diff --git a/0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch b/0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch deleted file mode 100644 index 05384e1..0000000 --- a/0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 495b79d8e9a44ad0ada965add3a046120646e7e0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Stefan=20Br=C3=83=C2=BCns?= -Date: Thu, 12 Jan 2017 18:04:57 +0100 -Subject: [PATCH 1/2] mkromfs: make build reproducible, use buildtime from - SOURCE_DATE_EPOCH -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The environment variable SOURCE_DATE_EPOCH is the common approach for -getting reproducible timestamps and thus builds. In case the variable -is not set, keep using the current time of the mkromfs run. - -Signed-off-by: Stefan Brüns ---- - base/mkromfs.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/base/mkromfs.c b/base/mkromfs.c -index b7bc6bf..9b81c46 100644 ---- a/base/mkromfs.c -+++ b/base/mkromfs.c -@@ -2280,6 +2280,8 @@ main(int argc, char *argv[]) - int compaction = 0; - Xlist_element *Xlist_scan = NULL, *Xlist_head = NULL; - char pa[PATH_STR_LEN]; -+ time_t buildtime = 0; -+ char* env_source_date_epoch; - - memset(pa, 0x00, PATH_STR_LEN); - -@@ -2336,7 +2338,13 @@ main(int argc, char *argv[]) - #endif - fprintf(out,"\n#include \"stdint_.h\"\n"); - fprintf(out,"\n#include \"time_.h\"\n\n"); -- fprintf(out," time_t gs_romfs_buildtime = %ld;\n\n", time(NULL)); -+ -+ if ((env_source_date_epoch = getenv("SOURCE_DATE_EPOCH"))) { -+ buildtime = strtoul(env_source_date_epoch, NULL, 10); -+ } -+ if (!buildtime) -+ buildtime = time(NULL); -+ fprintf(out," time_t gs_romfs_buildtime = %ld;\n\n", buildtime); - - /* process the remaining arguments (options interspersed with paths) */ - for (; atarg < argc; atarg++) { --- -2.11.0 - diff --git a/0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch b/0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch deleted file mode 100644 index 7cb1f71..0000000 --- a/0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ec602a6eadfe7680e0a1008a67afa18903a07ad9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Stefan=20Br=C3=BCns?= -Date: Thu, 12 Jan 2017 20:55:11 +0100 -Subject: [PATCH 2/2] mkromfs: sort gp_enumerate_files output for deterministic - ROM contents -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -gp_enumerate_files_next returns dir entries in the same order as returned -by readdir. Sort by name to generate deterministic output. - -Signed-off-by: Stefan Brüns ---- - base/mkromfs.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/base/mkromfs.c b/base/mkromfs.c -index 9b81c46..b7799ae 100644 ---- a/base/mkromfs.c -+++ b/base/mkromfs.c -@@ -344,6 +344,7 @@ const gs_malloc_memory_t minimal_memory = { - 0 /* max used */ - }; - -+int cmpstringp(const void *p1, const void *p2); - void put_uint32(FILE *out, const unsigned int q); - void put_bytes_padded(FILE *out, unsigned char *p, unsigned int len); - void inode_clear(romfs_inode* node); -@@ -1542,6 +1543,15 @@ static unsigned long pscompact_getcompactedblock(pscompstate *psc, unsigned char - return out-ubuf; - } - -+int cmpstringp(const void *p1, const void *p2) -+{ -+ /* The actual arguments to this function are "pointers to -+ pointers to char", but strcmp(3) arguments are "pointers -+ to char", hence the following cast plus dereference */ -+ -+ return strcmp(* (char * const *) p1, * (char * const *) p2); -+} -+ - /* This relies on the gp_enumerate_* which should not return directories, nor */ - /* should it recurse into directories (unlike Adobe's implementation) */ - /* paths are checked to see if they are an ordinary file or a path */ -@@ -1561,6 +1571,8 @@ void process_path(char *path, const char *os_prefix, const char *rom_prefix, - FILE *in; - unsigned long psc_len; - pscompstate psc = { 0 }; -+ unsigned long numfiles = 0; -+ char **foundfiles = NULL; - - prefixed_path = malloc(PATH_STR_LEN); - found_path = malloc(PATH_STR_LEN); -@@ -1598,6 +1610,17 @@ void process_path(char *path, const char *os_prefix, const char *rom_prefix, - if (excluded) - continue; - -+ numfiles++; -+ foundfiles = realloc(foundfiles, sizeof(char *) * numfiles); -+ foundfiles[numfiles - 1] = strdup(found_path); -+ } -+ -+ qsort(foundfiles, numfiles, sizeof(char *), cmpstringp); -+ -+ while (numfiles--) { -+ found_path = *foundfiles; -+ foundfiles++; -+ - /* process a file */ - node = calloc(1, sizeof(romfs_inode)); - /* get info for this file */ --- -2.11.0 - diff --git a/CVE-2016-7976.patch