Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2019-03-01 20:25:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Fri Mar 1 20:25:28 2019 rev:36 rq:679465 version:9.26a Changes: --------
--- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2019-01-26 22:19:33.990994121 +0100
+++ /work/SRC/openSUSE:Factory/.ghostscript.new.28833/ghostscript-mini.changes 2019-03-01 20:25:31.374067406 +0100
@@ -1,0 +2,7 @@
+Thu Feb 7 09:27:44 UTC 2019 - jseg...@suse.com
+
+- Added apparmor_usr.bin.gs. This profile prevents execution of
+ executables to serve as hardening for the binaries that process
+ ghostscript. This is of limited use but prevents simple exploits.
+
+-------------------------------------------------------------------
ghostscript.changes: same change New: ---- apparmor_usr.bin.gs ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ ghostscript-mini.spec ++++++
--- /var/tmp/diff_new_pack.Odml8g/_old 2019-03-01 20:25:33.890066817 +0100
+++ /var/tmp/diff_new_pack.Odml8g/_new 2019-03-01 20:25:33.894066816 +0100
@@ -71,6 +71,7 @@
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0: ghostscript-%{version}.tar.gz
+Source1: apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -311,6 +312,7 @@
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 %post -p /sbin/ldconfig
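Review bot: The added `install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs` line in the %install hunk (@@ -311) only places the profile on disk, and nothing visible in this hunk loads it. The `%post -p /sbin/ldconfig` shown in the context is a single-program scriptlet, so it cannot also reload the profile as written. The confinement would then presumably not apply until AppArmor is next restarted, and later profile updates would lag in the same way. Consider making %post a shell scriptlet that runs ldconfig and then reloads the profile, with a comment such as `# reload usr.bin.gs so the confinement applies without a reboot`. The same line is added in ghostscript.spec (@@ -447), and the %install section starts and ends outside both hunks.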
@@ -390,6 +392,8 @@
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 %files devel
 %defattr(-,root,root)
++++++ ghostscript.spec ++++++
--- /var/tmp/diff_new_pack.Odml8g/_old 2019-03-01 20:25:33.906066813 +0100
+++ /var/tmp/diff_new_pack.Odml8g/_new 2019-03-01 20:25:33.910066812 +0100
@@ -91,6 +91,7 @@
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0: ghostscript-%{version}.tar.gz
+Source1: apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -447,6 +448,7 @@
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 %post -p /sbin/ldconfig
@@ -527,6 +529,8 @@
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 %files x11
 %defattr(-,root,root)
++++++ apparmor_usr.bin.gs ++++++
#include <tunables/global>
# this profile is mainly intended to prevent easy exploitation of
# issues in ghostscript. This is mainly intended as a hardening
# measure and doesn't alleviate the need for regular updates
profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/X>
# needed to read gc/write pdfs/eps/.. everywhere
/** wr,
/usr/lib64/ghostscript/** m,
/usr/lib64/libgs.so.* m,
/usr/lib64/libijs-* m,
}
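Review bot: The %files hunk (@@ -390 in ghostscript-mini.spec, repeated at @@ -527 in ghostscript.spec) claims `%dir %{_sysconfdir}/apparmor.d` plus everything below it through `%{_sysconfdir}/apparmor.d/*`, and the profile is not marked as a configuration file. The glob would silently package any other file that lands in that buildroot directory. Without `%config`, an administrator's local tightening of the profile is overwritten on update with no backup. Listing the single file explicitly, e.g. `%config %{_sysconfdir}/apparmor.d/usr.bin.gs`, keeps the security-relevant payload auditable. Whether this package or the AppArmor packages should own the directory is worth checking against the distribution's packaging policy.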
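Review bot: The `/** wr,` rule in apparmor_usr.bin.gs grants read and write on the whole filesystem, so the profile blocks only direct execution. A malicious document could still read any file the user can, or overwrite files that are executed or trusted later, such as shell startup files. A comment stating that limit next to the rule would help, e.g. `# NOTE: write access is unrestricted; this profile only blocks exec`, and write access could be narrowed where the use cases allow it. Separately, none of the visible rules grant `x`, yet the profile attaches to wrappers such as `ps2pdf` and `dvipdf`; if those spawn `gs` or other helpers they would be denied, so each listed binary should be tested in enforce mode. The hard-coded `/usr/lib64/` paths also assume a 64-bit library directory.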