forked from pool/ghostscript
Compare commits
7 Commits
Author | SHA256 | Date | |
---|---|---|---|
|
6d31b2d91c | ||
ed0cd398de | |||
|
3c75751adb | ||
|
95fe8833c4 | ||
|
2525313e1a | ||
dba243cc78 | |||
060a007833 |
120
2010_add_build_timestamp_setting.patch
Normal file
120
2010_add_build_timestamp_setting.patch
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
Description: Allow the build timestamp to be externally set
|
||||||
|
In order to make Ghostscript output reproducible, we need a way to
|
||||||
|
set the build timestamp to other values than the current time.
|
||||||
|
We now consistently use gp_get_realtime() instead of directly calling
|
||||||
|
time() or gp_get_usertime() and make gp_get_realtime() use the value
|
||||||
|
found in the SOURCE_DATE_EPOCH environment variable if set. Also,
|
||||||
|
environment timezone is fixed to UTC if SOURCE_DATE_EPOCH is used to
|
||||||
|
avoid variations.
|
||||||
|
Author: Eduard Sanou <dhole@openmailbox.org>
|
||||||
|
Author: Peter De Wachter <pdewacht@gmail.com>
|
||||||
|
Bug-Debian: https://bugs.debian.org/794004
|
||||||
|
Forwarded: not-needed
|
||||||
|
Last-Update: 2023-09-13
|
||||||
|
---
|
||||||
|
This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
|
||||||
|
--- a/base/gp_unix.c
|
||||||
|
+++ b/base/gp_unix.c
|
||||||
|
@@ -19,6 +19,7 @@
|
||||||
|
#ifdef __MINGW32__
|
||||||
|
# include "windows_.h"
|
||||||
|
#endif
|
||||||
|
+#include "errno_.h"
|
||||||
|
#include "pipe_.h"
|
||||||
|
#include "string_.h"
|
||||||
|
#include "time_.h"
|
||||||
|
@@ -149,6 +150,7 @@
|
||||||
|
gp_get_realtime(long *pdt)
|
||||||
|
{
|
||||||
|
struct timeval tp;
|
||||||
|
+ const char *env;
|
||||||
|
|
||||||
|
#if gettimeofday_no_timezone /* older versions of SVR4 */
|
||||||
|
{
|
||||||
|
@@ -168,6 +170,26 @@
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ env = getenv("SOURCE_DATE_EPOCH");
|
||||||
|
+ if (env) {
|
||||||
|
+ char *end;
|
||||||
|
+ long timestamp;
|
||||||
|
+
|
||||||
|
+ errno = 0;
|
||||||
|
+ timestamp = strtol(env, &end, 10);
|
||||||
|
+ if (env == end || *end || errno != 0) {
|
||||||
|
+ lprintf("Ghostscript: SOURCE_DATE_EPOCH is not a number!\n");
|
||||||
|
+ timestamp = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ tp.tv_sec = timestamp;
|
||||||
|
+ tp.tv_usec = 0;
|
||||||
|
+
|
||||||
|
+ /* We need to fix the environment timezone to get reproducible */
|
||||||
|
+ /* results when parsing the result of gp_get_realtime. */
|
||||||
|
+ setenv("TZ", "UTC", 1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* tp.tv_sec is #secs since Jan 1, 1970 */
|
||||||
|
pdt[0] = tp.tv_sec;
|
||||||
|
|
||||||
|
--- a/devices/vector/gdevpdf.c
|
||||||
|
+++ b/devices/vector/gdevpdf.c
|
||||||
|
@@ -437,6 +437,7 @@
|
||||||
|
if (!pdev->OmitInfoDate)
|
||||||
|
{
|
||||||
|
struct tm tms;
|
||||||
|
+ long secs_ns[2];
|
||||||
|
time_t t;
|
||||||
|
char buf[1+2+4+2+2+2+2+2+1+2+1+2+1+1+1]; /* (D:yyyymmddhhmmssZhh'mm')\0 */
|
||||||
|
int timeoffset;
|
||||||
|
@@ -448,7 +449,8 @@
|
||||||
|
timesign = 'Z';
|
||||||
|
timeoffset = 0;
|
||||||
|
#else
|
||||||
|
- time(&t);
|
||||||
|
+ gp_get_realtime(secs_ns);
|
||||||
|
+ t = secs_ns[0];
|
||||||
|
tms = *gmtime(&t);
|
||||||
|
tms.tm_isdst = -1;
|
||||||
|
timeoffset = (int)difftime(t, mktime(&tms)); /* tz+dst in seconds */
|
||||||
|
--- a/devices/vector/gdevpdfe.c
|
||||||
|
+++ b/devices/vector/gdevpdfe.c
|
||||||
|
@@ -216,6 +216,7 @@