b/CVE-2016-7976.patch deleted file mode 100644 index d7b18ef..0000000 --- a/CVE-2016-7976.patch +++ /dev/null @@ -1,171 +0,0 @@ -From: Chris Liddell -Date: Wed, 5 Oct 2016 08:55:55 +0000 (+0100) -Subject: Bug 697178: Add a file permissions callback -X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=71ac87493b1e445d6c07554d4246cf7d4f44875c;hp=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280 - -Bug 697178: Add a file permissions callback - -For the rare occasions when the graphics library directly opens a file -(currently for reading), this allows us to apply any restrictions on -file access normally applied in the interpteter. ---- - -diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c -index 931c2a6..e9c09c3 100644 ---- a/base/gsicc_manage.c -+++ b/base/gsicc_manage.c -@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc, - } - - /* First just try it like it is */ -- str = sfopen(pname, "r", mem_gc); -- if (str != NULL) { -- *strp = str; -- return 0; -+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { -+ str = sfopen(pname, "r", mem_gc); -+ if (str != NULL) { -+ *strp = str; -+ return 0; -+ } - } - - /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ -diff --git a/base/gslibctx.c b/base/gslibctx.c -index eaa0458..37ce1ca 100644 ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -189,7 +189,7 @@ Failure: - mem->gs_lib_ctx = NULL; - return -1; - } -- -+ pio->client_check_file_permission = NULL; - gp_get_realtime(pio->real_time_0); - - /* Set scanconverter to 1 (default) */ -@@ -343,3 +343,13 @@ void errflush(const gs_memory_t *mem) - fflush(mem->gs_lib_ctx->fstderr); - /* else nothing to flush */ - } -+ -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ int code = 0; -+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) { -+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); -+ } -+ return code; -+} -diff --git a/base/gslibctx.h b/base/gslibctx.h -index 7a4e110..020e2d9 100644 ---- a/base/gslibctx.h -+++ b/base/gslibctx.h -@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server; - # define gs_font_dir_DEFINED - typedef struct gs_font_dir_s gs_font_dir; - #endif -+ -+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); -+ - typedef struct gs_lib_ctx_s - { - gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ -@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s - struct gx_io_device_s **io_device_table; - int io_device_table_count; - int io_device_table_size; -+ client_check_file_permission_t client_check_file_permission; - /* Define the default value of AccurateScreens that affects setscreen - and setcolorscreen. */ - bool screen_accurate_screens; -@@ -133,6 +137,9 @@ int - gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, - int *list_str_len); - -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); -+ - #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) - #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) - -diff --git a/psi/imain.c b/psi/imain.c -index 9a9bb5d..6874128 100644 ---- a/psi/imain.c -+++ b/psi/imain.c -@@ -57,6 +57,7 @@ - #include "ivmspace.h" - #include "idisp.h" /* for setting display device callback */ - #include "iplugin.h" -+#include "zfile.h" - - #ifdef PACIFY_VALGRIND - #include "valgrind.h" -@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) - "the_gs_name_table"); - if (code < 0) - return code; -+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; - } - code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ - if (code < 0) -diff --git a/psi/int.mak b/psi/int.mak -index 4654afc..bb30d51 100644 ---- a/psi/int.mak -+++ b/psi/int.mak -@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\ - $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ - $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ - $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ -- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ -+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ - $(INT_MAK) $(MAKEDIRS) - $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c - -diff --git a/psi/zfile.c b/psi/zfile.c -index 2c6c958..bc6c70f 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len, - return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); - } - -+/* z_check_file_permissions: see zfile.h for explanation -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; -+ gs_parsed_file_name_t pname; -+ char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; -+ int code = gs_parse_file_name(&pname, fname, len, imemory); -+ if (code < 0) -+ return code; -+ -+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) -+ return gs_error_invalidfileaccess; -+ -+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup); -+ return code; -+} -+ - /* file */ - int /* exported for zsysvm.c */ - zfile(i_ctx_t *i_ctx_p) -diff --git a/psi/zfile.h b/psi/zfile.h -index fdf1373..a9399c7 100644 ---- a/psi/zfile.h -+++ b/psi/zfile.h -@@ -22,4 +22,11 @@ - int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, - const char *file_access, stream **ps, gs_memory_t *mem); - -+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) -+ * to allow applying the above permissions checks when opening file(s) from -+ * the graphics library -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, -+ const int len, const char *permission); - #endif diff --git a/CVE-2016-7977.patch b/CVE-2016-7977.patch deleted file mode 100644 index 6772b00..0000000 --- a/CVE-2016-7977.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Chris Liddell -Date: Mon, 3 Oct 2016 00:46:28 +0000 (+0100) -Subject: Bug 697169: Be rigorous with SAFER permissions -X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280;hp=3826c0c7a4fc781c8222ef458b706360600f1711 - -Bug 697169: Be rigorous with SAFER permissions - -Once we've opened our input file from the command line, enforce the SAFER -rules. ---- - -diff --git a/psi/zfile.c b/psi/zfile.c -index b6caea2..2c6c958 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx - gs_main_instance *minst = get_minst_from_memory(mem); - int code; - -+ if (i_ctx_p && starting_arg_file) -+ i_ctx_p->starting_arg_file = false; -+ - /* when starting arg files (@ files) iodev_default is not yet set */ - if (iodev == 0) - iodev = (gx_io_device *)gx_io_device_table[0]; diff --git a/CVE-2016-7978.patch b/CVE-2016-7978.patch deleted file mode 100644 index 398f163..0000000 --- a/CVE-2016-7978.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Chris Liddell -Date: Wed, 5 Oct 2016 08:59:25 +0000 (+0100) -Subject: Bug 697179: Reference count device icc profile -X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=d5ad1e0298e1c193087c824eb4f79628b182e28b;hp=71ac87493b1e445d6c07554d4246cf7d4f44875c - -Bug 697179: Reference count device icc profile - -when copying a device ---- - -diff --git a/base/gsdevice.c b/base/gsdevice.c -index 778106f..aea986a 100644 ---- a/base/gsdevice.c -+++ b/base/gsdevice.c -@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, - dev->memory = mem; - dev->retained = !internal; - rc_init(dev, mem, (internal ? 0 : 1)); -+ rc_increment(dev->icc_struct); - } - - void diff --git a/CVE-2016-7979.patch b/CVE-2016-7979.patch deleted file mode 100644 index 363b1a6..0000000 --- a/CVE-2016-7979.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Ken Sharp -Date: Wed, 5 Oct 2016 09:10:58 +0000 (+0100) -Subject: DSC parser - validate parameters -X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=875a0095f37626a721c7ff57d606a0f95af03913;hp=aef8f6cfbff9080e4b9c54053bc909875c09a2be - -DSC parser - validate parameters - -Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it." - -Regardless of any security implications, its simply wrong for a PostScript -operator not to validate its parameter(s). - -No differences expected. ---- - -diff --git a/psi/zdscpars.c b/psi/zdscpars.c -index c05e154..9b4b605 100644 ---- a/psi/zdscpars.c -+++ b/psi/zdscpars.c -@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) - ref local_ref; - int code; - os_ptr const op = osp; -- dict * const pdict = op->value.pdict; -- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); -- dsc_data_t * const data = -- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); -+ dict *pdict; -+ gs_memory_t *mem; -+ dsc_data_t *data; - -+ check_read_type(*op, t_dictionary); -+ -+ pdict = op->value.pdict; -+ mem = (gs_memory_t *)dict_memory(pdict); -+ -+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); - if (!data) - return_error(gs_error_VMerror); - data->document_level = 0; diff --git a/CVE-2016-8602.patch b/CVE-2016-8602.patch deleted file mode 100644 index b2c55ae..0000000 --- a/CVE-2016-8602.