- update to 10.02.1:

* Patch release to address some security bugs * This release (10.02.0) marks the final demise of the PostScript based PDF interpreter. * This 10.01.1 release removes the "-dNEWPDF=false" command line option to fall back to the deprecated, old PDF interpreter. * This 10.01.0 release removes the "-dNEWPDF=false" command line option to fall back to the deprecated, old PDF interpreter. * This release officially deprecates the old Postscript implementation of PDF, we will not be updating or maintaining that code moving forward. The option to use the old PDF implementation _**will**_ be removed in the next full release (10.01.0) * Important: This release includes the new PDF interpreter (implemented in C rather than PostScript). It is both integrated into Ghostscript (now ENABLED by default), and available as a standalone, PDF only, binary. See https://ghostscript.com/pdfi.html for more details. * This also bundles the latest zlib (1.2.12) which addresses a security issue (CVE-2018-25032) * **Important**: This release includes the new PDF interpreter (implemented in C rather than PostScript). It is both integrated into Ghostscript (now **ENABLED** by default), and available as a standalone, PDF only, binary. See https://ghostscript.com/pdfi.html for more details. - drop CVE-2023-28879.patch, CVE-2023-36664.patch, CVE-2023-38559.patch, CVE-2023-43115.patch, CVE-2023-46751.patch: upstream OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=171
2024-01-28 10:53:01 +00:00 · 2024-01-28 10:53:01 +00:00 · f8ae26665e
commit f8ae26665e
parent 79489dd1d6
10 changed files with 74 additions and 467 deletions
--- a/CVE-2023-28879.patch
+++ b/CVE-2023-28879.patch
@ -1,17 +0,0 @@
 --- base/sbcp.c.orig	2020-03-19 09:21:42.000000000 +0100
 +++ base/sbcp.c	2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
         byte ch = *++p;
         if (ch <= 31 && escaped[ch]) {
 +            /* Make sure we have space to store two characters in the write buffer,
 +             * if we don't then exit without consuming the input character, we'll process
 +             * that on the next time round.
 +             */
 +            if (pw->limit - q < 2) {
 +                p--;
 +                break;
 +            }
             if (p == rlimit) {
                 p--;
                 break;
--- a/CVE-2023-36664.patch
+++ b/CVE-2023-36664.patch
@ -1,116 +0,0 @@
 --- base/gpmisc.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ base/gpmisc.c	2023-07-04 08:13:02.173325373 +0200
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
           prefix_len = 0;
     }
 -    rlen = len+1;
 -    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
 -    if (bufferfull == NULL)
 -        return gs_error_VMerror;
 -    buffer = bufferfull + prefix_len;
 -    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 -        return gs_error_invalidfileaccess;
 -    buffer[rlen] = 0;
 +    /* "%pipe%" do not follow the normal rules for path definitions, so we
 +       don't "reduce" them to avoid unexpected results
 +     */
 +    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 +        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
 +        if (buffer == NULL)
 +            return gs_error_VMerror;
 +        memcpy(buffer, path, len);
 +        buffer[len] = 0;
 +        rlen = len;
 +    }
 +    else {
 +        rlen = len+1;
 +        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
 +        if (bufferfull == NULL)
 +            return gs_error_VMerror;
 +        buffer = bufferfull + prefix_len;
 +        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 +            return gs_error_invalidfileaccess;
 +        buffer[rlen] = 0;
 +    }
     while (1) {
         switch (mode[0])
         {
 --- base/gslibctx.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ base/gslibctx.c	2023-07-04 08:09:47.834639430 +0200
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
             return gs_error_rangecheck;
     }
 -    rlen = len+1;
 -    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
 -    if (buffer == NULL)
 -        return gs_error_VMerror;
 -
 -    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 -        return gs_error_invalidfileaccess;
 -    buffer[rlen] = 0;
 +    /* "%pipe%" do not follow the normal rules for path definitions, so we
 +       don't "reduce" them to avoid unexpected results
 +     */
 +    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 +        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
 +        if (buffer == NULL)
 +            return gs_error_VMerror;
