Accepting request 1315981 from Printing

In ghostscript.changes added the CVE numbers
which are fixed by Ghostscript version 10.06.0
where MITRE had not yet CVEs assigned at the time
when Ghostscript version 10.06.0 was released, cf.
https://build.opensuse.org/requests/1305216

OBS-URL: https://build.opensuse.org/request/show/1315981
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=75

ghostscript-10.06.0-Fix_32-bit_build.patch

@@ -0,0 +1,63 @@
+From 3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Wed, 10 Sep 2025 08:55:30 +0100
+Subject: Fix 32-bit build
+
+Bug #708824 "ghostscript 10.06.0 compilation failure on 32-bit archs"
+
+nbytes shiouldn't be an intptr_t, it doesn't get used for pointer
+arithmetic. Previously it was a uint, should be a int64_t, to fit with
+all the other devices.
+
+Checked other warnings, and found a (very minor) one in gdevdbit.c, fix
+that while we're here (signed/unsigned mismatch, we don't really care).
+---
+ base/gdevdbit.c | 2 +-
+ base/gdevmpla.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gdevdbit.c b/base/gdevdbit.c
+index e07cc3f3b..1b5c69325 100644
+--- a/base/gdevdbit.c
++++ b/base/gdevdbit.c
+@@ -191,7 +191,7 @@ gx_default_copy_alpha_hl_color(gx_device * dev, const byte * data, int data_x,
+     fit_copy(dev, data, data_x, raster, id, x, y, width, height);
+     row_alpha = data;
+     out_raster = bitmap_raster(width * (size_t)byte_depth);
+-    if (check_64bit_multiply(out_raster, ncomps, &product) != 0)
++    if (check_64bit_multiply(out_raster, ncomps, (int64_t *) &product) != 0)
+         return gs_note_error(gs_error_undefinedresult);
+     gb_buff = gs_alloc_bytes(mem, product, "copy_alpha_hl_color(gb_buff)");
+     if (gb_buff == 0) {
+diff --git a/base/gdevmpla.c b/base/gdevmpla.c
+index 2f0d52256..ffc5ff42e 100644
+--- a/base/gdevmpla.c
++++ b/base/gdevmpla.c
+@@ -1954,12 +1954,12 @@ mem_planar_strip_copy_rop2(gx_device * dev,
+         int i;
+         int j;
+         intptr_t chunky_sraster;
+-        intptr_t nbytes;
++        int64_t nbytes;
+         byte **line_ptrs;
+         byte *sbuf, *buf;
+ 
+         chunky_sraster = sraster * (intptr_t)mdev->num_planar_planes;
+-        if (check_64bit_multiply(height, chunky_sraster, (size_t *)&nbytes) != 0)
++        if (check_64bit_multiply(height, chunky_sraster, &nbytes) != 0)
+             return gs_note_error(gs_error_undefinedresult);
+         buf = gs_alloc_bytes(mdev->memory, nbytes, "mem_planar_strip_copy_rop(buf)");
+         if (buf == NULL) {
+@@ -2003,7 +2003,7 @@ mem_planar_strip_copy_rop2(gx_device * dev,
+         intptr_t i;
+         intptr_t chunky_t_raster;
+         int chunky_t_height;
+-        intptr_t nbytes;
++        int64_t nbytes;
+         byte **line_ptrs;
+         byte *tbuf, *buf;
+         gx_strip_bitmap newtex;
+-- 
+cgit v1.2.3
+
+

ghostscript.changes

@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Tue Sep 16 13:45:31 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 10.06.0
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
+  * This release addresses CVEs:
+    CVE-2025-59798 (bsc#1250353)
+    CVE-2025-59799 (bsc#1250354)
+    CVE-2025-59800 (bsc#1250355)
+    CVE-2025-59801 (belongs to GhostXPS not part of Ghostscript)
+  * The 10.06.0 removes the non-standard operator "selectdevice"
+    (cf. the entry below dated Tue Apr  1 09:56:06 UTC 2025)
+- ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+  https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+  to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+  "ghostscript 10.06.0 compilation failure on 32-bit archs"
+
+-------------------------------------------------------------------
+Tue Sep 16 08:15:18 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Switch over to libalternatives for ghostscript to provide a gs
+  variant (bsc#1245896)
+
+-------------------------------------------------------------------
+Mon Aug  4 07:14:46 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 10.05.1
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
+  * This release addresses CVEs:
+    + CVE-2025-46646
+    + CVE-2025-48708 (bsc#1243701)
+  * The 10.05.1 patch release addresses:
+    + An overflow issue in Freetype on platforms
+      where long is a 4 byte (rather than 8 byte) type
+      (Microsoft Windows, for example) causing corrupted
+      glyph rendering at higher resolutions
+    + An issue with embedded files, affecting Zugferd
+      format PDF creation.
+    + Broken logic in PDF Optional Content processing
+    + Potential slow down due to searching for identifiable
+      font files
+    + A small number of extreme edge case segmentation faults.
+
+-------------------------------------------------------------------
+Thu Apr 10 19:39:55 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
+  still allow build on Leap 15.6
+
 -------------------------------------------------------------------
 Tue Apr  1 09:56:06 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
 

