rpm/ghostscript
SHA256
1
0
Fork 0
forked from pool/ghostscript
Code Pull Requests Activity

Accepting request 989980 from Printing

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/989980
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=56
This commit is contained in:
Richard Brown 2022-07-29 14:46:49 +00:00 committed by Git OBS Bridge
commit c25d25a587
9 changed files with 175 additions and 2405 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

232
CVE-2021-3781.patch
View File

@ -1,232 +0,0 @@
From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 7 Sep 2021 20:36:12 +0100
Subject: [PATCH] Bug 704342: Include device specifier strings in access
validation
for the "%pipe%", %handle%" and %printer% io devices.
We previously validated only the part after the "%pipe%" Postscript device
specifier, but this proved insufficient.
This rebuilds the original file name string, and validates it complete. The
slight complication for "%pipe%" is it can be reached implicitly using
"|" so we have to check both prefixes.
Addresses CVE-2021-3781
---
base/gdevpipe.c | 22 +++++++++++++++-
base/gp_mshdl.c | 11 +++++++-
base/gp_msprn.c | 10 ++++++-
base/gp_os2pr.c | 13 +++++++++-
base/gslibctx.c | 69 ++++++++++---------------------------------------
5 files changed, 65 insertions(+), 60 deletions(-)
diff --git a/base/gdevpipe.c b/base/gdevpipe.c
index 96d71f5d8..5bdc485be 100644
--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
#else
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ /* The pipe device can be reached in two ways, explicltly with %pipe%
+ or implicitly with "|", so we have to check for both
+ */
+ char f[gp_file_name_sizeof];
+ const char *pipestr = "|";
+ const size_t pipestrlen = strlen(pipestr);
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
+ int code1;
+
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(f, iodev->dname, preflen);
+ memcpy(f + preflen, fname, nlen + 1);
+
+ code1 = gp_validate_path(mem, f, access);
+
+ memcpy(f, pipestr, pipestrlen);
+ memcpy(f + pipestrlen, fname, nlen + 1);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
return gs_error_invalidfileaccess;
/*
diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
index 2b964ed74..8d87ceadc 100644
--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
long hfile; /* Correct for Win32, may be wrong for Win64 */
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ char f[gp_file_name_sizeof];
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(f, iodev->dname, preflen);
+ memcpy(f + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, f, access) != 0)
return gs_error_invalidfileaccess;
/* First we try the open_handle method. */
diff --git a/base/gp_msprn.c b/base/gp_msprn.c
index ed4827968..746a974f7 100644
--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ const size_t preflen = strlen(iodev->dname);
+ const size_t nlen = strlen(fname);
- if (gp_validate_path(mem, fname, access) != 0)
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(pname, iodev->dname, preflen);
+ memcpy(pname + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, pname, access) != 0)
return gs_error_invalidfileaccess;
/* First we try the open_printer method. */
diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
index f852c71fc..ba54cde66 100644
--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
FILE ** pfile, char *rfname, uint rnamelen)
{
os2_printer_t *pr = (os2_printer_t *)iodev->state;
- char driver_name[256];
+ char driver_name[gp_file_name_sizeof];
gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
gs_fs_list_t *fs = ctx->core->fs;
+ const size_t preflen = strlen(iodev->dname);
+ const int size_t = strlen(fname);
+
+ if (preflen + nlen >= gp_file_name_sizeof)
+ return_error(gs_error_invalidaccess);
+
+ memcpy(driver_name, iodev->dname, preflen);
+ memcpy(driver_name + preflen, fname, nlen + 1);
+
+ if (gp_validate_path(mem, driver_name, access) != 0)
+ return gs_error_invalidfileaccess;
/* First we try the open_printer method. */
/* Note that the loop condition here ensures we don't
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 6dfed6cd5..318039fad 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
int
gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
{
- char *fp, f[gp_file_name_sizeof];
- const int pipe = 124; /* ASCII code for '|' */
- const int len = strlen(fname);
- int i, code;
+ char f[gp_file_name_sizeof];
+ int code;
/* Be sure the string copy will fit */
- if (len >= gp_file_name_sizeof)
+ if (strlen(fname) >= gp_file_name_sizeof)
return gs_error_rangecheck;
strcpy(f, fname);
- fp = f;
/* Try to rewrite any %d (or similar) in the string */
rewrite_percent_specifiers(f);
- for (i = 0; i < len; i++) {
- if (f[i] == pipe) {
- fp = &f[i + 1];
- /* Because we potentially have to check file permissions at two levels
- for the output file (gx_device_open_output_file and the low level
- fopen API, if we're using a pipe, we have to add both the full string,
- (including the '|', and just the command to which we pipe - since at
- the pipe_fopen(), the leading '|' has been stripped.
- */
- code = gs_add_control_path(mem, gs_permit_file_writing, f);
- if (code < 0)
- return code;
- code = gs_add_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
- break;
- }
- if (!IS_WHITESPACE(f[i]))
- break;
- }
- code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+ code = gs_add_control_path(mem, gs_permit_file_control, f);
if (code < 0)
return code;
- return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ return gs_add_control_path(mem, gs_permit_file_writing, f);
}
int
gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
{
- char *fp, f[gp_file_name_sizeof];
- const int pipe = 124; /* ASCII code for '|' */
- const int len = strlen(fname);
- int i, code;
+ char f[gp_file_name_sizeof];
+ int code;
/* Be sure the string copy will fit */
- if (len >= gp_file_name_sizeof)
+ if (strlen(fname) >= gp_file_name_sizeof)
return gs_error_rangecheck;
strcpy(f, fname);
- fp = f;
/* Try to rewrite any %d (or similar) in the string */
- for (i = 0; i < len; i++) {
- if (f[i] == pipe) {
- fp = &f[i + 1];
- /* Because we potentially have to check file permissions at two levels
- for the output file (gx_device_open_output_file and the low level
- fopen API, if we're using a pipe, we have to add both the full string,
- (including the '|', and just the command to which we pipe - since at
- the pipe_fopen(), the leading '|' has been stripped.
- */
- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
- if (code < 0)
- return code;
- code = gs_remove_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
- break;
- }
- if (!IS_WHITESPACE(f[i]))
- break;
- }
- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+ rewrite_percent_specifiers(f);
+
+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
if (code < 0)
return code;
- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
}
int
--
2.17.1

