Accepting request 1266109 from Printing

Ghostscript version upgrade to 10.05.0 fixes CVE-2025-27830 (bsc#1240074) CVE-2025-27831 (bsc#1240075) CVE-2025-27832 (bsc#1240077) CVE-2025-27833 (bsc#1240078) CVE-2025-27834 (bsc#1240079) CVE-2025-27835 (bsc#1240080) CVE-2025-27836 (bsc#1240081) (forwarded request 1266108 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1266109
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=71

ghostscript-10.06.0-Fix_32-bit_build.patch

@@ -1,63 +0,0 @@
-From 3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f Mon Sep 17 00:00:00 2001
-From: Ken Sharp <Ken.Sharp@artifex.com>
-Date: Wed, 10 Sep 2025 08:55:30 +0100
-Subject: Fix 32-bit build
-
-Bug #708824 "ghostscript 10.06.0 compilation failure on 32-bit archs"
-
-nbytes shiouldn't be an intptr_t, it doesn't get used for pointer
-arithmetic. Previously it was a uint, should be a int64_t, to fit with
-all the other devices.
-
-Checked other warnings, and found a (very minor) one in gdevdbit.c, fix
-that while we're here (signed/unsigned mismatch, we don't really care).
----
- base/gdevdbit.c | 2 +-
- base/gdevmpla.c | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/base/gdevdbit.c b/base/gdevdbit.c
-index e07cc3f3b..1b5c69325 100644
---- a/base/gdevdbit.c
-+++ b/base/gdevdbit.c
-@@ -191,7 +191,7 @@ gx_default_copy_alpha_hl_color(gx_device * dev, const byte * data, int data_x,
-     fit_copy(dev, data, data_x, raster, id, x, y, width, height);
-     row_alpha = data;
-     out_raster = bitmap_raster(width * (size_t)byte_depth);
--    if (check_64bit_multiply(out_raster, ncomps, &product) != 0)
-+    if (check_64bit_multiply(out_raster, ncomps, (int64_t *) &product) != 0)
-         return gs_note_error(gs_error_undefinedresult);
-     gb_buff = gs_alloc_bytes(mem, product, "copy_alpha_hl_color(gb_buff)");
-     if (gb_buff == 0) {
-diff --git a/base/gdevmpla.c b/base/gdevmpla.c
-index 2f0d52256..ffc5ff42e 100644
---- a/base/gdevmpla.c
-+++ b/base/gdevmpla.c
-@@ -1954,12 +1954,12 @@ mem_planar_strip_copy_rop2(gx_device * dev,
-         int i;
-         int j;
-         intptr_t chunky_sraster;
--        intptr_t nbytes;
-+        int64_t nbytes;
-         byte **line_ptrs;
-         byte *sbuf, *buf;
- 
-         chunky_sraster = sraster * (intptr_t)mdev->num_planar_planes;
--        if (check_64bit_multiply(height, chunky_sraster, (size_t *)&nbytes) != 0)
-+        if (check_64bit_multiply(height, chunky_sraster, &nbytes) != 0)
-             return gs_note_error(gs_error_undefinedresult);
-         buf = gs_alloc_bytes(mdev->memory, nbytes, "mem_planar_strip_copy_rop(buf)");
-         if (buf == NULL) {
-@@ -2003,7 +2003,7 @@ mem_planar_strip_copy_rop2(gx_device * dev,
-         intptr_t i;
-         intptr_t chunky_t_raster;
-         int chunky_t_height;
--        intptr_t nbytes;
-+        int64_t nbytes;
-         byte **line_ptrs;
-         byte *tbuf, *buf;
-         gx_strip_bitmap newtex;
--- 
-cgit v1.2.3
-
-

ghostscript.changes

@@ -1,54 +1,3 @@
--------------------------------------------------------------------
-Tue Sep 16 13:45:31 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
-
-- Version upgrade to 10.06.0
-  See 'Recent Changes in Ghostscript' at Ghostscript upstream
-  https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
-  * This release addresses CVEs:
-    CVE-2025-59798 (bsc#1250353)
-    CVE-2025-59799 (bsc#1250354)
-    CVE-2025-59800 (bsc#1250355)
-    CVE-2025-59801 (belongs to GhostXPS not part of Ghostscript)
-  * The 10.06.0 removes the non-standard operator "selectdevice"
-    (cf. the entry below dated Tue Apr  1 09:56:06 UTC 2025)
-- ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
-  https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
-  to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
-  "ghostscript 10.06.0 compilation failure on 32-bit archs"
-
--------------------------------------------------------------------
-Tue Sep 16 08:15:18 UTC 2025 - Dr. Werner Fink <werner@suse.de>
-
-- Switch over to libalternatives for ghostscript to provide a gs
-  variant (bsc#1245896)
-
--------------------------------------------------------------------
-Mon Aug  4 07:14:46 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
-
-- Version upgrade to 10.05.1
-  See 'Recent Changes in Ghostscript' at Ghostscript upstream
-  https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
-  * This release addresses CVEs:
-    + CVE-2025-46646
-    + CVE-2025-48708 (bsc#1243701)
-  * The 10.05.1 patch release addresses:
-    + An overflow issue in Freetype on platforms
-      where long is a 4 byte (rather than 8 byte) type
-      (Microsoft Windows, for example) causing corrupted
-      glyph rendering at higher resolutions
-    + An issue with embedded files, affecting Zugferd
-      format PDF creation.
-    + Broken logic in PDF Optional Content processing
-    + Potential slow down due to searching for identifiable
-      font files
-    + A small number of extreme edge case segmentation faults.
-
--------------------------------------------------------------------
-Thu Apr 10 19:39:55 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
-
-- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
-  still allow build on Leap 15.6
-
 -------------------------------------------------------------------
 Tue Apr  1 09:56:06 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
 

