libdir}/libijs-0.35.so %if "%{flavor}" != "mini" -%exclude %{_libdir}/ghostscript/%{built_version}/X11.so +%exclude %{_libdir}/ghostscript/%{version}/X11.so %if 0%{?suse_version} < 1500 %dir %{_sysconfdir}/apparmor.d %endif %{_sysconfdir}/apparmor.d/ghostscript %files x11 -%{_libdir}/ghostscript/%{built_version}/X11.so +%{_libdir}/ghostscript/%{version}/X11.so %endif %files devel diff --git a/remove-zlib-h-dependency.patch b/remove-zlib-h-dependency.patch deleted file mode 100644 index 87782a2..0000000 --- a/remove-zlib-h-dependency.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-Index: ghostscript-9.18/base/lib.mak
-===================================================================
---- ghostscript-9.18.orig/base/lib.mak
-+++ ghostscript-9.18/base/lib.mak
-@@ -582,7 +582,7 @@ srlx_h=$(GLSRC)srlx.h
- sstring_h=$(GLSRC)sstring.h
- strimpl_h=$(GLSRC)strimpl.h $(scommon_h) $(gstypes_h) $(gsstruct_h)
- szlibx_h=$(GLSRC)szlibx.h
--zlib_h=$(ZSRCDIR)$(D)zlib.h
-+zlib_h= #$(ZSRCDIR)$(D)zlib.h
- # We have two of the following, for shared zlib (_1)
- # and 'local' zlib (_0)
- szlibxx_h_1=$(GLSRC)szlibxx.h $(szlibx_h)