36
CVE-2021-45949.patch
View File

@ -1,36 +0,0 @@
--- psi/zfsample.c.orig 2022-01-12 09:16:07.639604741 +0100
+++ psi/zfsample.c 2022-01-12 09:21:45.187952236 +0100
@@ -535,13 +535,16 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
}
pop(num_out); /* Move op to base of result values */
+ /* From here on, we have to use ref_stack_pop() rather than pop()
+ so that it handles stack extension blocks properly, before calling
+ sampled_data_sample() which also uses the op stack.
+ */
/* Check if we are done collecting data. */
-
if (increment_cube_indexes(params, penum->indexes)) {
if (stack_depth_adjust == 0)
- pop(O_STACK_PAD); /* Remove spare stack space */
+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
else
- pop(stack_depth_adjust - num_out);
+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
/* Execute the closing procedure, if given */
code = 0;
if (esp_finish_proc != 0)
@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
if ((O_STACK_PAD - stack_depth_adjust) < 0) {
stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
check_op(stack_depth_adjust);
- pop(stack_depth_adjust);
+ ref_stack_pop(&o_stack, stack_depth_adjust);
}
else {
check_ostack(O_STACK_PAD - stack_depth_adjust);
- push(O_STACK_PAD - stack_depth_adjust);
+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
make_null(op - i);
}

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<flavor>mini</flavor>
</multibuild>

3
ghostscript-9.54.0.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0646bb97f6f4d10a763f4919c54fa28b4fbdd3dff8e7de3410431c81762cade0
size 69936541