 +        memcpy(buffer, path, len);
 +        buffer[len] = 0;
 +        rlen = len;
 +    }
 +    else {
 +        rlen = len + 1;
 +
 +        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
 +        if (buffer == NULL)
 +            return gs_error_VMerror;
 +
 +        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 +            return gs_error_invalidfileaccess;
 +        buffer[rlen] = 0;
 +    }
     n = control->num;
     for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
             return gs_error_rangecheck;
     }
 -    rlen = len+1;
 -    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
 -    if (buffer == NULL)
 -        return gs_error_VMerror;
 -
 -    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 -        return gs_error_invalidfileaccess;
 -    buffer[rlen] = 0;
 +    /* "%pipe%" do not follow the normal rules for path definitions, so we
 +       don't "reduce" them to avoid unexpected results
 +     */
 +    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
 +        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
 +        if (buffer == NULL)
 +            return gs_error_VMerror;
 +        memcpy(buffer, path, len);
 +        buffer[len] = 0;
 +        rlen = len;
 +    }
 +    else {
 +        rlen = len+1;
 +
 +        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
 +        if (buffer == NULL)
 +            return gs_error_VMerror;
 +
 +        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
 +            return gs_error_invalidfileaccess;
 +        buffer[rlen] = 0;
 +    }
     n = control->num;
     for (i = 0; i < n; i++) {
--- a/CVE-2023-38559.patch
+++ b/CVE-2023-38559.patch
@ -1,11 +0,0 @@
 --- base/gdevdevn.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ base/gdevdevn.c	2023-07-26 11:31:03.873226054 +0200
@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
         byte data = *from;
         from += step;
 -        if (data != *from || from == end) {
 +        if (from >= end || data != *from) {
             if (data >= 0xc0)
                 gp_fputc(0xc1, file);
         } else {
--- a/CVE-2023-43115.patch
+++ b/CVE-2023-43115.patch
@ -1,20 +0,0 @@
 --- devices/gdevijs.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ devices/gdevijs.c	2023-09-20 08:18:09.178777690 +0200
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
     static const char rgb[] = "DeviceRGB";
     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
 +    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
 +        return_error(gs_error_invalidaccess);
     if (!ijsdev->ColorSpace) {
         ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
                                        "gsijs_initialize");
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_para
     if (code >= 0)
         code = gsijs_read_string(plist, "IjsServer",
             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
 -            dev->LockSafetyParams, is_open);
 +            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
     if (code >= 0)
         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
--- a/CVE-2023-46751.patch
+++ b/CVE-2023-46751.patch
@ -1,20 +0,0 @@
 --- base/gdevprn.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ base/gdevprn.c	2024-01-03 12:53:20.009504451 +0100
@@ -1268,6 +1268,7 @@ gdev_prn_open_printer_seekable(gx_device
               && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
                 code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
 +                ppdev->file = NULL;
                 if (code < 0)
                     return code;
             }
 --- devices/gdevtsep.c.orig	2022-04-04 15:48:49.000000000 +0200
 +++ devices/gdevtsep.c	2024-01-03 13:04:42.048210048 +0100
@@ -736,6 +736,7 @@ tiffsep_initialize_device_procs(gx_devic
 {
     gdev_prn_initialize_device_procs(dev);
 +    set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
     set_dev_proc(dev, open_device, tiffsep_prn_open);
     set_dev_proc(dev, close_device, tiffsep_prn_close);
     set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
--- a/ghostscript-10.02.1.tar.xz
+++ b/ghostscript-10.02.1.tar.xz
--- a/ghostscript-9.56.1.tar.xz
+++ b/ghostscript-9.56.1.tar.xz
--- a/ghostscript.changes
+++ b/ghostscript.changes
@ -1,3 +1,38 @@
 -------------------------------------------------------------------
 Sun Jan 28 10:39:57 UTC 2024 - Dirk Müller <dmueller@suse.com>
 - update to 10.02.1:
  * Patch release to address some security bugs
  * This release (10.02.0) marks the final demise of the
    PostScript based PDF interpreter.
