forked from pool/ghostscript

Compare commits


7 Commits

Author SHA256 Message Date
Ana Guerrero
6d31b2d91c Accepting request 1243309 from Printing
OBS-URL: https://build.opensuse.org/request/show/1243309
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=70
2025-02-07 21:56:34 +00:00
ed0cd398de - Add reproducible.patch to not embed timestamp in .h file
- Add 2010_add_build_timestamp_setting.patch to allow overriding timestamp in generated pdf (boo#1236773)

OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=186
2025-02-05 10:42:48 +00:00
Dominique Leuenberger
3c75751adb Accepting request 1219571 from Printing
Ghostscript spec file cleanup and enhanced previous changes entry related to bsc#1232173 (forwarded request 1219570 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1219571
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=69
2024-10-31 15:08:37 +00:00
Johannes Meixner
95fe8833c4 Ghostscript spec file cleanup and enhanced previous changes entry related to bsc#1232173
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=184
2024-10-30 13:05:40 +00:00
Ana Guerrero
2525313e1a Accepting request 1217373 from Printing
- update to 10.04.0 (bsc#1232173):
  * Amongst other general bug fixes, this release addresses:
    + CVE-2024-46951
    + CVE-2024-46952
    + CVE-2024-46953
    + CVE-2024-46954
    + CVE-2024-46955
    + CVE-2024-46956

OBS-URL: https://build.opensuse.org/request/show/1217373
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=68
2024-10-23 19:08:11 +00:00
dba243cc78 - update to 10.04.0 (bsc#1232173):
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=182
2024-10-23 14:55:07 +00:00
060a007833 - update to 10.04.0:
* Amongst other general bug fixes, this release addresses:
    + CVE-2024-46951
    + CVE-2024-46952
    + CVE-2024-46953
    + CVE-2024-46954
    + CVE-2024-46955
    + CVE-2024-46956

OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=181
2024-10-23 08:58:28 +00:00
6 changed files with 199 additions and 20 deletions

@ -0,0 +1,120 @@
Description: Allow the build timestamp to be externally set
In order to make Ghostscript output reproducible, we need a way to
set the build timestamp to other values than the current time.
We now consistently use gp_get_realtime() instead of directly calling
time() or gp_get_usertime() and make gp_get_realtime() use the value
found in the SOURCE_DATE_EPOCH environment variable if set. Also,
environment timezone is fixed to UTC if SOURCE_DATE_EPOCH is used to
avoid variations.
Author: Eduard Sanou <dhole@openmailbox.org>
Author: Peter De Wachter <pdewacht@gmail.com>
Bug-Debian: https://bugs.debian.org/794004
Forwarded: not-needed
Last-Update: 2023-09-13
---
This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
--- a/base/gp_unix.c
+++ b/base/gp_unix.c
@@ -19,6 +19,7 @@
#ifdef __MINGW32__
# include "windows_.h"
#endif
+#include "errno_.h"
#include "pipe_.h"
#include "string_.h"
#include "time_.h"
@@ -149,6 +150,7 @@
gp_get_realtime(long *pdt)
{
struct timeval tp;
+ const char *env;
#if gettimeofday_no_timezone /* older versions of SVR4 */
{
@@ -168,6 +170,26 @@
}
#endif
+ env = getenv("SOURCE_DATE_EPOCH");
+ if (env) {
+ char *end;
+ long timestamp;
+
+ errno = 0;
+ timestamp = strtol(env, &end, 10);
+ if (env == end || *end || errno != 0) {
+ lprintf("Ghostscript: SOURCE_DATE_EPOCH is not a number!\n");
+ timestamp = 0;
+ }
+
+ tp.tv_sec = timestamp;
+ tp.tv_usec = 0;
+
+ /* We need to fix the environment timezone to get reproducible */
+ /* results when parsing the result of gp_get_realtime. */
+ setenv("TZ", "UTC", 1);
+ }
+
/* tp.tv_sec is #secs since Jan 1, 1970 */
pdt[0] = tp.tv_sec;
--- a/devices/vector/gdevpdf.c
+++ b/devices/vector/gdevpdf.c
@@ -437,6 +437,7 @@
if (!pdev->OmitInfoDate)
{
struct tm tms;
+ long secs_ns[2];
time_t t;
char buf[1+2+4+2+2+2+2+2+1+2+1+2+1+1+1]; /* (D:yyyymmddhhmmssZhh'mm')\0 */
int timeoffset;
@@ -448,7 +449,8 @@
timesign = 'Z';
timeoffset = 0;
#else
- time(&t);
+ gp_get_realtime(secs_ns);
+ t = secs_ns[0];
tms = *gmtime(&t);
tms.tm_isdst = -1;
timeoffset = (int)difftime(t, mktime(&tms)); /* tz+dst in seconds */
--- a/devices/vector/gdevpdfe.c
+++ b/devices/vector/gdevpdfe.c
@@ -216,6 +216,7 @@
{
/* We don't write a day time because we don't have a time zone. */
struct tm tms;
+ long secs_ns[2];
time_t t;
char buf1[4+1+2+1+2+1]; /* yyyy-mm-dd\0 */
@@ -223,7 +224,8 @@
memset(&t, 0, sizeof(t));
memset(&tms, 0, sizeof(tms));
#else
- time(&t);
+ gp_get_realtime(secs_ns);
+ t = secs_ns[0];
tms = *localtime(&t);
#endif
gs_snprintf(buf1, sizeof(buf1),
--- a/devices/vector/gdevpsu.c
+++ b/devices/vector/gdevpsu.c
@@ -187,6 +187,7 @@
dev->dname);
#endif
{
+ long secs_ns[2];
time_t t;
struct tm tms;
@@ -194,7 +195,8 @@
memset(&t, 0, sizeof(t));
memset(&tms, 0, sizeof(tms));
#else
- time(&t);
+ gp_get_realtime(secs_ns);
+ t = secs_ns[0];
tms = *localtime(&t);
#endif
fprintf(f, "%%%%CreationDate: %d/%02d/%02d %02d:%02d:%02d\n",
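Review bot: In the gp_unix.c hunk the SOURCE_DATE_EPOCH value is only checked for being a number, not for being a usable time, so a negative value or one close to LONG_MAX passes the `errno` test and is stored in `tp.tv_sec`. The three callers touched by this patch then do `tms = *gmtime(&t);` or `tms = *localtime(&t);` without testing the result, and both functions may return NULL when the time cannot be represented in `struct tm`, so a bad environment value becomes a NULL dereference that `time(&t)` could not produce. I would reject such input in the same branch, e.g. `if (env == end || *end || errno != 0 || timestamp < 0) {` plus an upper bound that keeps the year representable, and have the callers check the gmtime()/localtime() return value before copying it. Separately, `setenv("TZ", "UTC", 1);` changes the environment of the whole process from inside a library routine and is not safe against concurrent getenv() in a threaded host that embeds Ghostscript; the comment above it should state that side effect. The body of gp_get_realtime starts and ends outside the hunks shown here.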

BIN
ghostscript-10.03.1.tar.gz (Stored with Git LFS)

Binary file not shown.

BIN
ghostscript-10.04.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

@ -1,3 +1,49 @@
-------------------------------------------------------------------
Tue Feb 4 09:42:47 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
- Add reproducible.patch to not embed timestamp in .h file
- Add 2010_add_build_timestamp_setting.patch to allow overriding
timestamp in generated pdf (boo#1236773)
-------------------------------------------------------------------
Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024"
by adding the individual "bsc" numbers for each CVE, see
https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4
and by adding the "IMPORTANT" change in Ghostscript 10.04.0
- spec file cleanup: removed the special cases for SLE12
i.e. rely on "suse_version >= 1500" as given precondition
(recent Ghostscript versions fail to build in SLE12 anyway)
-------------------------------------------------------------------
Wed Oct 23 08:54:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
- Version upgrade to 10.04.0 (bsc#1232173):
Highlights in this release include:
See 'Recent Changes in Ghostscript' at Ghostscript upstream
https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
* This release addresses:
+ CVE-2024-46951 (bsc#1232265)
+ CVE-2024-46952 (bsc#1232266)
+ CVE-2024-46953 (bsc#1232267)
+ CVE-2024-46954 (bsc#1232268)
+ CVE-2024-46955 (bsc#1232269)
+ CVE-2024-46956 (bsc#1232270)
* IMPORTANT: In this release (10.04.0)
we (i.e. Ghostscript upstream) have be added
protection for device selection from PostScript input.
This will mean that, by default, only the device specified
on the command line will be permitted. Similar to the file
permissions, there will be a "--permit-devices=" allowing
a comma separation list of allowed devices. This will also
take a single wildcard "*" allowing any device.
Any application which relies on allowing PostScript
to change devices during a job will have to be aware,
and take action to deal with this change.
The exception is "nulldevice", switching to that requires
no special action.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com> Mon Jul 1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>

@ -24,19 +24,21 @@
%bcond_without apparmor %bcond_without apparmor
%endif %endif
Name: ghostscript%{psuffix} Name: ghostscript%{psuffix}
Version: 10.03.1 Version: 10.04.0
Release: 0 Release: 0
Summary: The Ghostscript interpreter for PostScript and PDF Summary: The Ghostscript interpreter for PostScript and PDF
License: AGPL-3.0-only License: AGPL-3.0-only
Group: Productivity/Office/Other Group: Productivity/Office/Other
URL: https://www.ghostscript.com/ URL: https://www.ghostscript.com/
# How to manually get Source0: # Use "osc service manualrun" to fetch Source0:
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-%{version}.tar.gz
# How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
# (example for the Ghostscript 10.03.1 release):
# Go to https://www.ghostscript.com # Go to https://www.ghostscript.com
# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html # -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html # -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release" # -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz # https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
Source10: apparmor_ghostscript Source10: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream: # Patch0...Patch9 is for patches from upstream:
# Source10...Source99 is for sources from SUSE which are intended for upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream:
@ -46,6 +48,8 @@ Source10: apparmor_ghostscript
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch Patch101: ijs_exec_server_dont_use_sh.patch
Patch102: reproducible.patch
Patch103: 2010_add_build_timestamp_setting.patch
# Build Requirements: # Build Requirements:
BuildRequires: freetype2-devel BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
@ -71,6 +75,7 @@ Requires(preun):update-alternatives
# in openSUSE products, cf. https://build.opensuse.org/request/show/877083 # in openSUSE products, cf. https://build.opensuse.org/request/show/877083
Provides: ghostscript_any = %{version} Provides: ghostscript_any = %{version}
%if "%{flavor}" != "mini" %if "%{flavor}" != "mini"
BuildRequires: cups-devel
BuildRequires: dbus-1-devel BuildRequires: dbus-1-devel
BuildRequires: libexpat-devel BuildRequires: libexpat-devel
BuildRequires: xorg-x11-fonts BuildRequires: xorg-x11-fonts
@ -80,18 +85,11 @@ BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xext)
BuildRequires: pkgconfig(xproto) BuildRequires: pkgconfig(xproto)
BuildRequires: pkgconfig(xt) BuildRequires: pkgconfig(xt)
%if 0%{?suse_version} == 1315
BuildRequires: cups154-devel
%else
BuildRequires: cups-devel
%endif
%if %{with apparmor} %if %{with apparmor}
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros BuildRequires: apparmor-rpm-macros
%endif %endif
%endif %endif
%endif
# Always check if latest version of openjpeg becomes compatible with ghostscript # Always check if latest version of openjpeg becomes compatible with ghostscript
%if 0%{?suse_version} >= 1550 %if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1 BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
@ -113,10 +111,8 @@ Obsoletes: ghostscript-library < %{version}
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because # The "Obsoletes: ghostscript-mini" is intentionally unversioned because
# this package ghostscript should replace any version of ghostscript-mini. # this package ghostscript should replace any version of ghostscript-mini.
Obsoletes: ghostscript-mini Obsoletes: ghostscript-mini
%if 0%{?suse_version} > 1210
Recommends: (cups-filters-ghostscript if cups) Recommends: (cups-filters-ghostscript if cups)
%endif %endif
%endif
%description %description
Ghostscript is a package of software that provides: Ghostscript is a package of software that provides:
@ -176,6 +172,8 @@ rm -rf freetype jpeg libpng lcms2art zlib tiff
%if 0%{?suse_version} >= 1550 %if 0%{?suse_version} >= 1550
rm -rf openjpeg rm -rf openjpeg
%endif %endif
%patch -P102 -p1
%patch -P103 -p1
%build %build
# Derive build timestamp from latest changelog entry # Derive build timestamp from latest changelog entry
@ -330,11 +328,9 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
/sbin/ldconfig /sbin/ldconfig
%if %{with apparmor} %if %{with apparmor}
%if "%{flavor}" != "mini" %if "%{flavor}" != "mini"
%if 0%{?suse_version} >= 1500
%apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
%endif %endif
%endif %endif
%endif
%{_sbindir}/update-alternatives \ %{_sbindir}/update-alternatives \
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15 --install %{_bindir}/gs gs %{_bindir}/gs.bin 15
@ -413,9 +409,6 @@ fi
%if "%{flavor}" != "mini" %if "%{flavor}" != "mini"
%exclude %{_libdir}/ghostscript/%{version}/X11.so %exclude %{_libdir}/ghostscript/%{version}/X11.so
%if %{with apparmor} %if %{with apparmor}
%if 0%{?suse_version} < 1500
%dir %{_sysconfdir}/apparmor.d
%endif
%{_sysconfdir}/apparmor.d/ghostscript %{_sysconfdir}/apparmor.d/ghostscript
%endif %endif
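Review bot: Patch102 and Patch103 are declared without the explanatory comment that the spec gives Patch101 directly above them, so the spec alone does not say what they do or which bug they belong to. I would add, before the two lines, `# Patch102 reproducible.patch drops the build date from the generated .h file` and `# Patch103 2010_add_build_timestamp_setting.patch makes gp_get_realtime() honour SOURCE_DATE_EPOCH (boo#1236773):`. The second comment matters for anyone auditing the package, because that patch changes where the timestamps written into generated documents come from. Separately, the new Source0 URL hard-codes the release directory `gs10040` next to `%{version}`; a one-line comment that both must be changed together on a version bump would avoid a mismatched download URL.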

20
reproducible.patch Normal file

@ -0,0 +1,20 @@
Date: 2024-09-20
Author: Bernhard M. Wiedemann <bwiedemann suse de>
Drop build date from generated .h file
so that openSUSE's ghostscript-debugsource package
does not vary between builds.
Index: ghostscript-10.03.1/base/pack_ps.c
===================================================================
--- ghostscript-10.03.1.orig/base/pack_ps.c
+++ ghostscript-10.03.1/base/pack_ps.c
@@ -344,7 +344,7 @@ main(int argc, char *argv[])
if (!buildtime) {
buildtime = time(NULL);
}
- fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" at time %ld */\n", infilename, (long)buildtime);
+ fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" */\n", infilename);
while (readline(infile, inputline, INPUT_LINE_LENGTH_MAX)) {