BIN
ghostscript-9.56.1.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

1441
ghostscript-mini.changes
View File

File diff suppressed because it is too large Load Diff

469
ghostscript-mini.spec
View File

@ -1,469 +0,0 @@
#
# spec file for package ghostscript-mini
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: ghostscript-mini
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
BuildRequires: liblcms2-devel
BuildRequires: libpng-devel
BuildRequires: libtiff-devel
BuildRequires: libtool
BuildRequires: pkg-config
BuildRequires: update-alternatives
BuildRequires: zlib-devel
Requires(post): update-alternatives
Requires(preun):update-alternatives
Summary: Minimal Ghostscript for minimal build requirements
License: AGPL-3.0-only
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
# Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
# would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
# and 9.15.rc.1 is newer than 9.15 (it has one more element in the list while previous elements are equal)
# so that we use an alphabetic prefix 'pre' to make it older than 9.15 (numbers are considered newer than letters).
# But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
# because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.54.0
Release: 0
# Normal version for Ghostscript releases is the upstream version:
# tarball_version is used below to specify the directory via "setup -n":
# Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
# For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
%define tarball_version %{version}
#define tarball_version 9.26rc1
# built_version is used below in the install and files sections:
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
%define built_version %{version}
#define built_version 9.26
# Source0...Source9 is for sources from upstream:
# Special URLs for Ghostscript release candidates:
# see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
# URL for Source0:
# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz
# URL for MD5 checksums:
# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS
# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz
#Source0: ghostscript-%{tarball_version}.tar.gz
# Normal URLs for Ghostscript releases:
# URL for Source0:
# wget -O ghostscript-9.54.0.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9540/ghostscript-9.54.0.tar.gz
# URL for MD5 checksums:
# wget -O gs9540.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9540/MD5SUMS
# MD5 checksum for Source0: 5d571792a8eb826c9f618fb69918d9fc ghostscript-9.54.0.tar.gz
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
# Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# Patch102 CVE-2021-3781.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
# that fixes CVE-2021-3781 Trivial -dSAFER bypass
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381
Patch102: CVE-2021-3781.patch
# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
Patch103: CVE-2021-45949.patch
# RPM dependencies:
# The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
# so other packages can build with any available Ghostscript implementation,
# either ghostscript or ghostscript-mini ("BuildRequires: ghostscript-mini" should not
# be used because ghostscript-mini does not exist outside of OBS so other packages that
# use "BuildRequires: ghostscript-mini" could not be built in published products).
# The "Provides: ghostscript_any" does not affect end-users who should not get
# ghostscript-mini installed (but only the full featured ghostscript package)
# because ghostscript-mini (and ghostscript-mini-devel) are not published
# in openSUSE products, cf. https://build.opensuse.org/request/show/877083
Provides: ghostscript_any = %{version}
Conflicts: ghostscript
Conflicts: ghostscript-devel
Conflicts: ghostscript-library
Conflicts: ghostscript-x11
# Install into this non-root directory (required when norootforbuild is used):
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Crippled Minimal Ghostscript which is not meant
to be used by end-users.
Minimal Ghostscript provides only the file format drivers
in particular to output JPEG PNG PostScript and PDF files
but no printer drivers (in particular neither 'cups'
nor 'ijs') and no X11 drivers.
The ghostscript-mini package is only meant to be used
by the openSUSE build service to avoid possible loops
in the build dependencies because ghostscript-mini
has minimal build dependencies (in particular
neither CUPS nor X11 build dependencies).
For most packages which need to only run
Ghostscript during build, a single line
"BuildRequires: ghostscript-mini"
should be sufficient in the RPM spec file.
For most packages which need Ghostscript
development files to build, a single line
"BuildRequires: ghostscript-mini-devel"
should be sufficient in the RPM spec file.
The ghostscript-mini package in the openSUSE build
service contains no sources and it must not contain
any source files. The ghostscript-mini package is only
a link to its matching ghostscript "parent" package.
Only that ghostscript package must contain all sources
and any changes must happen only for that ghostscript
package. This means any changes for the ghostscript-mini
package will be rejected in the openSUSE build service.
%package devel
Summary: Development files for Minimal Ghostscript
Group: Development/Libraries/C and C++
Requires: ghostscript-mini = %{version}
Conflicts: ghostscript
Conflicts: ghostscript-devel
Conflicts: ghostscript-library
Conflicts: ghostscript-x11
%description devel
This package contains the development files for Minimal Ghostscript.
%prep
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Patch102 CVE-2021-3781.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
# that fixes CVE-2021-3781 Trivial -dSAFER bypass
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381
%patch102 -p1
# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
%patch103
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig
# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball
# because we prefer to use for long-established standard libraries the ones from SUSE
# in particular to automatically get SUSE security updates for standard libraries.
# In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one
# is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE:
#rm -rf freetype jpeg libpng tiff zlib
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
%if 0%{?suse_version} == 1315
# Again use the freetype sources from Ghostscript upstream because
# Ghostscript 9.27 does no longer build this way for SLE12:
rm -rf jpeg libpng tiff
%else
rm -rf freetype jpeg libpng tiff
%endif
%if 0%{?suse_version} >= 1550
rm -rf openjpeg
%endif
# In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
# because that is what Ghostscript upstream recommends according to
# https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
# because singe Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript
# but now it is lcms2art (the beginning of a lcms2 fork - see News.htm).
# On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5
# which is too old so that configure fails there with
# checking for local lcms2 library source... no
# checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no
# configure: error: lcms2 not found, or too old
# (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old)
# but there is no configure option to build it without lcms2
# so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript
# i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1
# cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
%if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100
echo "Building it with lcms2art in Ghostscript"
%else
rm -rf lcms2art
%endif
%build
# Derive build timestamp from latest changelog entry
export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
# Set our preferred architecture-specific flags for the compiler and linker:
export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
export LDFLAGS="-pie"
autoreconf -fi