ghostscript.spec

@@ -2,7 +2,6 @@
 # spec file for package ghostscript
 #
 # Copyright (c) 2025 SUSE LLC
-# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,38 +23,28 @@
 %global psuffix %{nil}
 %bcond_without  apparmor
 %endif
-%if 0%{?suse_version} > 1500
-%bcond_without libalternatives
-%else
-%bcond_with libalternatives
-%endif
 Name:           ghostscript%{psuffix}
-Version:        10.06.0
+Version:        10.05.0
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
 # Use "osc service manualrun" to fetch Source0:
-Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10060/ghostscript-%{version}.tar.gz
+Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-%{version}.tar.gz
 # How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
 # (example for the Ghostscript 10.05.1 release):
 # Go to https://www.ghostscript.com
 # -> [Download] or "Releases" https://ghostscript.com/releases/index.html
 # -> "Ghostscript" https://ghostscript.com/releases/gsdnld.htm
-# -> "Ghostscript 10.05.1 Source for all platforms / Ghostscript AGPL Release"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/ghostscript-10.05.1.tar.gz
+# -> "Ghostscript 10.05.0 Source for all platforms / Ghostscript AGPL Release"
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-10.05.0.tar.gz
 # and "MD5 Checksums"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/MD5SUMS
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/MD5SUMS
 # and on https://ghostscript.com/releases/index.html
-# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
+# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
-# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
-# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
-# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
-# "ghostscript 10.06.0 compilation failure on 32-bit archs":
-Patch1:         ghostscript-10.06.0-Fix_32-bit_build.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -73,15 +62,10 @@ BuildRequires:  libpng-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
-%if %{with libalternatives}
-BuildRequires:  alts
-Requires:       alts
-%else
 BuildRequires:  update-alternatives
+BuildRequires:  zlib-devel
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
-%endif
-BuildRequires:  zlib-devel
 # Provide the additional RPM Provides of the ghostscript-library package
 # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@@ -181,11 +165,7 @@ This package contains the development files for Ghostscript.
 
 %prep
 %setup -q -n ghostscript-%{version}
-# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
-# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
-# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
-# "ghostscript 10.06.0 compilation failure on 32-bit archs":
-%patch -P 1 -p1
+
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 %patch -P 101 -p1
@@ -203,7 +183,7 @@ rm -rf openjpeg
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s})
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -std=gnu11"
+export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
 export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
 export LDFLAGS="-pie"
 autoreconf -fi
@@ -291,25 +271,6 @@ popd
 rm %{buildroot}%{_bindir}/ijs_client_example
 rm %{buildroot}%{_bindir}/ijs_server_example
 rm %{buildroot}%{_libdir}/libijs.la
-# Remove pdf2dsc which was removed in Ghostscript 10.05.0
-# because in Ghostscript 10.x pdf2dsc can no longer work as intended
-# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=2c315570de78df902f8f15312728d9e1b00cac44
-# but in Ghostscript 10.05.1 pdf2dsc was put back
-# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=528d324a7968ad89401ebb60dfdb22f9fdfeeb6b
-# and https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=0e23e5009c7e2a65a2f707146f2dffe8a362ab86
-# regardless that pdf2dsc can still no longer work as intended
-# according to the git commit 528d324a7968ad89401ebb60dfdb22f9fdfeeb6b message
-# which reads (excerpts)
-# > After feedback from users (AUCTeX and gv) put back the pdf2dsc utility
-# > but note in the comments that this is now unsupported code (in truth
-# > I think it always was, but this makes it explicit).
-# > Because the PostScript program uses undocumented parts of the old
-# > 'written in PostScript' PDF interpreter portions of it probably don't
-# > work and it may fail altogether at some point.
-# Because openSUSE cannot support software which is not supported by upstream
-# the unsupported pdf2dsc is kept removed from Ghostscript:
-rm %{buildroot}%{_datadir}/ghostscript/%{version}/lib/pdf2dsc.ps
-rm %{buildroot}%{_bindir}/pdf2dsc
 # Install examples:
 EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
 test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
@@ -362,20 +323,10 @@ install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
 %endif
 
 # Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
-mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
-%if %{with libalternatives}
-mkdir -p %{buildroot}%{_datadir}/libalternatives/gs
-ln -sf %{_bindir}/alts %{buildroot}%{_bindir}/gs
-cat > %{buildroot}%{_datadir}/libalternatives/gs/10.conf <<-EOF
-	binary=%{_bindir}/gs.bin
-	man=gs.1
-	group=gs
-	EOF
-%else
 install -d %{buildroot}%{_sysconfdir}/alternatives
+mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
 ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
 ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
-%endif
 
 %post
 /sbin/ldconfig
@@ -384,30 +335,20 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
-%if ! %{with libalternatives}
 %{_sbindir}/update-alternatives \
   --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
-%endif
 
 %postun -p /sbin/ldconfig
 
-%if ! %{with libalternatives}
 %preun
 if test $1 -eq 0 ; then
     %{_sbindir}/update-alternatives \
     --remove gs %{_bindir}/gs.bin
 fi
-%endif
 
 %files
 %license LICENSE
-%if %{with libalternatives}
-%dir %{_datadir}/libalternatives/
-%dir %{_datadir}/libalternatives/gs/
-%{_datadir}/libalternatives/gs/10.conf
-%else
 %ghost %config %{_sysconfdir}/alternatives/gs
-%endif
 %{_bindir}/dvipdf
 %{_bindir}/eps2eps
 %{_bindir}/gs