ghostscript.spec

@@ -2,6 +2,7 @@
 # spec file for package ghostscript
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,28 +24,38 @@
 %global psuffix %{nil}
 %bcond_without  apparmor
 %endif
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
 Name:           ghostscript%{psuffix}
-Version:        10.05.0
+Version:        10.06.0
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
 # Use "osc service manualrun" to fetch Source0:
-Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-%{version}.tar.gz
+Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10060/ghostscript-%{version}.tar.gz
 # How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
 # (example for the Ghostscript 10.05.1 release):
 # Go to https://www.ghostscript.com
 # -> [Download] or "Releases" https://ghostscript.com/releases/index.html
 # -> "Ghostscript" https://ghostscript.com/releases/gsdnld.htm
-# -> "Ghostscript 10.05.0 Source for all platforms / Ghostscript AGPL Release"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-10.05.0.tar.gz
+# -> "Ghostscript 10.05.1 Source for all platforms / Ghostscript AGPL Release"
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/ghostscript-10.05.1.tar.gz
 # and "MD5 Checksums"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/MD5SUMS
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10051/MD5SUMS
 # and on https://ghostscript.com/releases/index.html
-# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
+# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.1/News.html
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+# "ghostscript 10.06.0 compilation failure on 32-bit archs":
+Patch1:         ghostscript-10.06.0-Fix_32-bit_build.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -62,10 +73,15 @@ BuildRequires:  libpng-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
 BuildRequires:  update-alternatives
-BuildRequires:  zlib-devel
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
+%endif
+BuildRequires:  zlib-devel
 # Provide the additional RPM Provides of the ghostscript-library package
 # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@@ -165,7 +181,11 @@ This package contains the development files for Ghostscript.
 
 %prep
 %setup -q -n ghostscript-%{version}
-
+# Patch1 ghostscript-10.06.0-Fix_32-bit_build.patch is the upstream commit
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=3c0be6e4fcffa63e4a5a1b0aec057cebc4d2562f
+# to fix https://bugs.ghostscript.com/show_bug.cgi?id=708824
+# "ghostscript 10.06.0 compilation failure on 32-bit archs":
+%patch -P 1 -p1
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 %patch -P 101 -p1
@@ -183,7 +203,7 @@ rm -rf openjpeg
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s})
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
+export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -std=gnu11"
 export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
 export LDFLAGS="-pie"
 autoreconf -fi
@@ -271,6 +291,25 @@ popd
 rm %{buildroot}%{_bindir}/ijs_client_example
 rm %{buildroot}%{_bindir}/ijs_server_example
 rm %{buildroot}%{_libdir}/libijs.la
+# Remove pdf2dsc which was removed in Ghostscript 10.05.0
+# because in Ghostscript 10.x pdf2dsc can no longer work as intended
+# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=2c315570de78df902f8f15312728d9e1b00cac44
+# but in Ghostscript 10.05.1 pdf2dsc was put back
+# see https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=528d324a7968ad89401ebb60dfdb22f9fdfeeb6b
+# and https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=0e23e5009c7e2a65a2f707146f2dffe8a362ab86
+# regardless that pdf2dsc can still no longer work as intended
+# according to the git commit 528d324a7968ad89401ebb60dfdb22f9fdfeeb6b message
+# which reads (excerpts)
+# > After feedback from users (AUCTeX and gv) put back the pdf2dsc utility
+# > but note in the comments that this is now unsupported code (in truth
+# > I think it always was, but this makes it explicit).
+# > Because the PostScript program uses undocumented parts of the old
+# > 'written in PostScript' PDF interpreter portions of it probably don't
+# > work and it may fail altogether at some point.
+# Because openSUSE cannot support software which is not supported by upstream
+# the unsupported pdf2dsc is kept removed from Ghostscript:
+rm %{buildroot}%{_datadir}/ghostscript/%{version}/lib/pdf2dsc.ps
+rm %{buildroot}%{_bindir}/pdf2dsc
 # Install examples:
 EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{version}/examples
 test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
@@ -323,10 +362,20 @@ install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
 %endif
 
 # Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
-install -d %{buildroot}%{_sysconfdir}/alternatives
 mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
+%if %{with libalternatives}
+mkdir -p %{buildroot}%{_datadir}/libalternatives/gs
+ln -sf %{_bindir}/alts %{buildroot}%{_bindir}/gs
+cat > %{buildroot}%{_datadir}/libalternatives/gs/10.conf <<-EOF
+	binary=%{_bindir}/gs.bin
+	man=gs.1
+	group=gs
+	EOF
+%else
+install -d %{buildroot}%{_sysconfdir}/alternatives
 ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
 ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
+%endif
 
 %post
 /sbin/ldconfig
@@ -335,20 +384,30 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
+%if ! %{with libalternatives}
 %{_sbindir}/update-alternatives \
   --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
+%endif
 
 %postun -p /sbin/ldconfig
 
+%if ! %{with libalternatives}
 %preun
 if test $1 -eq 0 ; then
     %{_sbindir}/update-alternatives \
     --remove gs %{_bindir}/gs.bin
 fi
+%endif
 
 %files
 %license LICENSE
+%if %{with libalternatives}
+%dir %{_datadir}/libalternatives/
+%dir %{_datadir}/libalternatives/gs/
+%{_datadir}/libalternatives/gs/10.conf
+%else
 %ghost %config %{_sysconfdir}/alternatives/gs
+%endif
 %{_bindir}/dvipdf
 %{_bindir}/eps2eps
 %{_bindir}/gs