# --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
# --disable-cups and --without-pdftoraster
# to have nothing related to CUPS in the minimal Ghostscript.
# --disable-dbus to have nothing related to D-Bus in the minimal Ghostscript.
# --without-ijs to disable IJS printer driver support in the minimal Ghostscript.
# --with-drivers=FILES to have only the file format drivers
# but no printer drivers in the minimal Ghostscript.
# --without-x to not use the X Window System.
# --enable-openjpeg because since Ghostscript 9.05 JasPer is deprecated
# (--without-jasper is now an unrecognized option by configure)
# and Ghostscript now ships modified OpenJPEG sources for JPEG2000 decoding
# (replacing JasPer - although JasPer is still included for this release)
# Performance, reliability and memory use whilst decoding JPX streams are all improved.
# see also http://bugs.ghostscript.com/show_bug.cgi?id=691430
# --without-ufst and --without-luratech because those are relevant to commercial releases only
# which would require a commercial license.
# --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...)
# into the library, which is the upstream recommendation for distributions. This also allows
# unbundling the 35 Postscript Standard fonts, provided by the URW font package
# --without-libpaper disables libpaper support because SUSE does not have libpaper.
%define gs_font_path /usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
# See http://bugs.ghostscript.com/show_bug.cgi?id=693100
export SUSE_ASNEEDED=0
./configure --prefix=%{_prefix} \
--bindir=%{_bindir} \
--libdir=%{_libdir} \
--datadir=%{_datadir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--with-fontpath=%{gs_font_path} \
--with-libiconv=maybe \
--enable-freetype \
--with-jbig2dec \
--enable-openjpeg \
--enable-dynamic \
--disable-compile-inits \
--without-ijs \
--disable-cups \
--disable-dbus \
--without-pdftoraster \
--with-drivers=FILES \
--without-x \
--disable-gtk \
--without-ufst \
--without-luratech \
--without-libpaper
# Make libgs.so and two programs which use it, gsx and gsc:
# With --disable-gtk, gsx and gsc are identical. It provides a command line
# frontend to libgs equivalent (functional and command line arguments) to
# the gs binary, but uses the shared libgs instead of static linking
make so
# Configure and make libijs (that is not done regardless whether or not --with-ijs is used above):
pushd ijs
./autogen.sh
autoreconf -fi
./configure --prefix=%{_prefix} \
--bindir=%{_bindir} \
--libdir=%{_libdir} \
--datadir=%{_datadir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--enable-shared \
--disable-static
make
popd
%install
# Install libgs.so gsx gsc and some header files:
make soinstall DESTDIR=%{buildroot}
# Use gsc instead of gs, and remove duplicate gsx (see above)
mv %{buildroot}/%{_bindir}/{gsc,gs}
rm %{buildroot}/%{_bindir}/gsx
# Install libijs and its header files:
pushd ijs
make install DESTDIR=%{buildroot}
popd
# Remove installed ijs example client and server and its .la file:
rm %{buildroot}%{_bindir}/ijs_client_example
rm %{buildroot}%{_bindir}/ijs_server_example
rm %{buildroot}%{_libdir}/libijs.la
# Install examples:
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples
test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
for E in examples/*
do install -m 644 $E $EXAMPLESDIR || :
done
test -d $EXAMPLESDIR/cjk || install -d $EXAMPLESDIR/cjk
for E in examples/cjk/*
do install -m 644 $E $EXAMPLESDIR/cjk || :
done
# Install documentation which is not installed by default
# see http://bugs.ghostscript.com/show_bug.cgi?id=693002
# and fail intentionally as notification if something changed:
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version}
for D in LICENSE
do test -e $DOCDIR/$( basename $D ) && exit 99
install -m 644 $D $DOCDIR
done
# Add a link named 'ghostscript' from SUSE's usual documentation directory /usr/share/doc/packages
# with link target Ghostscript's documentation directory e.g. /usr/share/doc/ghostscript/9.23
# as relative link to get the link independent of the buildroot prefix
# i.e. in /usr/share/doc/packages add the link ghostscript -> ../ghostscript/9.23
# because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above):
install -d -m 755 %{buildroot}%{_defaultdocdir}
pushd %{buildroot}%{_defaultdocdir}
ln -s ../ghostscript/%{built_version} ghostscript
popd
# Extract the catalog of devices which are actually built-in in exactly this Ghostscript:
# If a needed source file is no longer accessible fail intentionally as notification
# that something changed which needs adaptions here:
catalog_devices_source_files="devices/devs.mak devices/dcontrib.mak contrib/contrib.mak"
for F in $catalog_devices_source_files
do test -r $F || exit 99
done
# Do not pollute the build log file with zillions of meaningless messages:
set +x
cat /dev/null >catalog.devices
for D in $( LD_LIBRARY_PATH=%{buildroot}/%{_libdir} %{buildroot}/usr/bin/gs -h | sed -n -e '/^Available devices:/,/^Search path:/p' | egrep -v '^Available devices:|^Search path:' )
do for F in $catalog_devices_source_files
do sed -n -e '/ Catalog /,/ End of catalog /p' $F | grep "[[:space:]]$D[[:space:]]" | grep -o '[[:alnum:]].*' | tr -s '[:blank:]' ' ' | sed -e 's/ /\t/' | expand -t16 >>catalog.devices
done
done
# Switch back to the usual build log messages:
set -x
install -m 644 catalog.devices $DOCDIR
# Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
install -d %buildroot%{_sysconfdir}/alternatives
mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
%post
/sbin/ldconfig
%{_sbindir}/update-alternatives \
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15
%postun -p /sbin/ldconfig
%preun
if test $1 -eq 0 ; then
%{_sbindir}/update-alternatives \
--remove gs %{_bindir}/gs.bin
fi
%files
%defattr(-, root, root)
%ghost %config %{_sysconfdir}/alternatives/gs
%{_bindir}/dvipdf
%{_bindir}/eps2eps
%{_bindir}/gs
%{_bindir}/gs.bin
%{_bindir}/gsbj
%{_bindir}/gsdj
%{_bindir}/gsdj500
%{_bindir}/gslj
%{_bindir}/gslp
%{_bindir}/gsnd
%{_bindir}/lprsetup.sh
%{_bindir}/pdf2dsc
%{_bindir}/pdf2ps
%{_bindir}/pf2afm
%{_bindir}/pfbtopfa
%{_bindir}/pphs
%{_bindir}/printafm
%{_bindir}/ps2ascii
%{_bindir}/ps2epsi
%{_bindir}/ps2pdf
%{_bindir}/ps2pdf12
%{_bindir}/ps2pdf13
%{_bindir}/ps2pdf14
%{_bindir}/ps2pdfwr
%{_bindir}/ps2ps
%{_bindir}/ps2ps2
%{_bindir}/unix-lpr.sh
%doc %{_mandir}/man1/dvipdf.1.gz
%doc %{_mandir}/man1/eps2eps.1.gz
%doc %{_mandir}/man1/gs.1.gz
%doc %{_mandir}/man1/gsbj.1.gz
%doc %{_mandir}/man1/gsdj.1.gz
%doc %{_mandir}/man1/gsdj500.1.gz
%doc %{_mandir}/man1/gslj.1.gz
%doc %{_mandir}/man1/gslp.1.gz
%doc %{_mandir}/man1/gsnd.1.gz
%doc %{_mandir}/man1/pdf2dsc.1.gz
%doc %{_mandir}/man1/pdf2ps.1.gz
%doc %{_mandir}/man1/pf2afm.1.gz
%doc %{_mandir}/man1/pfbtopfa.1.gz
%doc %{_mandir}/man1/printafm.1.gz
%doc %{_mandir}/man1/ps2ascii.1.gz
%doc %{_mandir}/man1/ps2epsi.1.gz
%doc %{_mandir}/man1/ps2pdf.1.gz
%doc %{_mandir}/man1/ps2pdf12.1.gz
%doc %{_mandir}/man1/ps2pdf13.1.gz
%doc %{_mandir}/man1/ps2pdf14.1.gz
%doc %{_mandir}/man1/ps2pdfwr.1.gz
%doc %{_mandir}/man1/ps2ps.1.gz
%doc %{_mandir}/de/man1/dvipdf.1.gz
%doc %{_mandir}/de/man1/eps2eps.1.gz
%doc %{_mandir}/de/man1/gsnd.1.gz
%doc %{_mandir}/de/man1/pdf2dsc.1.gz
%doc %{_mandir}/de/man1/pdf2ps.1.gz
%doc %{_mandir}/de/man1/printafm.1.gz
%doc %{_mandir}/de/man1/ps2ascii.1.gz
%doc %{_mandir}/de/man1/ps2pdf.1.gz
%doc %{_mandir}/de/man1/ps2pdf12.1.gz
%doc %{_mandir}/de/man1/ps2pdf13.1.gz
%doc %{_mandir}/de/man1/ps2pdf14.1.gz
%doc %{_mandir}/de/man1/ps2ps.1.gz
%doc %{_defaultdocdir}/ghostscript
%dir %{_datadir}/doc/ghostscript
%doc %{_datadir}/doc/ghostscript/%{built_version}
%dir %{_datadir}/ghostscript
%dir %{_datadir}/ghostscript/%{built_version}
%{_datadir}/ghostscript/%{built_version}/Resource
%{_datadir}/ghostscript/%{built_version}/iccprofiles
%{_datadir}/ghostscript/%{built_version}/examples/
%{_datadir}/ghostscript/%{built_version}/lib/
%{_libdir}/libgs.so.*
%{_libdir}/ghostscript/
%{_libdir}/libijs-0.35.so
%files devel
%defattr(-,root,root)
%{_includedir}/ghostscript/
%{_libdir}/libgs.so
%{_includedir}/ijs/
%{_libdir}/libijs.so
%{_libdir}/pkgconfig/ijs.pc
%changelog

