Accepting request 1219571 from Printing

Ghostscript spec file cleanup and enhanced previous changes entry related to bsc#1232173 (forwarded request 1219570 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1219571
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=69

ghostscript.changes

@@ -1,14 +1,41 @@
+-------------------------------------------------------------------
+Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
+
+- Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024"
+  by adding the individual "bsc" numbers for each CVE, see
+  https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4
+  and by adding the "IMPORTANT" change in Ghostscript 10.04.0
+- spec file cleanup: removed the special cases for SLE12
+  i.e. rely on "suse_version >= 1500" as given precondition
+  (recent Ghostscript versions fail to build in SLE12 anyway)
+
 -------------------------------------------------------------------
 Wed Oct 23 08:54:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
 
-- update to 10.04.0 (bsc#1232173):
+- Version upgrade to 10.04.0 (bsc#1232173):
-  * Amongst other general bugs fixes, this release addresses:
+  Highlights in this release include:
-    + CVE-2024-46951
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
-    + CVE-2024-46952
+  https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
-    + CVE-2024-46953
+  * This release addresses:
-    + CVE-2024-46954
+    + CVE-2024-46951 (bsc#1232265)
-    + CVE-2024-46955
+    + CVE-2024-46952 (bsc#1232266)
-    + CVE-2024-46956
+    + CVE-2024-46953 (bsc#1232267)
+    + CVE-2024-46954 (bsc#1232268)
+    + CVE-2024-46955 (bsc#1232269)
+    + CVE-2024-46956 (bsc#1232270)
+  * IMPORTANT: In this release (10.04.0)
+    we (i.e. Ghostscript upstream) have be added
+    protection for device selection from PostScript input.
+    This will mean that, by default, only the device specified
+    on the command line will be permitted. Similar to the file
+    permissions, there will be a "--permit-devices=" allowing
+    a comma separation list of allowed devices. This will also
+    take a single wildcard "*" allowing any device.
+    Any application which relies on allowing PostScript
+    to change devices during a job will have to be aware,
+    and take action to deal with this change.
+    The exception is "nulldevice", switching to that requires
+    no special action. 
 
 -------------------------------------------------------------------
 Mon Jul  1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>

ghostscript.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package ghostscript
+# spec file
 #
 # Copyright (c) 2024 SUSE LLC
 #
@@ -30,8 +30,15 @@ Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
-# use "osc service manualrun" to fetch
+# Use "osc service manualrun" to fetch Source0:
 Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-%{version}.tar.gz
+# How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
+# (example for the Ghostscript 10.03.1 release):
+# Go to https://www.ghostscript.com
+# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
+# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
+# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -66,6 +73,7 @@ Requires(preun): update-alternatives
 # in openSUSE products, cf. https://build.opensuse.org/request/show/877083
 Provides:       ghostscript_any = %{version}
 %if "%{flavor}" != "mini"
+BuildRequires:  cups-devel
 BuildRequires:  dbus-1-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  xorg-x11-fonts
@@ -75,18 +83,11 @@ BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xext)
 BuildRequires:  pkgconfig(xproto)
 BuildRequires:  pkgconfig(xt)
-%if 0%{?suse_version} == 1315
-BuildRequires:  cups154-devel
-%else
-BuildRequires:  cups-devel
-%endif
 %if %{with apparmor}
-%if 0%{?suse_version} >= 1500
 BuildRequires:  apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
 %endif
 %endif
-%endif
 # Always check if latest version of openjpeg becomes compatible with ghostscript
 %if 0%{?suse_version} >= 1550
 BuildRequires:  pkgconfig(libopenjp2) >= 2.3.1
@@ -108,10 +109,8 @@ Obsoletes:      ghostscript-library < %{version}
 # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
 # this package ghostscript should replace any version of ghostscript-mini.
 Obsoletes:      ghostscript-mini
-%if 0%{?suse_version} > 1210
 Recommends:     (cups-filters-ghostscript if cups)
 %endif
-%endif
 
 %description
 Ghostscript is a package of software that provides:
@@ -325,11 +324,9 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 /sbin/ldconfig
 %if %{with apparmor}
 %if "%{flavor}" != "mini"
-%if 0%{?suse_version} >= 1500
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
-%endif
 %{_sbindir}/update-alternatives \
   --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
 
@@ -408,9 +405,6 @@ fi
 %if "%{flavor}" != "mini"
 %exclude %{_libdir}/ghostscript/%{version}/X11.so
 %if %{with apparmor}
-%if 0%{?suse_version} < 1500
-%dir %{_sysconfdir}/apparmor.d
-%endif
 %{_sysconfdir}/apparmor.d/ghostscript
 %endif