  * This 10.01.1 release removes the "-dNEWPDF=false" command
    line option to fall back to the deprecated, old PDF
    interpreter.
  * This 10.01.0 release removes the "-dNEWPDF=false" command
    line option to fall back to the deprecated, old PDF
    interpreter.
  * This release officially deprecates the old Postscript
    implementation of PDF, we will not be updating or maintaining
    that code moving forward. The option to use the old PDF
    implementation _**will**_ be removed in the next full release
    (10.01.0)
  * Important: This release includes the new PDF interpreter
    (implemented in C rather than PostScript). It is both
    integrated into Ghostscript (now ENABLED by default), and
    available as a standalone, PDF only, binary. See
    https://ghostscript.com/pdfi.html for more details.
  * This also bundles the latest zlib (1.2.12) which addresses a
    security issue (CVE-2018-25032)
  * **Important**: This release includes the new PDF interpreter
    (implemented in C rather than PostScript). It is both
    integrated into Ghostscript (now **ENABLED** by default), and
    available as a standalone, PDF only, binary. See
    https://ghostscript.com/pdfi.html for more details.
 - drop CVE-2023-28879.patch, CVE-2023-36664.patch,
       CVE-2023-38559.patch, CVE-2023-43115.patch,
       CVE-2023-46751.patch: upstream
 - drop remove-zlib-h-dependency.patch: unused
 -------------------------------------------------------------------
 Wed Jan  3 12:15:46 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package ghostscript
 #
 # Copyright (c) 2024 SUSE LLC
 #
@ -22,75 +22,23 @@
 %else
 %global psuffix %{nil}
 %endif
 # built_version is used below in the install and files sections:
 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
 %define built_version %{version}
 Name:           ghostscript%{psuffix}
-Version:        9.56.1
+Version:        10.02.1
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
-# sha512:fe5a5103c081dd87cf8b3e0bbbd0df004c0e4e04e41bded7c70372916e6e26249a0e8fa434b561292964c5f3820ee6c60ef1557827a6efb5676012ccb73ded85
+Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-%{version}.tar.xz
 Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9561/ghostscript-%{version}.tar.xz
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
 # Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
 Patch100:       remove-zlib-h-dependency.patch
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 Patch101:       ijs_exec_server_dont_use_sh.patch
 # Patch102 CVE-2023-28879.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
 # that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 Patch102:       CVE-2023-28879.patch
 # Patch103 CVE-2023-36664.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
 # and
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
 # that fixes CVE-2023-36664
 # see https://bugs.ghostscript.com/show_bug.cgi?id=706761
 # "OS command injection in %pipe% access"
 # and https://bugs.ghostscript.com/show_bug.cgi?id=706778
 # "%pipe% allowed_path bypass"
 # and https://bugzilla.suse.com/show_bug.cgi?id=1212711
 # "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
 Patch103:       CVE-2023-36664.patch
 # Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
 # that fixes CVE-2023-38559
 # "out of bounds read devn_pcx_write_rle() could result in DoS"
 # see https://bugzilla.suse.com/show_bug.cgi?id=1213637
 # and https://bugs.ghostscript.com/show_bug.cgi?id=706897
 # which is in base/gdevdevn.c the same issue
 # "ordering in if expression to avoid out-of-bounds access"
 # as the already fixed CVE-2020-16305 in devices/gdevpcx.c
 # see https://bugs.ghostscript.com/show_bug.cgi?id=701819
 Patch104:       CVE-2023-38559.patch
