Accepting request 1269536 from Printing

OBS-URL: https://build.opensuse.org/request/show/1269536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=72

2010_add_build_timestamp_setting.patch

@@ -0,0 +1,120 @@
+Description: Allow the build timestamp to be externally set
+ In order to make Ghostscript output reproducible, we need a way to
+ set the build timestamp to other values than the current time.
+ We now consistently use gp_get_realtime() instead of directly calling
+ time() or gp_get_usertime() and make gp_get_realtime() use the value
+ found in the SOURCE_DATE_EPOCH environment variable if set. Also,
+ environment timezone is fixed to UTC if SOURCE_DATE_EPOCH is used to
+ avoid variations.
+Author: Eduard Sanou <dhole@openmailbox.org>
+Author: Peter De Wachter <pdewacht@gmail.com>
+Bug-Debian: https://bugs.debian.org/794004
+Forwarded: not-needed
+Last-Update: 2023-09-13
+---
+This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
+--- a/base/gp_unix.c
++++ b/base/gp_unix.c
+@@ -19,6 +19,7 @@
+ #ifdef __MINGW32__
+ #  include "windows_.h"
+ #endif
++#include "errno_.h"
+ #include "pipe_.h"
+ #include "string_.h"
+ #include "time_.h"
+@@ -149,6 +150,7 @@
+ gp_get_realtime(long *pdt)
+ {
+     struct timeval tp;
++    const char *env;
+ 
+ #if gettimeofday_no_timezone    /* older versions of SVR4 */
+     {
+@@ -168,6 +170,26 @@
+     }
+ #endif
+ 
++    env = getenv("SOURCE_DATE_EPOCH");
++    if (env) {
++        char *end;
++        long timestamp;
++
++        errno = 0;
++        timestamp = strtol(env, &end, 10);
++        if (env == end || *end || errno != 0) {
++            lprintf("Ghostscript: SOURCE_DATE_EPOCH is not a number!\n");
++            timestamp = 0;
++        }
++
++        tp.tv_sec = timestamp;
++        tp.tv_usec = 0;
++
++        /* We need to fix the environment timezone to get reproducible */
++        /* results when parsing the result of gp_get_realtime. */
++        setenv("TZ", "UTC", 1);
++    }
++
+     /* tp.tv_sec is #secs since Jan 1, 1970 */
+     pdt[0] = tp.tv_sec;
+ 
+--- a/devices/vector/gdevpdf.c
++++ b/devices/vector/gdevpdf.c
+@@ -437,6 +437,7 @@
+     if (!pdev->OmitInfoDate)
+     {
+         struct tm tms;
++        long secs_ns[2];
+         time_t t;
+         char buf[1+2+4+2+2+2+2+2+1+2+1+2+1+1+1]; /* (D:yyyymmddhhmmssZhh'mm')\0 */
+         int timeoffset;
+@@ -448,7 +449,8 @@
+         timesign = 'Z';
+         timeoffset = 0;
+ #else
+-        time(&t);
++        gp_get_realtime(secs_ns);
++        t = secs_ns[0];
+         tms = *gmtime(&t);
+         tms.tm_isdst = -1;
+         timeoffset = (int)difftime(t, mktime(&tms)); /* tz+dst in seconds */
+--- a/devices/vector/gdevpdfe.c
++++ b/devices/vector/gdevpdfe.c
+@@ -216,6 +216,7 @@
+ {
+     /* We don't write a day time because we don't have a time zone. */
+     struct tm tms;
++    long secs_ns[2];
+     time_t t;
+     char buf1[4+1+2+1+2+1]; /* yyyy-mm-dd\0 */
+ 
+@@ -223,7 +224,8 @@
+     memset(&t, 0, sizeof(t));
+     memset(&tms, 0, sizeof(tms));
+ #else
+-    time(&t);
++    gp_get_realtime(secs_ns);
++    t = secs_ns[0];
+     tms = *localtime(&t);
+ #endif
+     gs_snprintf(buf1, sizeof(buf1),
+--- a/devices/vector/gdevpsu.c
++++ b/devices/vector/gdevpsu.c
+@@ -187,6 +187,7 @@
+             dev->dname);
+ #endif
+     {
++        long secs_ns[2];
+         time_t t;
+         struct tm tms;
+ 
+@@ -194,7 +195,8 @@
+         memset(&t, 0, sizeof(t));
+         memset(&tms, 0, sizeof(tms));
+ #else
+-        time(&t);
++        gp_get_realtime(secs_ns);
++        t = secs_ns[0];
+         tms = *localtime(&t);
+ #endif
+         fprintf(f, "%%%%CreationDate: %d/%02d/%02d %02d:%02d:%02d\n",