|
||||||
|
{
|
||||||
|
/* We don't write a day time because we don't have a time zone. */
|
||||||
|
struct tm tms;
|
||||||
|
+ long secs_ns[2];
|
||||||
|
time_t t;
|
||||||
|
char buf1[4+1+2+1+2+1]; /* yyyy-mm-dd\0 */
|
||||||
|
|
||||||
|
@@ -223,7 +224,8 @@
|
||||||
|
memset(&t, 0, sizeof(t));
|
||||||
|
memset(&tms, 0, sizeof(tms));
|
||||||
|
#else
|
||||||
|
- time(&t);
|
||||||
|
+ gp_get_realtime(secs_ns);
|
||||||
|
+ t = secs_ns[0];
|
||||||
|
tms = *localtime(&t);
|
||||||
|
#endif
|
||||||
|
gs_snprintf(buf1, sizeof(buf1),
|
||||||
|
--- a/devices/vector/gdevpsu.c
|
||||||
|
+++ b/devices/vector/gdevpsu.c
|
||||||
|
@@ -187,6 +187,7 @@
|
||||||
|
dev->dname);
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
+ long secs_ns[2];
|
||||||
|
time_t t;
|
||||||
|
struct tm tms;
|
||||||
|
|
||||||
|
@@ -194,7 +195,8 @@
|
||||||
|
memset(&t, 0, sizeof(t));
|
||||||
|
memset(&tms, 0, sizeof(tms));
|
||||||
|
#else
|
||||||
|
- time(&t);
|
||||||
|
+ gp_get_realtime(secs_ns);
|
||||||
|
+ t = secs_ns[0];
|
||||||
|
tms = *localtime(&t);
|
||||||
|
#endif
|
||||||
|
fprintf(f, "%%%%CreationDate: %d/%02d/%02d %02d:%02d:%02d\n",
|
BIN
ghostscript-10.03.1.tar.gz
(Stored with Git LFS)
BIN
ghostscript-10.03.1.tar.gz
(Stored with Git LFS)
Binary file not shown.
BIN
ghostscript-10.04.0.tar.gz
(Stored with Git LFS)
Normal file
BIN
ghostscript-10.04.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,49 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 4 09:42:47 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
|
||||||
|
|
||||||
|
- Add reproducible.patch to not embed timestamp in .h file
|
||||||
|
- Add 2010_add_build_timestamp_setting.patch to allow overriding
|
||||||
|
timestamp in generated pdf (boo#1236773)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||||
|
|
||||||
|
- Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024"
|
||||||
|
by adding the individual "bsc" numbers for each CVE, see
|
||||||
|
https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4
|
||||||
|
and by adding the "IMPORTANT" change in Ghostscript 10.04.0
|
||||||
|
- spec file cleanup: removed the special cases for SLE12
|
||||||
|
i.e. rely on "suse_version >= 1500" as given precondition
|
||||||
|
(recent Ghostscript versions fail to build in SLE12 anyway)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 23 08:54:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- Version upgrade to 10.04.0 (bsc#1232173):
|
||||||
|
Highlights in this release include:
|
||||||
|
See 'Recent Changes in Ghostscript' at Ghostscript upstream
|
||||||
|
https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
|
||||||
|
* This release addresses:
|
||||||
|
+ CVE-2024-46951 (bsc#1232265)
|
||||||
|
+ CVE-2024-46952 (bsc#1232266)
|
||||||
|
+ CVE-2024-46953 (bsc#1232267)
|
||||||
|
+ CVE-2024-46954 (bsc#1232268)
|
||||||
|
+ CVE-2024-46955 (bsc#1232269)
|
||||||
|
+ CVE-2024-46956 (bsc#1232270)
|
||||||
|
* IMPORTANT: In this release (10.04.0)
|
||||||
|
we (i.e. Ghostscript upstream) have be added
|
||||||
|
protection for device selection from PostScript input.
|
||||||
|
This will mean that, by default, only the device specified
|
||||||
|
on the command line will be permitted. Similar to the file
|
||||||
|
permissions, there will be a "--permit-devices=" allowing
|
||||||
|
a comma separation list of allowed devices. This will also
|
||||||
|
take a single wildcard "*" allowing any device.