 # Patch105 CVE-2023-43115.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
 # that fixes CVE-2023-43115
 # "remote code execution via crafted PostScript documents in gdevijs.c"
 # see https://bugs.ghostscript.com/show_bug.cgi?id=707051
 # and https://bugzilla.suse.com/show_bug.cgi?id=1215466
 Patch105:       CVE-2023-43115.patch
 # Patch106 CVE-2023-46751.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
 # adapted for Ghostscript-9.56.1 that fixes
 # https://bugs.ghostscript.com/show_bug.cgi?id=707264
 # which includes a fix for CVE-2023-46751
 # "dangling pointer in gdev_prn_open_printer_seekable()"
 # see https://bugzilla.suse.com/show_bug.cgi?id=1217871
 Patch106:       CVE-2023-46751.patch
 # Build Requirements:
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@ -103,42 +51,6 @@ BuildRequires:  update-alternatives
 BuildRequires:  zlib-devel
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
 #   ghostscript
 #   gs
 #   gs_lib
 #   pstoraster
 #   ghostscript_any
 #   ghostscript-serv
 #   gs_x11
 #   ghostscript_x11
 #   ghostscript-mini
 # Which of those are actually used in openSUSE:Factory (dated 22 Feb. 2012):
 #   ghostscript
 #   gs
 #   gs_lib
 #   ghostscript_any
 #   ghostscript_x11
 #   ghostscript-mini
 # Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012):
 #   webdot           Requires      ghostscript
 #   ddd              BuildRequires ghostscript_any
 #   emacs-auctex     BuildRequires ghostscript_any
 #   kernel-docs      BuildRequires ghostscript_any
 #   texlive-bin      BuildRequires ghostscript_any
 #   cups             Requires      ghostscript_any
 #   html2ps          Requires      ghostscript_any
 #   latex2html       Requires      ghostscript_any
 #   pstoedit         Requires      ghostscript_any
 #   ghostview        Requires      ghostscript_x11
 #   gv               Requires      ghostscript_x11
 #   texlive-bin      Requires      ghostscript_x11
 #   klatexformula    BuildRequires gs and Requires gs
 #   capi4hylafax     Requires      gs_lib
 #   hylafax          Requires      gs_lib
 #   graphviz-plugins BuildRequires ghostscript-mini
 # Provide the additional RPM Provides of the ghostscript-library package
 # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@ -183,13 +95,11 @@ Conflicts:      ghostscript-x11
 %else
 Recommends:     ghostscript-x11 = %{version}-%{release}
 Conflicts:      ghostscript-x11 < %{version}-%{release}
 Provides:       gs = %{version}
 Provides:       gs_lib = %{version}
 # There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4.
 # Satisfy it to be backward compatible with installed gutenprint packages:
 Provides:       pstoraster
 Provides:       %{version}
 Provides:       ghostscript-library = %{version}
 Provides:       gs = %{version}
 Provides:       gs_lib = %{version}
 Provides:       pstoraster
 Obsoletes:      ghostscript-library < %{version}
 # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
 # this package ghostscript should replace any version of ghostscript-mini.
@ -202,74 +112,40 @@ Recommends:     (cups-filters-ghostscript if cups)
 %description
 Ghostscript is a package of software that provides:
-An interpreter for the PostScript language,
+An interpreter for the PostScript language, with the ability to convert
-with the ability to convert PostScript language files
+PostScript language files to many raster formats, view them on displays, and
-to many raster formats, view them on displays,
+print them on printers that don't have PostScript language capability built in.
 and print them on printers that don't have
 PostScript language capability built in.
-An interpreter for Portable Document Format (PDF) files,
+An interpreter for Portable Document Format (PDF) files, with the same
-with the same abilities.
+abilities.
-The ability to convert PostScript language files
+The ability to convert PostScript language files to PDF (with some limitations)
-to PDF (with some limitations) and vice versa.
+and vice versa.