ghostscript.changes

@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Thu Apr 10 19:39:55 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
+  still allow build on Leap 15.6
+
+-------------------------------------------------------------------
+Tue Apr  1 09:56:06 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 10.05.0
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
+  * This release addresses:
+    + CVE-2025-27830 (bsc#1240074)
+    + CVE-2025-27831 (bsc#1240075)
+    + CVE-2025-27832 (bsc#1240077)
+    + CVE-2025-27833 (bsc#1240078)
+    + CVE-2025-27834 (bsc#1240079)
+    + CVE-2025-27835 (bsc#1240080)
+    + CVE-2025-27836 (bsc#1240081)
+    + CVE-2025-27837 (bsc#1240082 - affects only Windows)
+  * The 10.05.0 release deprecates the non-standard operator
+    "selectdevice", all code should now be using the standard
+    "setpagedevice" operator. "selectdevice" will be removed
+    in the 10.06.0 release.
+  * We now support production of PDF/X-1a and PDF/X-4a
+    in addition to the existing support for PDF/X-3
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements. 
+- In Ghostscript 10.05.0 the pdf2dsc utility is removed because
+  its PostScript program pdf2dsc.ps uses chunks of the old PDF
+  interpreter which is replaced with a new implementation
+  (in C instead of PostScript) in the 10.x series of Ghostscript
+  so pdf2dsc can no longer work as intended. For details see the
+  "Please restore PDF2DSC for preview-latex" mail thread e.g. on
+  https://mail.gnu.org/archive/html/auctex-devel/2025-03/threads.html
+
+-------------------------------------------------------------------
+Tue Feb  4 09:42:47 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add reproducible.patch to not embed timestamp in .h file
+- Add 2010_add_build_timestamp_setting.patch to allow overriding
+  timestamp in generated pdf (boo#1236773)
+
+-------------------------------------------------------------------
+Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
+
+- Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024"
+  by adding the individual "bsc" numbers for each CVE, see
+  https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4
+  and by adding the "IMPORTANT" change in Ghostscript 10.04.0
+- spec file cleanup: removed the special cases for SLE12
+  i.e. rely on "suse_version >= 1500" as given precondition
+  (recent Ghostscript versions fail to build in SLE12 anyway)
+
+-------------------------------------------------------------------
+Wed Oct 23 08:54:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- Version upgrade to 10.04.0 (bsc#1232173):
+  Highlights in this release include:
+  See 'Recent Changes in Ghostscript' at Ghostscript upstream
+  https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
+  * This release addresses:
+    + CVE-2024-46951 (bsc#1232265)
+    + CVE-2024-46952 (bsc#1232266)
+    + CVE-2024-46953 (bsc#1232267)
+    + CVE-2024-46954 (bsc#1232268)
+    + CVE-2024-46955 (bsc#1232269)
+    + CVE-2024-46956 (bsc#1232270)
+  * IMPORTANT: In this release (10.04.0)
+    we (i.e. Ghostscript upstream) have be added
+    protection for device selection from PostScript input.
+    This will mean that, by default, only the device specified
+    on the command line will be permitted. Similar to the file
+    permissions, there will be a "--permit-devices=" allowing
+    a comma separation list of allowed devices. This will also
+    take a single wildcard "*" allowing any device.
+    Any application which relies on allowing PostScript
+    to change devices during a job will have to be aware,
+    and take action to deal with this change.
+    The exception is "nulldevice", switching to that requires
+    no special action. 
+
 -------------------------------------------------------------------
 Mon Jul  1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 