29
ghostscript.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 9.56.1:
* New PDF Interpreter: This is an entirely new implementation written in C
(rather than PostScript, as before)
* Calling Ghostscript via the GS API is now thread safe. The one limitation
is that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk,
x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be
made thread safe, due to their interaction with the X11 server, those
devices have been modified to only allow one instance in an executable.
* The PSD output device now writes ICC profiles to their output files, for
improved color fidelity.
* Our efforts in code hygiene and maintainability continue.
* The usual round of bug fixes, compatibility changes, and incremental
improvements.
* We have added the capability to build with the Tesseract OCR
engine. In such a build, new devices are available (pdfocr8/pdfocr24/
pdfocr32) which render the output file to an image, OCR that image, and
output the image "wrapped" up as a PDF file, with the OCR generated text
information included as "invisible" text (in PDF terms, text rendering mode
3).
- drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
-------------------------------------------------------------------
Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller <dmueller@suse.com>
- use _multibuild
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller <dmueller@suse.com> Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller <dmueller@suse.com>

332
ghostscript.spec
View File

@ -1,5 +1,5 @@
# #
# spec file for package ghostscript # spec file
# #
# Copyright (c) 2022 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
@ -16,90 +16,26 @@
# #
Name: ghostscript %global flavor @BUILD_FLAVOR@%{nil}
# SLE12 needs special BuildRequires. %if "%{flavor}" == "mini"
# For suse_version values see https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto %global psuffix -mini
%if 0%{?suse_version} == 1315
# For SLE12 by default CUPS 1.7.5 is provided and alternatively CUPS 1.5.4 is provided in the "legacy" module.
# For SLE12 build it with traditional CUPS 1.5.4 to ensure it works on SLE12 both with CUPS 1.7.5 and CUPS 1.5.4
# because libcups and libcupsimage in CUPS 1.7.5 are backward compatible with CUPS 1.5.4 so that applications
# that have been built with CUPS 1.5.4 also work under CUPS 1.7.5 but the libraries in CUPS 1.7.5 provide
# some additional functions so that applications that have been built with CUPS 1.7.5 and use those
# additional functions would not work under CUPS 1.7.5.
# Only in the Printing project for SLE12 use cups154-ddk (a sub package of the cups154-SLE12 source package):
BuildRequires: cups154-devel
%else %else
# Anything what is not SLE12 (i.e. SLE11 and all openSUSE versions) have "normal" BuildRequires: %global psuffix %{nil}
BuildRequires: cups-devel
%endif %endif
# dbus-1-devel is needed for "configure --enable-dbus" (see below):
BuildRequires: dbus-1-devel
BuildRequires: freetype2-devel
BuildRequires: libexpat-devel
BuildRequires: libjpeg-devel
BuildRequires: liblcms2-devel
BuildRequires: libpng-devel
BuildRequires: libtiff-devel
BuildRequires: libtool
BuildRequires: pkg-config
BuildRequires: update-alternatives
BuildRequires: xorg-x11-devel
BuildRequires: xorg-x11-fonts
BuildRequires: zlib-devel
# Always check if latest version of penjpeg becomes compatible with ghostscript
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
%endif
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
%endif
Requires(post): update-alternatives
Requires(preun):update-alternatives
Summary: The Ghostscript interpreter for PostScript and PDF
License: AGPL-3.0-only
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
# Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
# would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
# and 9.15.rc.1 is newer than 9.15 (it has one more element in the list while previous elements are equal)
# so that we use an alphabetic prefix 'pre' to make it older than 9.15 (numbers are considered newer than letters).
# But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
# because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.54.0
Release: 0
# Normal version for Ghostscript releases is the upstream version:
# tarball_version is used below to specify the directory via "setup -n":
# Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
# For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
%define tarball_version %{version}
#define tarball_version 9.26rc1
# built_version is used below in the install and files sections: # built_version is used below in the install and files sections:
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version): # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
%define built_version %{version} %define built_version %{version}
#define built_version 9.26 Name: ghostscript%{psuffix}
# Source0...Source9 is for sources from upstream: Version: 9.56.1
# Special URLs for Ghostscript release candidates: Release: 0
# see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases Summary: The Ghostscript interpreter for PostScript and PDF
# URL for Source0: License: AGPL-3.0-only
# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz Group: Productivity/Office/Other
# URL for MD5 checksums: URL: https://www.ghostscript.com/
# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS # sha512:fe5a5103c081dd87cf8b3e0bbbd0df004c0e4e04e41bded7c70372916e6e26249a0e8fa434b561292964c5f3820ee6c60ef1557827a6efb5676012ccb73ded85
# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9561/ghostscript-%{version}.tar.xz
#Source0: ghostscript-%{tarball_version}.tar.gz Source10: apparmor_ghostscript
# Normal URLs for Ghostscript releases:
# URL for Source0:
# wget -O ghostscript-9.54.0.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9540/ghostscript-9.54.0.tar.gz
# URL for MD5 checksums:
# wget -O gs9540.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9540/MD5SUMS
# MD5 checksum for Source0: 5d571792a8eb826c9f618fb69918d9fc ghostscript-9.54.0.tar.gz
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream: # Patch0...Patch9 is for patches from upstream:
# Source10...Source99 is for sources from SUSE which are intended for upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
@ -111,18 +47,17 @@ Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch Patch101: ijs_exec_server_dont_use_sh.patch
# Patch102 CVE-2021-3781.patch is BuildRequires: freetype2-devel
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde BuildRequires: libjpeg-devel
# that fixes CVE-2021-3781 Trivial -dSAFER bypass BuildRequires: liblcms2-devel
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 BuildRequires: libpng-devel
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 BuildRequires: libtiff-devel
Patch102: CVE-2021-3781.patch BuildRequires: libtool
# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from BuildRequires: pkgconfig
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 BuildRequires: update-alternatives
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish BuildRequires: zlib-devel
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml Requires(post): update-alternatives
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304 Requires(preun):update-alternatives
Patch103: CVE-2021-45949.patch
# RPM dependencies: # RPM dependencies:
# Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
# "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@ -170,54 +105,49 @@ Patch103: CVE-2021-45949.patch
# ghostscript-mini installed (but only the full featured ghostscript package) # ghostscript-mini installed (but only the full featured ghostscript package)
# because ghostscript-mini (and ghostscript-mini-devel) are not published # because ghostscript-mini (and ghostscript-mini-devel) are not published
# in openSUSE products, cf. https://build.opensuse.org/request/show/877083 # in openSUSE products, cf. https://build.opensuse.org/request/show/877083
Provides: ghostscript_any Provides: ghostscript_any = %{version}
Provides: gs %if "%{flavor}" != "mini"
Provides: gs_lib BuildRequires: dbus-1-devel
BuildRequires: libexpat-devel
BuildRequires: xorg-x11-devel
BuildRequires: xorg-x11-fonts
%if 0%{?suse_version} == 1315
BuildRequires: cups154-devel
%else
BuildRequires: cups-devel
%endif
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
%endif
%endif
# Always check if latest version of openjpeg becomes compatible with ghostscript
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
%endif
%if "%{flavor}" == "mini"
Conflicts: ghostscript
Conflicts: ghostscript-devel
Conflicts: ghostscript-library
Conflicts: ghostscript-x11
%else
Recommends: ghostscript-x11 = %{version}-%{release}
Conflicts: ghostscript-x11 < %{version}-%{release}
Provides: gs = %{version}
Provides: gs_lib = %{version}
# There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4. # There is a needless requirement for pstoraster in gutenprint up to openSUSE 11.4.
# Satisfy it to be backward compatible with installed gutenprint packages: # Satisfy it to be backward compatible with installed gutenprint packages:
Provides: pstoraster Provides: pstoraster
# Replace any version of the packages ghostscript-library and ghostscript-mini silently. Provides: %{version}
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because
# this package ghostscript should replace any version of ghostscript-mini.
# There is intentionally no "Provides: ghostscript-mini" here because this
# would cause a conflict when this package ghostscript should be re-replaced
# by ghostscript-library because ghostscript-library conflicts with ghostscript-mini
# so that there would be no easy way back from ghostscript to ghostscript-library.
# Different versions must be explicitly specified in Provides and Obsoletes
# to avoid a RPMLINT warning that the package obsoletes itself
# because an unversioned RPM dependency means "all versions".
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two obsoletes are used:
Provides: ghostscript-library = %{version} Provides: ghostscript-library = %{version}
Obsoletes: ghostscript-library < %{version} Obsoletes: ghostscript-library < %{version}
Obsoletes: ghostscript-library > %{version} # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
# this package ghostscript should replace any version of ghostscript-mini.
Obsoletes: ghostscript-mini Obsoletes: ghostscript-mini
# The ghostscript-x11 sub-package requires the exact matching version-release
# of the ghostscript main-package (see below) so that the ghostscript main-package
# should conflict with a non-matching ghostscript-x11 package to make sure
# that the ghostscript main-package is not changed without changing
# the ghostscript-x11 sub-package accordingly.
# The RPM documentation http://www.rpm.org/max-rpm/s1-rpm-depend-manual-dependencies.html
# and /usr/share/doc/packages/rpm/manual/dependencies (in rpm-4.8.0 in openSUSE 11.4)
# does not show a comparison operator for "not equal" so that two conflicts are used:
Conflicts: ghostscript-x11 < %{version}-%{release}
Conflicts: ghostscript-x11 > %{version}-%{release}
# When the ghostscript main-package is installed, usually the exact matching
# version-release of the ghostscript-x11 sub-package should be also installed:
Recommends: ghostscript-x11 = %{version}-%{release}
# When the ghostscript main-package is installed, usually the CUPS filters gstoraster and gstopxl
# should be also installed. Since version 9.10 those CUPS filters are removed from Ghostscript
# and are now provided by the binary RPM sub-package cups-filters-ghostscript
# (see the cups-filters-ghostscript sub-package description).
# No RPM requirement because Ghostscript can be used without those CUPS filters
# and cups-filters-ghostscript is only available for newer openSUSE versions
# (currently since openSUSE 12.2) but in particular not for SLE11:
%if 0%{?suse_version} > 1210 %if 0%{?suse_version} > 1210
Recommends: cups-filters-ghostscript Recommends: cups-filters-ghostscript
%endif %endif