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Chris Liddell -Date: Sat, 8 Oct 2016 15:10:27 +0000 (+0100) -Subject: Bug 697203: check for sufficient params in .sethalftone5 -X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78;hp=a5360401495654e89301b2516703c1d2877fc5ba - -Bug 697203: check for sufficient params in .sethalftone5 - -and param types ---- - -diff --git a/psi/zht2.c b/psi/zht2.c -index fb4a264..dfa27a4 100644 ---- a/psi/zht2.c -+++ b/psi/zht2.c -@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) - gs_memory_t *mem; - uint edepth = ref_stack_count(&e_stack); - int npop = 2; -- int dict_enum = dict_first(op); -+ int dict_enum; - ref rvalue[2]; - int cname, colorant_number; - byte * pname; - uint name_size; - int halftonetype, type = 0; - gs_gstate *pgs = igs; -- int space_index = r_space_index(op - 1); -+ int space_index; -+ -+ if (ref_stack_count(&o_stack) < 2) -+ return_error(gs_error_stackunderflow); -+ check_type(*op, t_dictionary); -+ check_type(*(op - 1), t_dictionary); -+ -+ dict_enum = dict_first(op); -+ space_index = r_space_index(op - 1); - - mem = (gs_memory_t *) idmemory->spaces_indexed[space_index]; - diff --git a/CVE-2017-5951.patch b/CVE-2017-5951.patch new file mode 100644 index 0000000..6047b9e --- /dev/null +++ b/CVE-2017-5951.patch @@ -0,0 +1,19 @@ +--- psi/iparam.c.orig 2017-03-16 11:12:02.000000000 +0100 ++++ psi/iparam.c 2017-04-12 11:42:57.000000000 +0200 +@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * pli + gs_param_enumerator_t enumr; + gs_param_key_t key; + ref_type keytype; ++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list; + + param_init_enumerator(&enumr); +- if (!(*((iparam_list *) plist)->enumerate) +- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype) ++ if (!(*(dlist->enumerate)) ++ ((iparam_list *) dlist, &enumr, &key, &keytype) + && keytype == t_integer) { +- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1; ++ dlist->int_keys = 1; + pvalue->type = gs_param_type_dict_int_keys; + } + } diff --git a/ghostscript-9.20.tar.gz b/ghostscript-9.20.tar.gz deleted file mode 100644 index 5a49859..0000000 --- a/ghostscript-9.20.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:949b64b46ecf8906db54a94ecf83ab97534ebf946f770d3c3f283cb469cb6e14 -size 36080631 diff --git a/ghostscript-9.21.tar.gz b/ghostscript-9.21.tar.gz new file mode 100644 index 0000000..024b1b1 --- /dev/null +++ b/ghostscript-9.21.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02bceadbc4dddeb6f2eec9c8b1623d945d355ca11b8b4df035332b217d58ce85 +size 38398778 diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index 7174d74..5cdd1bf 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes @@ -1,3 +1,90 @@ +------------------------------------------------------------------- +Wed Apr 12 11:12:27 CEST 2017 - jsmeix@suse.de + +- CVE-2016-10317 (bsc#1032230) + heap buffer overflow in fill_threshhold_buffer() + is not yet fixed because there is no fix available at + https://bugs.ghostscript.com/show_bug.cgi?id=697459 +- CVE-2016-10219 (bsc#1032138) + divide by zero in intersect() + https://bugs.ghostscript.com/show_bug.cgi?id=697453 + is fixed in the version 9.21 upstream sources +- CVE-2016-10218 (bsc#1032135) + null pointer dereference in pdf14_pop_transparency_group() + https://bugs.ghostscript.com/show_bug.cgi?id=697444 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10217 (bsc#1032130) + use-after-free in pdf14_cleanup_parent_color_profiles() + that is related to pdf14_open() in base/gdevp14.c + https://bugs.ghostscript.com/show_bug.cgi?id=697456 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10220 (bsc#1032120) + null pointer dereference in gx_device_finalize() that is + related to gs_makewordimagedevice() in base/gsdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697450 + is fixed in the version 9.21 upstream sources. +- CVE-2017-5951.patch fixes + null pointer dereference in ref_stack_index() that is + related to mem_get_bits_rectangle() in base/gdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697548 + (bsc#1032114) + +------------------------------------------------------------------- +Mon Apr 10 14:06:09 CEST 2017 - jsmeix@suse.de + +- Version upgrade to 9.21. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * pdfwrite now preserves annotations from + input PDFs (where possible). + * The GhostXPS interpreter now provides the pdfwrite device + with the data it requires to emit a ToUnicode CMap: thus + allowing fully searchable PDFs to be created from XPS + input (in the vast majority of cases). + * Ghostscript now allows the default color space + for PDF transparency blends. + * The Ghostscript/GhostPDL configure script now has much + better/fuller support for cross compiling. + * The tiffscaled and tiffscaled4 devices can now + use ETS (Even Tone Screening) + * The toolbin/pdf_info.ps utility can now emit + the PDF XML metadata. + * Ghostscript has a new scan converter available + (currently optional, but will become the default in a near + future release). It can be enabled by using the command line + option: '-dSCANCONVERTERTYPE=2'. This new implementation + provides vastly improved performance with large and complex + paths. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * The planned device API tidy (still!) did not happen for + this release, due to time pressures, but we still intend + to undertake the following: We plan to somewhat tidy up + the device API. We intend to remove deprecated device + procs (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter + (rather than the current scheme where only a very few procs + take an imager state parameter). This should serve as notice + to anyone maintaining a Ghostscript device outside the + canonical source tree that you may (probably will) need to + update your device(s) when these changes happen. Devices using + only the non-deprecated procs should be trivial to update. +- CVE-2016-7976.patch and CVE-2016-7977.patch and + CVE-2016-7978.patch and CVE-2016-7979.patch and + CVE-2016-8602.patch are no longer needed because + those issues are fixed in the upstream sources. +- 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch + and + 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch + are no longer needed because both are included + in the upstream sources, see the upstream issue + https://bugs.ghostscript.com/show_bug.cgi?id=697484 +- Again use the zlib sources from Ghostscript upstream + and disable remove-zlib-h-dependency.patch because + Ghostscript 9.21 does no longer build this way, + cf. the entry below dated "Wed Nov 18 11:46:58 UTC 2015" + ------------------------------------------------------------------- Thu Jan 12 17:13:58 UTC 2017 - stefan.bruens@rwth-aachen.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index 57279b3..24ef9a2 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -38,7 +38,7 @@ Url: http://www.ghostscript.com/ # so that we keep additionally the previous version number to upgrade from the previous version: #Version: 9.19pre20rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.20 +Version: 9.21 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". @@ -49,7 +49,7 @@ Release: 0 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#%define built_version 9.20 +#define built_version 9.20 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920rc1/ghostscript-9.20rc1.tar.gz @@ -57,37 +57,13 @@ Release: 0 # wget -O ghostscript-9.20rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920rc1/ghostscript-9.20rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/ghostscript-9.20.tar.gz +# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21.tar.gz # How to download it: -# wget -O ghostscript-9.20.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/ghostscript-9.20.tar.gz -# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/MD5SUMS -# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe +# wget -O ghostscript-9.21.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21.tar.gz +# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/MD5SUMS +# MD5 checksum for Source0: 5f213281761d2750fcf27476c404d17f Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch1: CVE-2016-7976.patch -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch2: CVE-2016-7977.patch -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch3: CVE-2016-7978.patch -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch4: CVE-2016-7979.patch -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -96,16 +72,17 @@ Patch5: CVE-2016-8602.patch # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 Patch11: ppc64le-support.patch -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -Patch12: 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch -# Patch13 sorts the ROM contents by name for deterministic contents -Patch13: 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +Patch101: CVE-2017-5951.patch # RPM dependencies: Conflicts: ghostscript Conflicts: ghostscript-x11 @@ -174,50 +151,28 @@ This package contains the development files for Minimal Ghostscript. # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch1 -p1 -b CVE-2016-7976.orig -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch2 -p1 -b CVE-2016-7977.orig -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch3 -p1 -b CVE-2016-7978.orig -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch4 -p1 -b CVE-2016-7979.orig -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 %patch11 -p1 -b ppc64le-support.orig -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -%patch12 -p1 -b mkromfs-buildtime.orig -# Patch13 sorts the ROM contents by name for deterministic contents -%patch13 -p1 -b mkromfs-sort-contents.orig # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: -%patch100 -p1 -b remove-zlib-h-dependency.orig +#patch100 -p1 -b remove-zlib-h-dependency.orig # Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball # because we prefer to use for long-established standard libraries the ones from SUSE # in particular to automatically get SUSE security updates for standard libraries. # In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one # is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE: -rm -rf freetype jpeg libpng tiff zlib +#rm -rf freetype jpeg libpng tiff zlib +rm -rf freetype jpeg libpng tiff +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +%patch101 -b CVE-2017-5951.orig %build # Derive build timestamp from latest changelog entry diff --git a/ghostscript.changes b/ghostscript.changes index fcf4c92..88085b2 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,3 +1,90 @@ +------------------------------------------------------------------- +Wed Apr 12 11:12:27 CEST 2017 - jsmeix@suse.de + +- CVE-2016-10317 (bsc#1032230) + heap buffer overflow in fill_threshhold_buffer() + is not yet fixed because there is no fix available at + https://bugs.ghostscript.com/show_bug.cgi?id=697459 +- CVE-2016-10219 (bsc#1032138) + divide by zero in intersect() + https://bugs.ghostscript.com/show_bug.cgi?id=697453 + is fixed in the version 9.21 upstream sources +- CVE-2016-10218 (bsc#1032135) + null pointer dereference in pdf14_pop_transparency_group() + https://bugs.ghostscript.com/show_bug.cgi?id=697444 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10217 (bsc#1032130) + use-after-free in pdf14_cleanup_parent_color_profiles() + that is related to pdf14_open() in base/gdevp14.c + https://bugs.ghostscript.com/show_bug.cgi?id=697456 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10220 (bsc#1032120) + null pointer dereference in gx_device_finalize() that is + related to gs_makewordimagedevice() in base/gsdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697450 + is fixed in the version 9.21 upstream sources. +- CVE-2017-5951.patch fixes + null pointer dereference in ref_stack_index() that is + related to mem_get_bits_rectangle() in base/gdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697548 + (bsc#1032114) + +------------------------------------------------------------------- +Mon Apr 10 14:06:09 CEST 2017 - jsmeix@suse.de + +- Version upgrade to 9.21. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * pdfwrite now preserves annotations from + input PDFs (where possible). + * The GhostXPS interpreter now provides the pdfwrite device + with the data it requires to emit a ToUnicode CMap: thus + allowing fully searchable PDFs to be created from XPS + input (in the vast majority of cases). + * Ghostscript now allows the default color space + for PDF transparency blends. + * The Ghostscript/GhostPDL configure script now has much + better/fuller support for cross compiling. + * The tiffscaled and tiffscaled4 devices can now + use ETS (Even Tone Screening) + * The toolbin/pdf_info.ps utility can now emit + the PDF XML metadata. + * Ghostscript has a new scan converter available + (currently optional, but will become the default in a near + future release). It can be enabled by using the command line + option: '-dSCANCONVERTERTYPE=2'. This new implementation + provides vastly improved performance with large and complex + paths. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * The planned device API tidy (still!) did not happen for + this release, due to time pressures, but we still intend + to undertake the following: We plan to somewhat tidy up + the device API. We intend to remove deprecated device + procs (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter + (rather than the current scheme where only a very few procs + take an imager state parameter). This should serve as notice + to anyone maintaining a Ghostscript device outside the + canonical source tree that you may (probably will) need to + update your device(s) when these changes happen. Devices using + only the non-deprecated procs should be trivial to update. +- CVE-2016-7976.patch and