Hello community,

here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2018-12-05 09:37:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghostscript (Old)
 and /work/SRC/openSUSE:Factory/.ghostscript.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Wed Dec 5 09:37:36 2018 rev:34 rq:652827 version:9.26 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2018-09-26 15:59:40.072676627 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.19453/ghostscript-mini.changes 2018-12-05 09:37:45.245075427 +0100 
@@ -1,0 +2,65 @@ +Fri Nov 30 09:01:17 CET 2018 - jsm...@suse.de + +- Version upgrade to 9.26 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) real and potential + exploits. + Thanks to Man Yue Mo of Semmle Security Research Team, + Jens Mueller of Ruhr-Universitaet Bochum and + Tavis Ormandy of Google's Project Zero + for their help to identify specific security issues. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.26/News.htm + For details see the News.htm and History9.htm files. + The Ghostscript 9.26 release should fix (cf. the entry below + dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means) + in particular those security issues (bsc#1117331) + * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass + intended access restrictions + https://bugs.ghostscript.com/show_bug.cgi?id=700153 + https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327 + * CVE-2018-19476: psi/zicc.c allows attackers to bypass + intended access restrictions because of a setcolorspace + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700169 + https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313 + * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass + intended access restrictions because of a JBIG2Decode + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700168 + https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274 + * CVE-2018-19409: LockSafetyParams is not checked correctly + if another device is used + https://bugs.ghostscript.com/show_bug.cgi?id=700176 + https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022 + and those security issues + * CVE-2018-18284: 1Policy operator gives access 
to .forceput + https://bugs.ghostscript.com/show_bug.cgi?id=69963 + https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229 + * CVE-2018-18073: saved execution stacks can leak operator arrays + https://bugs.ghostscript.com/show_bug.cgi?id=699927 + https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480 + * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox + https://bugs.ghostscript.com/show_bug.cgi?id=699816 + https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479 + * CVE-2018-17183: remote attackers could be able to supply + crafted PostScript to potentially overwrite or replace + error handlers to inject code + https://bugs.ghostscript.com/show_bug.cgi?id=699708 + https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105 + +------------------------------------------------------------------- +Fri Nov 9 11:25:19 CET 2018 - jsm...@suse.de + +- Version upgrade to 9.26rc1 (first release candidate for 9.26). + Highlights in this release include: + * Purely security and a few bug fixes, there are no new features, + and no API changes to report. + +------------------------------------------------------------------- ghostscript.changes: same change Old: ---- ghostscript-9.25.tar.gz New: ---- ghostscript-9.26.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.gMUd2w/_old 2018-12-05 09:37:49.385070894 +0100 +++ /var/tmp/diff_new_pack.gMUd2w/_new 2018-12-05 09:37:49.385070894 +0100 @@ -26,7 +26,7 @@ BuildRequires: pkg-config BuildRequires: zlib-devel Summary: Minimal Ghostscript for minimal build requirements -License: AGPL-3.0 +License: AGPL-3.0-only Group: System/Libraries Url: http://www.ghostscript.com/ # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1). 
@@ -37,35 +37,35 @@ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.24pre25rc1 +#Version: 9.25pre26rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.25 +Version: 9.26 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): %define tarball_version %{version} -#define tarball_version 9.25rc1 +#define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. 
the upstream version): %define built_version %{version} -#define built_version 9.25 +#define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases # URL for Source0: -# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/ghostscript-9.25rc1.tar.gz +# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz # URL for MD5 checksums: -# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/MD5SUMS -# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz +# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS +# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz +# wget -O ghostscript-9.26.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz # URL for MD5 checksums: -# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS -# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz +# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS +# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: 
++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.gMUd2w/_old 2018-12-05 09:37:49.409070868 +0100 +++ /var/tmp/diff_new_pack.gMUd2w/_new 2018-12-05 09:37:49.413070864 +0100 @@ -46,7 +46,7 @@ BuildRequires: xorg-x11-fonts BuildRequires: zlib-devel Summary: The Ghostscript interpreter for PostScript and PDF -License: AGPL-3.0 +License: AGPL-3.0-only Group: System/Libraries Url: http://www.ghostscript.com/ # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1). 
@@ -57,35 +57,35 @@ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.24pre25rc1 +#Version: 9.25pre26rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.25 +Version: 9.26 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): %define tarball_version %{version} -#define tarball_version 9.25rc1 +#define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. 
the upstream version): %define built_version %{version} -#define built_version 9.25 +#define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases # URL for Source0: -# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/ghostscript-9.25rc1.tar.gz +# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz # URL for MD5 checksums: -# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/MD5SUMS -# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz +# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS +# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz +# wget -O ghostscript-9.26.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz # URL for MD5 checksums: -# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS -# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz +# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS +# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: 
++++++ ghostscript-9.25.tar.gz -> ghostscript-9.26.tar.gz ++++++ /work/SRC/openSUSE:Factory/ghostscript/ghostscript-9.25.tar.gz /work/SRC/openSUSE:Factory/.ghostscript.new.19453/ghostscript-9.26.tar.gz differ: char 5, line 1
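Review bot: In the ghostscript-mini.changes hunk (@@ -1,0 +2,65 @@), the upstream link under the CVE-2018-18284 entry reads https://bugs.ghostscript.com/show_bug.cgi?id=69963, a five-digit id where every other upstream link in this entry has six digits (699708 through 700176). Please check it against the upstream tracker before it is copied further, since ghostscript.changes receives the same text. The entry also says the release "should fix" these issues and defers to the entry dated 'Fri Sep 14 10:47:33 CEST 2018' for what that means; restating the caveat in one line here would let someone triaging bsc#1117331 read it without searching the older entry.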
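Review bot: The License tag change from "AGPL-3.0" to "AGPL-3.0-only" in ghostscript-mini.spec (@@ -26,7 +26,7 @@) and ghostscript.spec (@@ -46,7 +46,7 @@) is not mentioned in the new .changes entry, which lists only the version upgrade and the CVE fixes. Add a changelog line for the tag change so the license metadata update is traceable to this request.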
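Review bot: In the version and source hunks (@@ -37,35 +37,35 @@ in ghostscript-mini.spec, @@ -57,35 +57,35 @@ in ghostscript.spec), the only integrity record for Source0 is an MD5 value kept in a comment, and the MD5SUMS file is fetched from the same releases/download/gs926/ location as the tarball, so it catches a corrupted download but not a replaced one. Consider recording a SHA-256 next to "# MD5 checksum for Source0:" and noting where the value was obtained independently of the download location. Separately, the release-candidate lines now use the tag gs9.26rc1 (with a dot) while the release lines use gs926 and the removed lines used gs925rc1; please confirm the dotted tag matches what upstream published, because these commented wget lines are what the next version bump will be copied from.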