Accepting request 682767 from home:mwilck:branches:Printing

- Fix IJS printing problem (bsc#1128467) * added ijs_exec_server_dont_use_sh.patch * allow exec'ing hpijs in apparmor profile OBS-URL: https://build.opensuse.org/request/show/682767 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=107
2019-03-08 12:28:32 +00:00 · 2019-03-08 12:28:32 +00:00 · 0dd7230d55
commit 0dd7230d55
parent 3d3f520cee
5 changed files with 47 additions and 5 deletions
--- a/apparmor_usr.bin.gs
+++ b/apparmor_usr.bin.gs
@ -15,4 +15,5 @@ profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps
  /usr/lib64/ghostscript/** m,
  /usr/lib64/libgs.so.* m,
  /usr/lib64/libijs-* m,
+  /usr/bin/hpijs ix,
 }
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


--- a/ghostscript.changes
+++ b/ghostscript.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar  8 10:49:18 UTC 2019 - Martin Wilck <mwilck@suse.com>
+
+- Fix IJS printing problem (bsc#1128467)
+  * added ijs_exec_server_dont_use_sh.patch
+  * allow exec'ing hpijs in apparmor profile
+
 -------------------------------------------------------------------
 Thu Feb  7 09:27:44 UTC 2019 - jsegitz@suse.com

--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -101,6 +101,7 @@ Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
 Patch100:       remove-zlib-h-dependency.patch
+Patch101:       ijs_exec_server_dont_use_sh.patch
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@ -217,7 +218,6 @@ For information how to use Ghostscript see

 %package x11
 Summary:        X11 library for Ghostscript
-Group:          Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@ -225,6 +225,7 @@ Group:          Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@ -282,6 +283,7 @@ This package contains the development files for Ghostscript.
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
+%patch101 -p1
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
--- a/ijs_exec_server_dont_use_sh.patch
+++ b/ijs_exec_server_dont_use_sh.patch
@ -0,0 +1,32 @@
+From 0d58bab5cdc7e76d7220ce441d39812c85329ba2 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Fri, 8 Mar 2019 12:01:13 +0100
+Subject: [PATCH] ijs: ijs_exec_server(): don't use "sh"
+
+If ghostscript is confined using security profiles, executing "sh"
+must be obviously avoided. So, try to exec the IJS server binary
+directly. This should enable security profile writers to select
+which IJS binaries to allow.
+
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+---
+ ijs/ijs_exec_unix.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ijs/ijs_exec_unix.c b/ijs/ijs_exec_unix.c
+index 6225694..e775dc3 100644
+--- a/ijs/ijs_exec_unix.c
+++ b/ijs/ijs_exec_unix.c
+@@ -70,9 +70,6 @@ ijs_exec_server(const char *server_cmd, int *pfd_to, int *pfd_from,
+       argv[i++] = "gdb";
+ #endif
+ 
+-      argv[i++] = "sh";
+-      argv[i++] = "-c";
+-
+       argv[i++] = (char *)server_cmd;
+       argv[i++] = NULL;
+       status = execvp (argv[0], (char * const *)argv);
+-- 
+2.21.0
+