In ghostscript.changes add fixed CVE and bsc numbers

Ghostscript version upgrade to 10.06.0 fixes security issues where MITRE has not yet CVEs assigned (forwarded request 1305215 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1305216
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=74

ghostscript-10.06.0-Fix_32-bit_build.patch

@@ -0,0 +1,63 @@
+From 3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Wed, 10 Sep 2025 08:55:30 +0100
+Subject: Fix 32-bit build
+
+Bug #708824 "ghostscript 10.06.0 compilation failure on 32-bit archs"
+
+nbytes shiouldn't be an intptr_t, it doesn't get used for pointer
+arithmetic. Previously it was a uint, should be a int64_t, to fit with
+all the other devices.
+
+Checked other warnings, and found a (very minor) one in gdevdbit.c, fix
+that while we're here (signed/unsigned mismatch, we don't really care).
+---
+ base/gdevdbit.c | 2 +-
+ base/gdevmpla.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gdevdbit.c b/base/gdevdbit.c
+index e07cc3f3b..1b5c69325 100644
+--- a/base/gdevdbit.c
++++ b/base/gdevdbit.c
+@@ -191,7 +191,7 @@ gx_default_copy_alpha_hl_color(gx_device * dev, const byte * data, int data_x,
+     fit_copy(dev, data, data_x, raster, id, x, y, width, height);
+     row_alpha = data;
+     out_raster = bitmap_raster(width * (size_t)byte_depth);
+-    if (check_64bit_multiply(out_raster, ncomps, &product) != 0)
++    if (check_64bit_multiply(out_raster, ncomps, (int64_t *) &product) != 0)
+         return gs_note_error(gs_error_undefinedresult);
+     gb_buff = gs_alloc_bytes(mem, product, "copy_alpha_hl_color(gb_buff)");
+     if (gb_buff == 0) {
+diff --git a/base/gdevmpla.c b/base/gdevmpla.c
+index 2f0d52256..ffc5ff42e 100644
+--- a/base/gdevmpla.c
++++ b/base/gdevmpla.c
+@@ -1954,12 +1954,12 @@ mem_planar_strip_copy_rop2(gx_device * dev,
+         int i;
+         int j;
+         intptr_t chunky_sraster;
+-        intptr_t nbytes;
++        int64_t nbytes;
+         byte **line_ptrs;
+         byte *sbuf, *buf;
+ 
+         chunky_sraster = sraster * (intptr_t)mdev->num_planar_planes;
+-        if (check_64bit_multiply(height, chunky_sraster, (size_t *)&nbytes) != 0)
++        if (check_64bit_multiply(height, chunky_sraster, &nbytes) != 0)
+             return gs_note_error(gs_error_undefinedresult);
+         buf = gs_alloc_bytes(mdev->memory, nbytes, "mem_planar_strip_copy_rop(buf)");
+         if (buf == NULL) {
+@@ -2003,7 +2003,7 @@ mem_planar_strip_copy_rop2(gx_device * dev,
+         intptr_t i;
+         intptr_t chunky_t_raster;
+         int chunky_t_height;
+-        intptr_t nbytes;
++        int64_t nbytes;
+         byte **line_ptrs;
+         byte *tbuf, *buf;
+         gx_strip_bitmap newtex;
+-- 
+cgit v1.2.3
+
+

ghostscript.changes

@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Tue Sep 16 13:45:31 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 10.06.0
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
+  * This release addresses CVEs:
+    CVE-2025-59798 (bsc#1250353)
+    CVE-2025-59799 (bsc#1250354)
+    CVE-2025-59800 (bsc#1250355)
+    CVE-2025-59801 (belongs to GhostXPS not part of Ghostscript)
+  * The 10.06.0 removes the non-standard operator "selectdevice"
+    (cf. the entry below dated Tue Apr  1 09:56:06 UTC 2025)
+- ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+  https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+  to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+  "ghostscript 10.06.0 compilation failure on 32-bit archs"
+
+-------------------------------------------------------------------
+Tue Sep 16 08:15:18 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Switch over to libalternatives for ghostscript to provide a gs
+  variant (bsc#1245896)
+
+-------------------------------------------------------------------
+Mon Aug  4 07:14:46 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 10.05.1
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
+  * This release addresses CVEs:
+    + CVE-2025-46646
+    + CVE-2025-48708 (bsc#1243701)
+  * The 10.05.1 patch release addresses:
+    + An overflow issue in Freetype on platforms
+      where long is a 4 byte (rather than 8 byte) type
+      (Microsoft Windows, for example) causing corrupted
+      glyph rendering at higher resolutions
+    + An issue with embedded files, affecting Zugferd
+      format PDF creation.
+    + Broken logic in PDF Optional Content processing
+    + Potential slow down due to searching for identifiable
+      font files
+    + A small number of extreme edge case segmentation faults.
+
+-------------------------------------------------------------------
+Thu Apr 10 19:39:55 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
+  still allow build on Leap 15.6
+
 -------------------------------------------------------------------
 Tue Apr  1 09:56:06 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
 

