Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2019-03-12 09:48:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Tue Mar 12 09:48:10 2019 rev:37 rq:682815 version:9.26a Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2019-03-01 20:25:32.722067091 +0100 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.28833/ghostscript.changes 2019-03-12 09:48:15.227599787 +0100 @@ -1,0 +2,7 @@ +Fri Mar 8 10:49:18 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- Fix IJS printing problem (bsc#1128467) + * added ijs_exec_server_dont_use_sh.patch + * allow exec'ing hpijs in apparmor profile + +------------------------------------------------------------------- New: ---- ijs_exec_server_dont_use_sh.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.rp64Uy/_old 2019-03-12 09:48:16.615599511 +0100 +++ /var/tmp/diff_new_pack.rp64Uy/_new 2019-03-12 09:48:16.623599510 +0100 @@ -1,7 +1,7 @@ # # spec file for package ghostscript-mini # -# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.rp64Uy/_old 2019-03-12 09:48:16.659599503 +0100 +++ /var/tmp/diff_new_pack.rp64Uy/_new 2019-03-12 09:48:16.659599503 +0100 @@ -1,7 +1,7 @@ # # spec file for package ghostscript # -# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -101,6 +101,7 @@ # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +Patch101: ijs_exec_server_dont_use_sh.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -217,7 +218,6 @@ %package x11 Summary: X11 library for Ghostscript -Group: Productivity/Publishing/PS # Require the exact matching version-release of the ghostscript main-package because # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault) # because all Ghostscript software is built from one same Ghostscript source tar ball @@ -225,6 +225,7 @@ # The exact matching version-release of the ghostscript main-package is available # on the same package repository where the ghostscript-x11 sub-package is because # all are built simulaneously from the same Ghostscript source package: +Group: Productivity/Publishing/PS Requires: ghostscript = %{version}-%{release} # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have # an unversioned "Provides: ghostscript" and for RPM this means that both @@ -282,6 +283,7 @@ # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig +%patch101 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig ++++++ apparmor_usr.bin.gs ++++++ --- /var/tmp/diff_new_pack.rp64Uy/_old 2019-03-12 09:48:16.695599495 +0100 +++ /var/tmp/diff_new_pack.rp64Uy/_new 2019-03-12 09:48:16.695599495 +0100 @@ -15,4 +15,5 @@ /usr/lib64/ghostscript/** m, /usr/lib64/libgs.so.* m, /usr/lib64/libijs-* m, + /usr/bin/hpijs ix, } ++++++ ijs_exec_server_dont_use_sh.patch ++++++ >From 0d58bab5cdc7e76d7220ce441d39812c85329ba2 Mon Sep 17 00:00:00 2001 From: Martin Wilck <mwi...@suse.com> Date: Fri, 8 Mar 2019 12:01:13 +0100 Subject: [PATCH] ijs: ijs_exec_server(): don't use "sh" If ghostscript is confined using security profiles, executing "sh" must be obviously avoided. So, try to exec the IJS server binary directly. This should enable security profile writers to select which IJS binaries to allow. Signed-off-by: Martin Wilck <mwi...@suse.com> --- ijs/ijs_exec_unix.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/ijs/ijs_exec_unix.c b/ijs/ijs_exec_unix.c index 6225694..e775dc3 100644 --- a/ijs/ijs_exec_unix.c +++ b/ijs/ijs_exec_unix.c @@ -70,9 +70,6 @@ ijs_exec_server(const char *server_cmd, int *pfd_to, int *pfd_from, argv[i++] = "gdb"; #endif - argv[i++] = "sh"; - argv[i++] = "-c"; - argv[i++] = (char *)server_cmd; argv[i++] = NULL; status = execvp (argv[0], (char * const *)argv); -- 2.21.0