-A set of C procedures (the Ghostscript library)
+A set of C procedures (the Ghostscript library) that implement the graphics and
-that implement the graphics and filtering
+filtering (data compression / decompression / conversion) capabilities that
-(data compression / decompression / conversion)
+appear as primitive operations in the PostScript language and in PDF.
 capabilities that appear as primitive operations
 in the PostScript language and in PDF.
 For information how to use Ghostscript see
 %{_datadir}/ghostscript/%{version}/doc/Use.htm
 %package x11
 Summary:        X11 library for Ghostscript
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
 # so that there could be any kind of Ghostscript-internal dependencies.
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
 Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
 # ghostscript-library and ghostscript-mini provide any version of "ghostscript"
 # so that any version of ghostscript-library and ghostscript-mini fulfills
 # the above versioned requirement which is wrong and therefore an explicit conflicts
 # is used here to avoid the mess.
 # Above the ghostscript main package "Provides: ghostscript-library = version" so that
 # versioned conflicts are needed to avoid a conflict with the ghostscript main package.
 # The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
 # and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
 # does not show a comparison operator for "not equal" so that two conflicts are used:
 Conflicts:      ghostscript-library < %{version}
 Conflicts:      ghostscript-library > %{version}
 Conflicts:      ghostscript-mini
 Provides:       ghostscript_x11 = %{version}
 %description x11
-This package contains the X11 library which is needed
+This package contains the X11 library which is needed to view PostScript and
-to view PostScript and PDF files with Ghostscript
+PDF files with Ghostscript under the X Window System.
 under the X Window System.
 %package devel
 Summary:        Development files for Ghostscript
 Group:          Development/Libraries/C and C++
 Requires:       ghostscript = %{version}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
 # ghostscript-library and ghostscript-mini provide any version of "ghostscript"
 # so that any version of ghostscript-library and ghostscript-mini fulfills
 # the above versioned requirement which is wrong and therefore an explicit conflicts
 # is used here to avoid the mess.
 # Above the ghostscript main package "Provides: ghostscript-library = version" so that
 # versioned conflicts are needed to avoid a conflict with the ghostscript main package.
 # The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
 # and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
 # does not show a comparison operator for "not equal" so that two conflicts are used:
 Conflicts:      ghostscript-library < %{version}
 Conflicts:      ghostscript-library > %{version}
 Conflicts:      ghostscript-mini
@ -281,102 +157,16 @@ This package contains the development files for Ghostscript.