|
||||||
|
Any application which relies on allowing PostScript
|
||||||
|
to change devices during a job will have to be aware,
|
||||||
|
and take action to deal with this change.
|
||||||
|
The exception is "nulldevice", switching to that requires
|
||||||
|
no special action.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
Mon Jul 1 11:56:34 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||||
|
|
||||||
|
@ -24,19 +24,21 @@
|
|||||||
%bcond_without apparmor
|
%bcond_without apparmor
|
||||||
%endif
|
%endif
|
||||||
Name: ghostscript%{psuffix}
|
Name: ghostscript%{psuffix}
|
||||||
Version: 10.03.1
|
Version: 10.04.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Ghostscript interpreter for PostScript and PDF
|
Summary: The Ghostscript interpreter for PostScript and PDF
|
||||||
License: AGPL-3.0-only
|
License: AGPL-3.0-only
|
||||||
Group: Productivity/Office/Other
|
Group: Productivity/Office/Other
|
||||||
URL: https://www.ghostscript.com/
|
URL: https://www.ghostscript.com/
|
||||||
# How to manually get Source0:
|
# Use "osc service manualrun" to fetch Source0:
|
||||||
|
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-%{version}.tar.gz
|
||||||
|
# How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream
|
||||||
|
# (example for the Ghostscript 10.03.1 release):
|
||||||
# Go to https://www.ghostscript.com
|
# Go to https://www.ghostscript.com
|
||||||
# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
|
# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html
|
||||||
# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
|
# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html
|
||||||
# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
|
# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release"
|
||||||
# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
|
# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
|
||||||
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/ghostscript-10.03.1.tar.gz
|
|
||||||
Source10: apparmor_ghostscript
|
Source10: apparmor_ghostscript
|
||||||
# Patch0...Patch9 is for patches from upstream:
|
# Patch0...Patch9 is for patches from upstream:
|
||||||
# Source10...Source99 is for sources from SUSE which are intended for upstream:
|
# Source10...Source99 is for sources from SUSE which are intended for upstream:
|
||||||
@ -46,6 +48,8 @@ Source10: apparmor_ghostscript
|
|||||||
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
|
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
|
||||||
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
|
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
|
||||||
Patch101: ijs_exec_server_dont_use_sh.patch
|
Patch101: ijs_exec_server_dont_use_sh.patch
|
||||||
|
Patch102: reproducible.patch
|
||||||
|
Patch103: 2010_add_build_timestamp_setting.patch
|
||||||
# Build Requirements:
|
# Build Requirements:
|
||||||
BuildRequires: freetype2-devel
|
BuildRequires: freetype2-devel
|
||||||
BuildRequires: libjpeg-devel
|
BuildRequires: libjpeg-devel
|
||||||
@ -71,6 +75,7 @@ Requires(preun):update-alternatives
|
|||||||
# in openSUSE products, cf. https://build.opensuse.org/request/show/877083
|
# in openSUSE products, cf. https://build.opensuse.org/request/show/877083
|
||||||
Provides: ghostscript_any = %{version}
|
Provides: ghostscript_any = %{version}
|
||||||
%if "%{flavor}" != "mini"
|
%if "%{flavor}" != "mini"
|
||||||
|
BuildRequires: cups-devel
|
||||||
BuildRequires: dbus-1-devel
|
BuildRequires: dbus-1-devel
|
||||||
BuildRequires: libexpat-devel
|
BuildRequires: libexpat-devel
|
||||||
BuildRequires: xorg-x11-fonts
|
BuildRequires: xorg-x11-fonts
|
||||||
@ -80,18 +85,11 @@ BuildRequires: pkgconfig(x11)
|
|||||||
BuildRequires: pkgconfig(xext)
|
BuildRequires: pkgconfig(xext)
|
||||||
BuildRequires: pkgconfig(xproto)
|
BuildRequires: pkgconfig(xproto)
|
||||||
BuildRequires: pkgconfig(xt)
|
BuildRequires: pkgconfig(xt)