# Install into this non-root directory (required when norootforbuild is used): %endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
Ghostscript is a package of software that provides: Ghostscript is a package of software that provides:
@ -241,7 +171,7 @@ capabilities that appear as primitive operations
in the PostScript language and in PDF. in the PostScript language and in PDF.
For information how to use Ghostscript see For information how to use Ghostscript see
/usr/share/ghostscript/%{version}/doc/Use.htm %{_datadir}/ghostscript/%{version}/doc/Use.htm
%package x11 %package x11
Summary: X11 library for Ghostscript Summary: X11 library for Ghostscript
@ -268,8 +198,7 @@ Requires: ghostscript = %{version}-%{release}
Conflicts: ghostscript-library < %{version} Conflicts: ghostscript-library < %{version}
Conflicts: ghostscript-library > %{version} Conflicts: ghostscript-library > %{version}
Conflicts: ghostscript-mini Conflicts: ghostscript-mini
# In openSUSE:Factory (dated 22 Feb. 2012) ghostview gv and texlive-bin require ghostscript_x11 (see above): Provides: ghostscript_x11 = %{version}
Provides: ghostscript_x11
%description x11 %description x11
This package contains the X11 library which is needed This package contains the X11 library which is needed
@ -300,9 +229,8 @@ Conflicts: ghostscript-mini-devel
This package contains the development files for Ghostscript. This package contains the development files for Ghostscript.
%prep %prep
# Be quiet when unpacking and %setup -q -n ghostscript-%{version}
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream # Again use the zlib sources from Ghostscript upstream
@ -312,18 +240,6 @@ This package contains the development files for Ghostscript.
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1 %patch101 -p1
# Patch102 CVE-2021-3781.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
# that fixes CVE-2021-3781 Trivial -dSAFER bypass
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381
%patch102 -p1
# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
%patch103
# Remove patch backup files to avoid packaging # Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052 # cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig rm -f Resource/Init/*.ps.orig
@ -370,7 +286,7 @@ rm -rf lcms2art
%build %build
# Derive build timestamp from latest changelog entry # Derive build timestamp from latest changelog entry
export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s) export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s})
# Set our preferred architecture-specific flags for the compiler and linker: # Set our preferred architecture-specific flags for the compiler and linker:
export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC" export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC" export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
@ -398,15 +314,10 @@ autoreconf -fi
# into the library, which is the upstream recommendation for distributions. This also allows # into the library, which is the upstream recommendation for distributions. This also allows
# unbundling the 35 Postscript Standard fonts, provided by the URW font package # unbundling the 35 Postscript Standard fonts, provided by the URW font package
# --without-libpaper disables libpaper support because SUSE does not have libpaper. # --without-libpaper disables libpaper support because SUSE does not have libpaper.
%define gs_font_path /usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
# See http://bugs.ghostscript.com/show_bug.cgi?id=693100 # See http://bugs.ghostscript.com/show_bug.cgi?id=693100
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
./configure --prefix=%{_prefix} \ %configure \
--bindir=%{_bindir} \
--libdir=%{_libdir} \
--datadir=%{_datadir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--with-fontpath=%{gs_font_path} \ --with-fontpath=%{gs_font_path} \
--with-libiconv=maybe \ --with-libiconv=maybe \
--enable-freetype \ --enable-freetype \
@ -414,11 +325,20 @@ export SUSE_ASNEEDED=0
--enable-openjpeg \ --enable-openjpeg \
--enable-dynamic \ --enable-dynamic \
--disable-compile-inits \ --disable-compile-inits \
%if "%{flavor}" == "mini"
--without-ijs \
--disable-cups \
--disable-dbus \
--without-pdftoraster \
--with-drivers=FILES \
--without-x \
%else
--without-local-zlib \ --without-local-zlib \
--with-ijs \ --with-ijs \
--enable-cups \ --enable-cups \
--with-drivers=ALL \ --with-drivers=ALL \
--with-x \ --with-x \
%endif
--disable-gtk \ --disable-gtk \
--without-ufst \ --without-ufst \
--without-luratech \ --without-luratech \
@ -428,20 +348,13 @@ export SUSE_ASNEEDED=0
# With --disable-gtk, gsx and gsc are identical. It provides a command line # With --disable-gtk, gsx and gsc are identical. It provides a command line
# frontend to libgs equivalent (functional and command line arguments) to # frontend to libgs equivalent (functional and command line arguments) to
# the gs binary, but uses the shared libgs instead of static linking # the gs binary, but uses the shared libgs instead of static linking
make so %make_build so
# Configure and make libijs (that is not done regardless whether or not --with-ijs is used above): # Configure and make libijs (that is not done regardless whether or not --with-ijs is used above):
pushd ijs pushd ijs
./autogen.sh ./autogen.sh
autoreconf -fi autoreconf -fi
./configure --prefix=%{_prefix} \ %configure --enable-shared --disable-static
--bindir=%{_bindir} \ %make_build
--libdir=%{_libdir} \
--datadir=%{_datadir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--enable-shared \
--disable-static
make
popd popd
%install %install
@ -452,7 +365,7 @@ mv %{buildroot}/%{_bindir}/{gsc,gs}
rm %{buildroot}/%{_bindir}/gsx rm %{buildroot}/%{_bindir}/gsx
# Install libijs and its header files: # Install libijs and its header files:
pushd ijs pushd ijs
make install DESTDIR=%{buildroot} %make_install
popd popd
# Remove installed ijs example client and server and its .la file: # Remove installed ijs example client and server and its .la file:
rm %{buildroot}%{_bindir}/ijs_client_example rm %{buildroot}%{_bindir}/ijs_client_example
@ -495,7 +408,7 @@ done