 %prep
 %setup -q -n ghostscript-%{version}
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 %patch101 -p1
 # Patch102 CVE-2023-28879.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
 # that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 %patch102
 # Patch103 CVE-2023-36664.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
 # and
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
 # that fixes CVE-2023-36664
 # see https://bugs.ghostscript.com/show_bug.cgi?id=706761
 # "OS command injection in %pipe% access"
 # and https://bugs.ghostscript.com/show_bug.cgi?id=706778
 # "%pipe% allowed_path bypass"
 # and https://bugzilla.suse.com/show_bug.cgi?id=1212711
 # "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
 %patch103
 # Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
 # that fixes CVE-2023-38559
 # "out of bounds read devn_pcx_write_rle() could result in DoS"
 # see https://bugzilla.suse.com/show_bug.cgi?id=1213637
 # and https://bugs.ghostscript.com/show_bug.cgi?id=706897
 # which is in base/gdevdevn.c the same issue
 # "ordering in if expression to avoid out-of-bounds access"
 # as the already fixed CVE-2020-16305 in devices/gdevpcx.c
 # see https://bugs.ghostscript.com/show_bug.cgi?id=701819
 %patch104
 # Patch105 CVE-2023-43115.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
 # that fixes CVE-2023-43115
 # "remote code execution via crafted PostScript documents in gdevijs.c"
 # see https://bugs.ghostscript.com/show_bug.cgi?id=707051
 # and https://bugzilla.suse.com/show_bug.cgi?id=1215466
 %patch105
 # Patch106 CVE-2023-46751.patch is
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
 # adapted for Ghostscript-9.56.1 that fixes
 # https://bugs.ghostscript.com/show_bug.cgi?id=707264
 # which includes a fix for CVE-2023-46751
 # "dangling pointer in gdev_prn_open_printer_seekable()"
 # see https://bugzilla.suse.com/show_bug.cgi?id=1217871
 %patch106
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
-# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball
+rm -rf freetype jpeg libpng lcms2art zlib tiff
 # because we prefer to use for long-established standard libraries the ones from SUSE
 # in particular to automatically get SUSE security updates for standard libraries.
 # In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one
 # is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE:
 #rm -rf freetype jpeg libpng tiff zlib
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 %if 0%{?suse_version} == 1315
 # Again use the freetype sources from Ghostscript upstream because
 # Ghostscript 9.27 does no longer build this way for SLE12:
 rm -rf jpeg libpng tiff
 %else
 rm -rf freetype jpeg libpng tiff
 %endif
 %if 0%{?suse_version} >= 1550
 rm -rf openjpeg
 %endif
 rm -rf zlib
 # In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
 # because that is what Ghostscript upstream recommends according to
 # https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
 # because singe Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript
 # but now it is lcms2art (the beginning of a lcms2 fork - see News.htm).
 # On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5
 # which is too old so that configure fails there with
 #   checking for local lcms2 library source... no
 #   checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no
 #   configure: error: lcms2 not found, or too old
 # (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old)
 # but there is no configure option to build it without lcms2
 # so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript
 # i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1
 # cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
 %if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100
 echo "Building it with lcms2art in Ghostscript"
 %else
 rm -rf lcms2art
 %endif
 %build
 # Derive build timestamp from latest changelog entry
@ -412,23 +202,13 @@ autoreconf -fi
 %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
 # See http://bugs.ghostscript.com/show_bug.cgi?id=693100
 export SUSE_ASNEEDED=0