ghostscript.spec

@@ -2,6 +2,7 @@
 # spec file for package ghostscript
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,28 +24,38 @@
 %global psuffix %{nil}
 %bcond_without  apparmor
 %endif
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
 Name:           ghostscript%{psuffix}
-Version:        10.05.0
+Version:        10.06.0
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
 # Use "osc service manualrun" to fetch Source0:
-Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-%{version}.tar.gz
+Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10060/ghostscript-%{version}.tar.gz
 # How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
 # (example for the Ghostscript 10.05.1 release):
 # Go to https://www.ghostscript.com
 # -> [Download] or "Releases" https://ghostscript.com/releases/index.html
 # -> "Ghostscript" https://ghostscript.com/releases/gsdnld.htm
-# -> "Ghostscript 10.05.0 Source for all platforms / Ghostscript AGPL Release"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-10.05.0.tar.gz
+# -> "Ghostscript 10.05.1 Source for all platforms / Ghostscript AGPL Release"
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/ghostscript-10.05.1.tar.gz
 # and "MD5 Checksums"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/MD5SUMS
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/MD5SUMS
 # and on https://ghostscript.com/releases/index.html
-# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
+# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+# "ghostscript 10.06.0 compilation failure on 32-bit archs":
+Patch1:         ghostscript-10.06.0-Fix_32-bit_build.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -62,10 +73,15 @@ BuildRequires:  libpng-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
 BuildRequires:  update-alternatives
-BuildRequires:  zlib-devel
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
+%endif
+BuildRequires:  zlib-devel
 # Provide the additional RPM Provides of the ghostscript-library package
 # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@@ -165,7 +181,11 @@ This package contains the development files for Ghostscript.
 
 %prep
 %setup -q -n ghostscript-%{version}
-
+# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+# "ghostscript 10.06.0 compilation failure on 32-bit archs":
+%patch -P 1 -p1
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 %patch -P 101 -p1
@@ -183,7 +203,7 @@ rm -rf openjpeg
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s})
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
+export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -std=gnu11"
 export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
 export LDFLAGS="-pie"
 autoreconf -fi
@@ -271,6 +291,25 @@ popd
 rm %{buildroot}%{_bindir}/ijs_client_example
 rm %{buildroot}%{_bindir}/ijs_server_example
 rm %{buildroot}%{_libdir}/libijs.la
+# Remove pdf2dsc which was removed in Ghostscript 10.05.0
+# because in Ghostscript 10.x pdf2dsc can no longer work as intended
+# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=2c315570de78df902f8f15312728d9e1b00cac44
+# but in Ghostscript 10.05.1 pdf2dsc was put back
+# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=528d324a7968ad89401ebb60dfdb22f9fdfeeb6b
+# and https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=0e23e5009c7e2a65a2f707146f2dffe8a362ab86
+# regardless that pdf2dsc can still no longer work as intended
+# according to the git commit 528d324a7968ad89401ebb60dfdb22f9fdfeeb6b message
+# which reads (excerpts)
+# > After feedback from users (AUCTeX and gv) put back the pdf2dsc utility
+# > but note in the comments that this is now unsupported code (in truth
+# > I think it always was, but this makes it explicit).
+# > Because the PostScript program uses undocumented parts of the old
+# > 'written in PostScript' PDF interpreter portions of it probably don't
+# > work and it may fail altogether at some point.
+# Because openSUSE cannot support software which is not supported by upstream
+# the unsupported pdf2dsc is kept removed from Ghostscript:
+rm %{buildroot}%{_datadir}/ghostscript/%{version}/lib/pdf2dsc.ps
+rm %{buildroot}%{_bindir}/pdf2dsc
 # Install examples:
 EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
 test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
@@ -323,10 +362,20 @@ install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
 %endif
 
 # Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
-install -d %{buildroot}%{_sysconfdir}/alternatives
 mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
+%if %{with libalternatives}
+mkdir -p %{buildroot}%{_datadir}/libalternatives/gs
+ln -sf %{_bindir}/alts %{buildroot}%{_bindir}/gs
+cat > %{buildroot}%{_datadir}/libalternatives/gs/10.conf <<-EOF
+	binary=%{_bindir}/gs.bin
+	man=gs.1
+	group=gs
+	EOF
+%else
+install -d %{buildroot}%{_sysconfdir}/alternatives
 ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
 ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
+%endif
 
 %post
 /sbin/ldconfig
@@ -335,20 +384,30 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
+%if ! %{with libalternatives}
 %{_sbindir}/update-alternatives \
   --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
+%endif
 
 %postun -p /sbin/ldconfig
 
+%if ! %{with libalternatives}
 %preun
 if test $1 -eq 0 ; then
     %{_sbindir}/update-alternatives \
     --remove gs %{_bindir}/gs.bin
 fi
+%endif
 
 %files
 %license LICENSE
+%if %{with libalternatives}
+%dir %{_datadir}/libalternatives/
+%dir %{_datadir}/libalternatives/gs/
+%{_datadir}/libalternatives/gs/10.conf
+%else
 %ghost %config %{_sysconfdir}/alternatives/gs
+%endif
 %{_bindir}/dvipdf
 %{_bindir}/eps2eps
 %{_bindir}/gs