CVE-2016-7977.patch and + CVE-2016-7978.patch and CVE-2016-7979.patch and + CVE-2016-8602.patch are no longer needed because + those issues are fixed in the upstream sources. +- 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch + and + 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch + are no longer needed because both are included + in the upstream sources, see the upstream issue + https://bugs.ghostscript.com/show_bug.cgi?id=697484 +- Again use the zlib sources from Ghostscript upstream + and disable remove-zlib-h-dependency.patch because + Ghostscript 9.21 does no longer build this way, + cf. the entry below dated "Wed Nov 18 11:46:58 UTC 2015" + ------------------------------------------------------------------- Thu Jan 12 17:13:58 UTC 2017 - stefan.bruens@rwth-aachen.de diff --git a/ghostscript.spec b/ghostscript.spec index d93c89a..529c666 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -58,7 +58,7 @@ Url: http://www.ghostscript.com/ # so that we keep additionally the previous version number to upgrade from the previous version: #Version: 9.19pre20rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.20 +Version: 9.21 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". @@ -69,7 +69,7 @@ Release: 0 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#%define built_version 9.20 +#define built_version 9.20 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920rc1/ghostscript-9.20rc1.tar.gz @@ -77,37 +77,13 @@ Release: 0 # wget -O ghostscript-9.20rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920rc1/ghostscript-9.20rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/ghostscript-9.20.tar.gz +# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21.tar.gz # How to download it: -# wget -O ghostscript-9.20.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/ghostscript-9.20.tar.gz -# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs920/MD5SUMS -# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe +# wget -O ghostscript-9.21.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21.tar.gz +# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/MD5SUMS +# MD5 checksum for Source0: 5f213281761d2750fcf27476c404d17f Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch1: CVE-2016-7976.patch -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch2: CVE-2016-7977.patch -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch3: CVE-2016-7978.patch -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch4: CVE-2016-7979.patch -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -116,16 +92,17 @@ Patch5: CVE-2016-8602.patch # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 Patch11: ppc64le-support.patch -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -Patch12: 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch -# Patch13 sorts the ROM contents by name for deterministic contents -Patch13: 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +Patch101: CVE-2017-5951.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -310,50 +287,28 @@ This package contains the development files for Ghostscript. # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch1 -p1 -b CVE-2016-7976.orig -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch2 -p1 -b CVE-2016-7977.orig -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch3 -p1 -b CVE-2016-7978.orig -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch4 -p1 -b CVE-2016-7979.orig -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 %patch11 -p1 -b ppc64le-support.orig -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -%patch12 -p1 -b mkromfs-buildtime.orig -# Patch13 sorts the ROM contents by name for deterministic contents -%patch13 -p1 -b mkromfs-sort-contents.orig # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: -%patch100 -p1 -b remove-zlib-h-dependency.orig +#patch100 -p1 -b remove-zlib-h-dependency.orig # Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball # because we prefer to use for long-established standard libraries the ones from SUSE # in particular to automatically get SUSE security updates for standard libraries. # In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one # is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE: -rm -rf freetype jpeg libpng tiff zlib +#rm -rf freetype jpeg libpng tiff zlib +rm -rf freetype jpeg libpng tiff +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +%patch101 -b CVE-2017-5951.orig %build # Derive build timestamp from latest changelog entry