ghostscript.spec

@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package ghostscript
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,19 +24,25 @@
 %bcond_without  apparmor
 %endif
 Name:           ghostscript%{psuffix}
-Version:        10.03.1
+Version:        10.05.0
 Release:        0
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          Productivity/Office/Other
 URL:            https://www.ghostscript.com/
-# How to manually get Source0:
+# Use "osc service manualrun" to fetch Source0:
+Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-%{version}.tar.gz
+# How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
+# (example for the Ghostscript 10.05.1 release):
 # Go to https://www.ghostscript.com
-# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
+# -> [Download] or "Releases" https://ghostscript.com/releases/index.html
-# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
+# -> "Ghostscript" https://ghostscript.com/releases/gsdnld.htm
-# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
+# -> "Ghostscript 10.05.0 Source for all platforms / Ghostscript AGPL Release"
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/ghostscript-10.05.0.tar.gz
-Source0:        https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
+# and "MD5 Checksums"
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/MD5SUMS
+# and on https://ghostscript.com/releases/index.html
+# -> "release notes" https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
 Source10:       apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -46,6 +52,8 @@ Source10:       apparmor_ghostscript
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 Patch101:       ijs_exec_server_dont_use_sh.patch
+Patch102:       reproducible.patch
+Patch103:       2010_add_build_timestamp_setting.patch
 # Build Requirements:
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@@ -57,7 +65,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  update-alternatives
 BuildRequires:  zlib-devel
 Requires(post): update-alternatives
-Requires(preun):update-alternatives
+Requires(preun): update-alternatives
 # Provide the additional RPM Provides of the ghostscript-library package
 # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below).
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
@@ -71,6 +79,7 @@ Requires(preun):update-alternatives
 # in openSUSE products, cf. https://build.opensuse.org/request/show/877083
 Provides:       ghostscript_any = %{version}
 %if "%{flavor}" != "mini"
+BuildRequires:  cups-devel
 BuildRequires:  dbus-1-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  xorg-x11-fonts
@@ -80,18 +89,11 @@ BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xext)
 BuildRequires:  pkgconfig(xproto)
 BuildRequires:  pkgconfig(xt)
-%if 0%{?suse_version} == 1315
-BuildRequires:  cups154-devel
-%else
-BuildRequires:  cups-devel
-%endif
 %if %{with apparmor}
-%if 0%{?suse_version} >= 1500
 BuildRequires:  apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
 %endif
 %endif
-%endif
 # Always check if latest version of openjpeg becomes compatible with ghostscript
 %if 0%{?suse_version} >= 1550
 BuildRequires:  pkgconfig(libopenjp2) >= 2.3.1
@@ -113,10 +115,8 @@ Obsoletes:      ghostscript-library < %{version}
 # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
 # this package ghostscript should replace any version of ghostscript-mini.
 Obsoletes:      ghostscript-mini
-%if 0%{?suse_version} > 1210
 Recommends:     (cups-filters-ghostscript if cups)
 %endif
-%endif
 
 %description
 Ghostscript is a package of software that provides:
@@ -176,12 +176,14 @@ rm -rf freetype jpeg libpng lcms2art zlib tiff
 %if 0%{?suse_version} >= 1550
 rm -rf openjpeg
 %endif
+%patch -P102 -p1
+%patch -P103 -p1
 
 %build
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%{s})
 # Set our preferred architecture-specific flags for the compiler and linker:
-export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
+export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -std=gnu11"
 export CXXFLAGS="%{optflags} -fno-strict-aliasing -fPIC"
 export LDFLAGS="-pie"
 autoreconf -fi
@@ -330,11 +332,9 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
 /sbin/ldconfig
 %if %{with apparmor}
 %if "%{flavor}" != "mini"
-%if 0%{?suse_version} >= 1500
 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 %endif
-%endif
 %{_sbindir}/update-alternatives \
   --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
 
@@ -360,7 +360,6 @@ fi
 %{_bindir}/gslp
 %{_bindir}/gsnd
 %{_bindir}/lprsetup.sh
-%{_bindir}/pdf2dsc
 %{_bindir}/pdf2ps
 %{_bindir}/pf2afm
 %{_bindir}/pfbtopfa
@@ -385,7 +384,6 @@ fi
 %{_mandir}/man1/gslj.1%{?ext_man}
 %{_mandir}/man1/gslp.1%{?ext_man}
 %{_mandir}/man1/gsnd.1%{?ext_man}
-%{_mandir}/man1/pdf2dsc.1%{?ext_man}
 %{_mandir}/man1/pdf2ps.1%{?ext_man}
 %{_mandir}/man1/pf2afm.1%{?ext_man}
 %{_mandir}/man1/pfbtopfa.1%{?ext_man}
@@ -413,9 +411,6 @@ fi
 %if "%{flavor}" != "mini"
 %exclude %{_libdir}/ghostscript/%{version}/X11.so
 %if %{with apparmor}
-%if 0%{?suse_version} < 1500
-%dir %{_sysconfdir}/apparmor.d
-%endif
 %{_sysconfdir}/apparmor.d/ghostscript
 %endif
 

reproducible.patch

@@ -0,0 +1,20 @@
+Date: 2024-09-20
+Author: Bernhard M. Wiedemann <bwiedemann suse de>
+
+Drop build date from generated .h file
+so that openSUSE's ghostscript-debugsource package
+does not vary between builds.
+
+Index: ghostscript-10.03.1/base/pack_ps.c
+===================================================================
+--- ghostscript-10.03.1.orig/base/pack_ps.c
++++ ghostscript-10.03.1/base/pack_ps.c
+@@ -344,7 +344,7 @@ main(int argc, char *argv[])
+     if (!buildtime) {
+         buildtime = time(NULL);
+     }
+-    fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" at time %ld */\n", infilename, (long)buildtime);
++    fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" */\n", infilename);
+ 
+     while (readline(infile, inputline, INPUT_LINE_LENGTH_MAX)) {
+