# Do not pollute the build log file with zillions of meaningless messages: # Do not pollute the build log file with zillions of meaningless messages:
set +x set +x
cat /dev/null >catalog.devices cat /dev/null >catalog.devices
for D in $( LD_LIBRARY_PATH=%{buildroot}/%{_libdir} %{buildroot}/usr/bin/gs -h | sed -n -e '/^Available devices:/,/^Search path:/p' | egrep -v '^Available devices:|^Search path:' ) for D in $( LD_LIBRARY_PATH=%{buildroot}/%{_libdir} %{buildroot}%{_bindir}/gs -h | sed -n -e '/^Available devices:/,/^Search path:/p' | grep -E -v '^Available devices:|^Search path:' )
do for F in $catalog_devices_source_files do for F in $catalog_devices_source_files
do sed -n -e '/ Catalog /,/ End of catalog /p' $F | grep "[[:space:]]$D[[:space:]]" | grep -o '[[:alnum:]].*' | tr -s '[:blank:]' ' ' | sed -e 's/ /\t/' | expand -t16 >>catalog.devices do sed -n -e '/ Catalog /,/ End of catalog /p' $F | grep "[[:space:]]$D[[:space:]]" | grep -o '[[:alnum:]].*' | tr -s '[:blank:]' ' ' | sed -e 's/ /\t/' | expand -t16 >>catalog.devices
done done
@ -503,18 +416,22 @@ done
# Switch back to the usual build log messages: # Switch back to the usual build log messages:
set -x set -x
install -m 644 catalog.devices $DOCDIR install -m 644 catalog.devices $DOCDIR
install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript %if "%{flavor}" != "mini"
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
%endif
# Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives # Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
install -d %buildroot%{_sysconfdir}/alternatives install -d %{buildroot}%{_sysconfdir}/alternatives
mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
%post %post
/sbin/ldconfig /sbin/ldconfig
%if "%{flavor}" != "mini"
%if 0%{?suse_version} >= 1500 %if 0%{?suse_version} >= 1500
%apparmor_reload /etc/apparmor.d/ghostscript %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
%endif
%endif %endif
%{_sbindir}/update-alternatives \ %{_sbindir}/update-alternatives \
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15 --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
@ -528,7 +445,6 @@ if test $1 -eq 0 ; then
fi fi
%files %files
%defattr(-, root, root)
%ghost %config %{_sysconfdir}/alternatives/gs %ghost %config %{_sysconfdir}/alternatives/gs
%{_bindir}/dvipdf %{_bindir}/dvipdf
%{_bindir}/eps2eps %{_bindir}/eps2eps
@ -557,40 +473,40 @@ fi
%{_bindir}/ps2ps %{_bindir}/ps2ps
%{_bindir}/ps2ps2 %{_bindir}/ps2ps2
%{_bindir}/unix-lpr.sh %{_bindir}/unix-lpr.sh
%doc %{_mandir}/man1/dvipdf.1.gz %{_mandir}/man1/dvipdf.1%{?ext_man}
%doc %{_mandir}/man1/eps2eps.1.gz %{_mandir}/man1/eps2eps.1%{?ext_man}
%doc %{_mandir}/man1/gs.1.gz %{_mandir}/man1/gs.1%{?ext_man}
%doc %{_mandir}/man1/gsbj.1.gz %{_mandir}/man1/gsbj.1%{?ext_man}
%doc %{_mandir}/man1/gsdj.1.gz %{_mandir}/man1/gsdj.1%{?ext_man}
%doc %{_mandir}/man1/gsdj500.1.gz %{_mandir}/man1/gsdj500.1%{?ext_man}
%doc %{_mandir}/man1/gslj.1.gz %{_mandir}/man1/gslj.1%{?ext_man}
%doc %{_mandir}/man1/gslp.1.gz %{_mandir}/man1/gslp.1%{?ext_man}
%doc %{_mandir}/man1/gsnd.1.gz %{_mandir}/man1/gsnd.1%{?ext_man}
%doc %{_mandir}/man1/pdf2dsc.1.gz %{_mandir}/man1/pdf2dsc.1%{?ext_man}
%doc %{_mandir}/man1/pdf2ps.1.gz %{_mandir}/man1/pdf2ps.1%{?ext_man}
%doc %{_mandir}/man1/pf2afm.1.gz %{_mandir}/man1/pf2afm.1%{?ext_man}
%doc %{_mandir}/man1/pfbtopfa.1.gz %{_mandir}/man1/pfbtopfa.1%{?ext_man}
%doc %{_mandir}/man1/printafm.1.gz %{_mandir}/man1/printafm.1%{?ext_man}
%doc %{_mandir}/man1/ps2ascii.1.gz %{_mandir}/man1/ps2ascii.1%{?ext_man}
%doc %{_mandir}/man1/ps2epsi.1.gz %{_mandir}/man1/ps2epsi.1%{?ext_man}
%doc %{_mandir}/man1/ps2pdf.1.gz %{_mandir}/man1/ps2pdf.1%{?ext_man}
%doc %{_mandir}/man1/ps2pdf12.1.gz %{_mandir}/man1/ps2pdf12.1%{?ext_man}
%doc %{_mandir}/man1/ps2pdf13.1.gz %{_mandir}/man1/ps2pdf13.1%{?ext_man}
%doc %{_mandir}/man1/ps2pdf14.1.gz %{_mandir}/man1/ps2pdf14.1%{?ext_man}
%doc %{_mandir}/man1/ps2pdfwr.1.gz %{_mandir}/man1/ps2pdfwr.1%{?ext_man}
%doc %{_mandir}/man1/ps2ps.1.gz %{_mandir}/man1/ps2ps.1%{?ext_man}
%doc %{_mandir}/de/man1/dvipdf.1.gz %{_mandir}/de/man1/dvipdf.1%{?ext_man}
%doc %{_mandir}/de/man1/eps2eps.1.gz %{_mandir}/de/man1/eps2eps.1%{?ext_man}
%doc %{_mandir}/de/man1/gsnd.1.gz %{_mandir}/de/man1/gsnd.1%{?ext_man}
%doc %{_mandir}/de/man1/pdf2dsc.1.gz %{_mandir}/de/man1/pdf2dsc.1%{?ext_man}
%doc %{_mandir}/de/man1/pdf2ps.1.gz %{_mandir}/de/man1/pdf2ps.1%{?ext_man}
%doc %{_mandir}/de/man1/printafm.1.gz %{_mandir}/de/man1/printafm.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2ascii.1.gz %{_mandir}/de/man1/ps2ascii.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2pdf.1.gz %{_mandir}/de/man1/ps2pdf.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2pdf12.1.gz %{_mandir}/de/man1/ps2pdf12.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2pdf13.1.gz %{_mandir}/de/man1/ps2pdf13.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2pdf14.1.gz %{_mandir}/de/man1/ps2pdf14.1%{?ext_man}
%doc %{_mandir}/de/man1/ps2ps.1.gz %{_mandir}/de/man1/ps2ps.1%{?ext_man}
%doc %{_defaultdocdir}/ghostscript %doc %{_defaultdocdir}/ghostscript
%dir %{_datadir}/doc/ghostscript %dir %{_datadir}/doc/ghostscript
%doc %{_datadir}/doc/ghostscript/%{built_version} %doc %{_datadir}/doc/ghostscript/%{built_version}
@ -603,6 +519,7 @@ fi
%{_libdir}/libgs.so.* %{_libdir}/libgs.so.*
%{_libdir}/ghostscript/ %{_libdir}/ghostscript/
%{_libdir}/libijs-0.35.so %{_libdir}/libijs-0.35.so
%if "%{flavor}" != "mini"
%exclude %{_libdir}/ghostscript/%{built_version}/X11.so %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
%if 0%{?suse_version} < 1500 %if 0%{?suse_version} < 1500
%dir %{_sysconfdir}/apparmor.d %dir %{_sysconfdir}/apparmor.d
@ -610,11 +527,10 @@ fi
%{_sysconfdir}/apparmor.d/ghostscript %{_sysconfdir}/apparmor.d/ghostscript
%files x11 %files x11
%defattr(-,root,root)
%{_libdir}/ghostscript/%{built_version}/X11.so %{_libdir}/ghostscript/%{built_version}/X11.so
%endif
%files devel %files devel
%defattr(-,root,root)
%{_includedir}/ghostscript/ %{_includedir}/ghostscript/
%{_libdir}/libgs.so %{_libdir}/libgs.so
%{_includedir}/ijs/ %{_includedir}/ijs/