 # The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here)
 #   ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking
 #     --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
 #     --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
 #     --mandir=/usr/share/man --infodir=/usr/share/info
 #     --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
 #     --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits
 #     --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x
 #     --disable-gtk --without-ufst --without-libpaper --without-tesseract
 #   configure: WARNING: unrecognized options: --disable-dependency-tracking
 # so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro.
 %configure \
    --with-fontpath=%{gs_font_path} \
    --with-libiconv=maybe \
    --enable-freetype \
    --with-jbig2dec \
    --enable-openjpeg \
    --disable-hidden-visibility \
    --enable-dynamic \
    --disable-compile-inits \
 %if "%{flavor}" == "mini"
@ -478,7 +258,7 @@ rm %{buildroot}%{_bindir}/ijs_client_example
 rm %{buildroot}%{_bindir}/ijs_server_example
 rm %{buildroot}%{_libdir}/libijs.la
 # Install examples:
-EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples
+EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
 test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
 for E in examples/*
 do install -m 644 $E $EXAMPLESDIR || :
@ -490,7 +270,7 @@ done
 # Install documentation which is not installed by default
 # see http://bugs.ghostscript.com/show_bug.cgi?id=693002
 # and fail intentionally as notification if something changed:
-DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version}
+DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{version}
 for D in LICENSE
 do test -e $DOCDIR/$( basename $D ) && exit 99
   install -m 644 $D $DOCDIR
@ -502,7 +282,7 @@ done
 # because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above):
 install -d -m 755 %{buildroot}%{_defaultdocdir}
 pushd %{buildroot}%{_defaultdocdir}
-ln -s ../ghostscript/%{built_version} ghostscript
+ln -s ../ghostscript/%{version} ghostscript
 popd
 # Extract the catalog of devices which are actually built-in in exactly this Ghostscript:
 # If a needed source file is no longer accessible fail intentionally as notification
@ -551,6 +331,7 @@ if test $1 -eq 0 ; then
 fi
 %files
 %license LICENSE
 %ghost %config %{_sysconfdir}/alternatives/gs
 %{_bindir}/dvipdf
 %{_bindir}/eps2eps
@ -601,39 +382,27 @@ fi
 %{_mandir}/man1/ps2pdf14.1%{?ext_man}
 %{_mandir}/man1/ps2pdfwr.1%{?ext_man}
 %{_mandir}/man1/ps2ps.1%{?ext_man}
 %{_mandir}/de/man1/dvipdf.1%{?ext_man}
 %{_mandir}/de/man1/eps2eps.1%{?ext_man}
 %{_mandir}/de/man1/gsnd.1%{?ext_man}
 %{_mandir}/de/man1/pdf2dsc.1%{?ext_man}
 %{_mandir}/de/man1/pdf2ps.1%{?ext_man}
 %{_mandir}/de/man1/printafm.1%{?ext_man}
 %{_mandir}/de/man1/ps2ascii.1%{?ext_man}
 %{_mandir}/de/man1/ps2pdf.1%{?ext_man}
 %{_mandir}/de/man1/ps2pdf12.1%{?ext_man}
 %{_mandir}/de/man1/ps2pdf13.1%{?ext_man}
 %{_mandir}/de/man1/ps2pdf14.1%{?ext_man}
 %{_mandir}/de/man1/ps2ps.1%{?ext_man}
 %doc %{_defaultdocdir}/ghostscript
 %dir %{_datadir}/doc/ghostscript
-%doc %{_datadir}/doc/ghostscript/%{built_version}
+%doc %{_datadir}/doc/ghostscript/%{version}
 %dir %{_datadir}/ghostscript
-%dir %{_datadir}/ghostscript/%{built_version}
+%dir %{_datadir}/ghostscript/%{version}
-%{_datadir}/ghostscript/%{built_version}/Resource
+%{_datadir}/ghostscript/%{version}/Resource
-%{_datadir}/ghostscript/%{built_version}/iccprofiles
+%{_datadir}/ghostscript/%{version}/iccprofiles
-%{_datadir}/ghostscript/%{built_version}/examples/
+%{_datadir}/ghostscript/%{version}/examples/
-%{_datadir}/ghostscript/%{built_version}/lib/
+%{_datadir}/ghostscript/%{version}/lib/
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %if "%{flavor}" != "mini"
-%exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%exclude %{_libdir}/ghostscript/%{version}/X11.so
 %if 0%{?suse_version} < 1500
 %dir %{_sysconfdir}/apparmor.d
 %endif
 %{_sysconfdir}/apparmor.d/ghostscript
 %files x11
-%{_libdir}/ghostscript/%{built_version}/X11.so
+%{_libdir}/ghostscript/%{version}/X11.so
 %endif
 %files devel
--- a/remove-zlib-h-dependency.patch
+++ b/remove-zlib-h-dependency.patch
@ -1,13 +0,0 @@
 Index: ghostscript-9.18/base/lib.mak
 ===================================================================
 --- ghostscript-9.18.orig/base/lib.mak
 +++ ghostscript-9.18/base/lib.mak
@@ -582,7 +582,7 @@ srlx_h=$(GLSRC)srlx.h
 sstring_h=$(GLSRC)sstring.h
 strimpl_h=$(GLSRC)strimpl.h $(scommon_h) $(gstypes_h) $(gsstruct_h)
 szlibx_h=$(GLSRC)szlibx.h
 -zlib_h=$(ZSRCDIR)$(D)zlib.h
 +zlib_h= #$(ZSRCDIR)$(D)zlib.h
 # We have two of the following, for shared zlib (_1)
 # and 'local' zlib (_0)
 szlibxx_h_1=$(GLSRC)szlibxx.h $(szlibx_h)