|
||||||
%if 0%{?suse_version} == 1315
|
|
||||||
BuildRequires: cups154-devel
|
|
||||||
%else
|
|
||||||
BuildRequires: cups-devel
|
|
||||||
%endif
|
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
%if 0%{?suse_version} >= 1500
|
|
||||||
BuildRequires: apparmor-abstractions
|
BuildRequires: apparmor-abstractions
|
||||||
BuildRequires: apparmor-rpm-macros
|
BuildRequires: apparmor-rpm-macros
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
%endif
|
|
||||||
# Always check if latest version of openjpeg becomes compatible with ghostscript
|
# Always check if latest version of openjpeg becomes compatible with ghostscript
|
||||||
%if 0%{?suse_version} >= 1550
|
%if 0%{?suse_version} >= 1550
|
||||||
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
|
BuildRequires: pkgconfig(libopenjp2) >= 2.3.1
|
||||||
@ -113,10 +111,8 @@ Obsoletes: ghostscript-library < %{version}
|
|||||||
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because
|
# The "Obsoletes: ghostscript-mini" is intentionally unversioned because
|
||||||
# this package ghostscript should replace any version of ghostscript-mini.
|
# this package ghostscript should replace any version of ghostscript-mini.
|
||||||
Obsoletes: ghostscript-mini
|
Obsoletes: ghostscript-mini
|
||||||
%if 0%{?suse_version} > 1210
|
|
||||||
Recommends: (cups-filters-ghostscript if cups)
|
Recommends: (cups-filters-ghostscript if cups)
|
||||||
%endif
|
%endif
|
||||||
%endif
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Ghostscript is a package of software that provides:
|
Ghostscript is a package of software that provides:
|
||||||
@ -176,6 +172,8 @@ rm -rf freetype jpeg libpng lcms2art zlib tiff
|
|||||||
%if 0%{?suse_version} >= 1550
|
%if 0%{?suse_version} >= 1550
|
||||||
rm -rf openjpeg
|
rm -rf openjpeg
|
||||||
%endif
|
%endif
|
||||||
|
%patch -P102 -p1
|
||||||
|
%patch -P103 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Derive build timestamp from latest changelog entry
|
# Derive build timestamp from latest changelog entry
|
||||||
@ -330,11 +328,9 @@ ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs
|
|||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
%if "%{flavor}" != "mini"
|
%if "%{flavor}" != "mini"
|
||||||
%if 0%{?suse_version} >= 1500
|
|
||||||
%apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
|
%apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
%endif
|
|
||||||
%{_sbindir}/update-alternatives \
|
%{_sbindir}/update-alternatives \
|
||||||
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15
|
--install %{_bindir}/gs gs %{_bindir}/gs.bin 15
|
||||||
|
|
||||||
@ -413,9 +409,6 @@ fi
|
|||||||
%if "%{flavor}" != "mini"
|
%if "%{flavor}" != "mini"
|
||||||
%exclude %{_libdir}/ghostscript/%{version}/X11.so
|
%exclude %{_libdir}/ghostscript/%{version}/X11.so
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
%if 0%{?suse_version} < 1500
|
|
||||||
%dir %{_sysconfdir}/apparmor.d
|
|
||||||
%endif
|
|
||||||
%{_sysconfdir}/apparmor.d/ghostscript
|
%{_sysconfdir}/apparmor.d/ghostscript
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
20
reproducible.patch
Normal file
20
reproducible.patch
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
Date: 2024-09-20
|
||||||
|
Author: Bernhard M. Wiedemann <bwiedemann suse de>
|
||||||
|
|
||||||
|
Drop build date from generated .h file
|
||||||
|
so that openSUSE's ghostscript-debugsource package
|
||||||
|
does not vary between builds.
|
||||||
|
|
||||||
|
Index: ghostscript-10.03.1/base/pack_ps.c
|
||||||
|
===================================================================
|
||||||
|
--- ghostscript-10.03.1.orig/base/pack_ps.c
|
||||||
|
+++ ghostscript-10.03.1/base/pack_ps.c
|
||||||
|
@@ -344,7 +344,7 @@ main(int argc, char *argv[])
|
||||||
|
if (!buildtime) {
|
||||||
|
buildtime = time(NULL);
|
||||||
|
}
|
||||||
|
- fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" at time %ld */\n", infilename, (long)buildtime);
|
||||||
|
+ fprintf(outfile,"/* Auto-generated from PostScript file \"%s\" */\n", infilename);
|
||||||
|
|
||||||
|
while (readline(infile, inputline, INPUT_LINE_LENGTH_MAX)) {
|
||||||
|
|
Loading…
x
Reference in New Issue
Block a user