Hello community,

here is the log from the commit of package ghostscript for openSUSE:Factory 
checked in at 2019-05-07 23:11:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghostscript (Old)
 and      /work/SRC/openSUSE:Factory/.ghostscript.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghostscript"

Tue May  7 23:11:37 2019 rev:39 rq:700982 version:9.27

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes     
2019-03-26 15:37:18.864374873 +0100
+++ /work/SRC/openSUSE:Factory/.ghostscript.new.5148/ghostscript-mini.changes   
2019-05-07 23:11:42.216013604 +0200
@@ -1,0 +2,57 @@
+Thu Apr  4 14:37:09 CEST 2019 - jsm...@suse.de
+
+- Version upgrade to 9.27
+  Highlights in this release include:
+  * We (i.e. Ghostscript upstream) have extensively cleaned up
+    the Postscript name space: removing access to internal and/or
+    undocumented Postscript operators, procedures and data.
+    This has benefits for security and maintainability.
+    Incompatible changes:
+    The process of "tidying" the Postscript name space should
+    have removed only non-standard and undocumented operators.
+    Nevertheless, it is possible that any integrations or
+    utilities that rely on those non-standard and undocumented
+    operators may stop working, or may change behaviour.
+    If you encounter such a case, please contact us (i.e.
+    Ghostscript upstream) - (either the #ghostscript IRC channel,
+    or the gs-devel mailing list would be best), and we'll work
+    with you to either find an alternative solution.
+  * Fontmap can now reference invidual fonts in a TrueType
+    Collection for font subsitution. Previously, a Fontmap entry
+    could only reference a TrueType collection and use the default
+    (first) font.
+    Now, the Fontmap syntax allows for specifying a specific index
+    in a TTC. See the comments at the top of (the default)
+    Fontmap.GS for details.
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  IMPORTANT: It is our intention, within the next 12 months
+    (ideally sooner, in time for the next release) to make SAFER
+    the default mode of operation. For many users this will have
+    no effect, since they use SAFER explicitly, but some niche
+    uses which rely on SAFER being disabled may need to start
+    explicitly adding the "-dNOSAFER" option.
+  IMPORTANT: We (i.e. Ghostscript upstream) are in the process of
+    forking LittleCMS. LCMS2 is not thread safe, and cannot be made
+    thread safe without breaking the ABI. Our fork will be thread
+    safe, and include performance enhancements (these changes have
+    all be been offered and rejected upstream). We will maintain
+    compatibility between Ghostscript and LCMS2 for a time, but not
+    in perpetuity. Our fork will be available as its own package
+    separately from Ghostscript (and MuPDF).
+  For a release summary see:
+  http://www.ghostscript.com/doc/9.27/News.htm
+  For details see the News.htm and History9.htm files.
+  The Ghostscript 9.27 release should fix (cf. the entry below
+  dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means)
+  in particular those security issues:
+  * CVE-2019-3838 forceput in DefineResource is still accessible
+    https://bugzilla.suse.com/show_bug.cgi?id=1129186 bsc#1129186
+    https://bugs.ghostscript.com/show_bug.cgi?id=700576
+  * CVE-2019-3835: superexec operator is available
+    https://bugzilla.suse.com/show_bug.cgi?id=1129180 bsc#1129180
+    https://bugs.ghostscript.com/show_bug.cgi?id=700585
+- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
+  is no longer needed because it is fixed in the upstream sources.
+
+-------------------------------------------------------------------
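Review bot: The two CVE lines in this entry are formatted differently: "CVE-2019-3838 forceput in DefineResource is still accessible" has no colon after the identifier, while "CVE-2019-3835: superexec operator is available" does. Use one form so the entry can be searched uniformly. The entry lists the dropped patch but not the SLE12-only freetype conditional that the spec diff adds, so that change should get its own bullet. The release summary link uses http:// while the bug tracker links use https://. The text copied from upstream also carries typos ("invidual", "subsitution", "all be been").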
ghostscript.changes: same change

Old:
----
  ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
  ghostscript-9.26a.tar.gz

New:
----
  ghostscript-9.27.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghostscript-mini.spec ++++++
--- /var/tmp/diff_new_pack.8Ljh25/_old  2019-05-07 23:11:43.896016746 +0200
+++ /var/tmp/diff_new_pack.8Ljh25/_new  2019-05-07 23:11:43.900016753 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
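Review bot: The copyright line change from "SUSE LINUX GmbH" to "SUSE LINUX Products GmbH" is unrelated to the 9.27 upgrade and is not mentioned in the .changes entry. If it is a side effect of the tooling used to prepare the submission rather than an intended change, drop it from this request; if it is intended, document it. The same change appears in ghostscript.spec.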
@@ -43,11 +43,7 @@
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are 
older than numbers
 # so that we keep additionally the previous version number to upgrade from the 
previous version:
 #Version:        9.25pre26rc1
-# The upstream version 9.26a is a special Ghostscript upstream security bugfix 
tar ball
-# where upstream provides a complete and consistent state of the whole 
Ghostscript code
-# that includes in particular the complete patchset that is really non-trivial
-# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
-Version:        9.26a
+Version:        9.27
 Release:        0
 # Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
@@ -59,7 +55,7 @@
 # Separated built_version needed in case of Ghostscript release candidates 
e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the 
upstream version):
 #define built_version %{version}
-%define built_version 9.26
+%define built_version 9.27
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
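Review bot: "%define built_version 9.27" hard-codes a value that the comment directly above says is identical to the version for normal releases, and the commented-out "#define built_version %{version}" already shows the intended form. With Version now back to a plain upstream release number (9.27 rather than 9.26a), built_version can be derived from %{version} again, so the two cannot drift apart on the next upgrade.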
@@ -71,14 +67,13 @@
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.26.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz
+# wget -O ghostscript-9.27.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
 # URL for MD5 checksums:
-# wget -O gs926.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
-# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a 
ghostscript-9.26.tar.gz
+# wget -O gs927.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
+# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d  
ghostscript-9.27.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
-Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for 
upstream:
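Review bot: The integrity record for Source0 is an MD5 value that lives only in a comment ("# MD5 checksum for Source0: ..."), and nothing in the visible spec checks it at build time. The MD5SUMS file is also fetched from the same release download location as the tarball, so it gives no independent assurance about the tarball's origin. Suggest recording a SHA-256 of the reviewed tarball next to the MD5 line, and, if upstream provides a detached signature for the release, shipping it as an additional Source so the check is reproducible.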
@@ -145,7 +140,6 @@
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for 
ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-%patch0 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream 
tarball.
 # Again use the zlib sources from Ghostscript upstream
@@ -165,7 +159,13 @@
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
+%if 0%{?suse_version} == 1315
+# Again use the freetype sources from Ghostscript upstream because
+# Ghostscript 9.27 does no longer build this way for SLE12:
+rm -rf jpeg libpng tiff
+%else
 rm -rf freetype jpeg libpng tiff
+%endif
 # In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
 # because that is what Ghostscript upstream recommends according to
 # https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
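Review bot: In the new "%if 0%{?suse_version} == 1315" branch, freetype is no longer removed, so the SLE12 build falls back to the freetype copy bundled in the Ghostscript tarball, and fixes shipped in the system freetype package will not reach Ghostscript on that target. The comment says only that 9.27 "does no longer build this way for SLE12"; please state the actual build failure or add a bug reference so the conditional can be removed once it no longer applies. This behaviour change is also missing from the .changes entry. The same hunk appears in ghostscript.spec.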

++++++ ghostscript.spec ++++++
--- /var/tmp/diff_new_pack.8Ljh25/_old  2019-05-07 23:11:43.912016776 +0200
+++ /var/tmp/diff_new_pack.8Ljh25/_new  2019-05-07 23:11:43.916016783 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -63,11 +63,7 @@
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are 
older than numbers
 # so that we keep additionally the previous version number to upgrade from the 
previous version:
 #Version:        9.25pre26rc1
-# The upstream version 9.26a is a special Ghostscript upstream security bugfix 
tar ball
-# where upstream provides a complete and consistent state of the whole 
Ghostscript code
-# that includes in particular the complete patchset that is really non-trivial
-# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
-Version:        9.26a
+Version:        9.27
 Release:        0
 # Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
@@ -79,7 +75,7 @@
 # Separated built_version needed in case of Ghostscript release candidates 
e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the 
upstream version):
 #define built_version %{version}
-%define built_version 9.26
+%define built_version 9.27
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -91,14 +87,13 @@
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.26.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz
+# wget -O ghostscript-9.27.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
 # URL for MD5 checksums:
-# wget -O gs926.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
-# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a 
ghostscript-9.26.tar.gz
+# wget -O gs927.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
+# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d  
ghostscript-9.27.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
-Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for 
upstream:
@@ -223,6 +218,7 @@
 
 %package x11
 Summary:        X11 library for Ghostscript
+Group:          Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package 
because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. 
segfault)
 # because all Ghostscript software is built from one same Ghostscript source 
tar ball
@@ -230,7 +226,6 @@
 # The exact matching version-release of the ghostscript main-package is 
available
 # on the same package repository where the ghostscript-x11 sub-package is 
because
 # all are built simulaneously from the same Ghostscript source package:
-Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
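Review bot: Moving "Group: Productivity/Publishing/PS" up under Summary in "%package x11" is a cosmetic reorder that has nothing to do with the version upgrade and is not mentioned in the .changes entry. It is harmless, but it would be cleaner to note it in the entry or submit it separately. While this block is being touched, "simulaneously" in the comment above the removed line could be corrected to "simultaneously".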
@@ -281,7 +276,6 @@
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for 
ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-%patch0 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream 
tarball.
 # Again use the zlib sources from Ghostscript upstream
@@ -301,7 +295,13 @@
 # Again use the zlib sources from Ghostscript upstream
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
+%if 0%{?suse_version} == 1315
+# Again use the freetype sources from Ghostscript upstream because
+# Ghostscript 9.27 does no longer build this way for SLE12:
+rm -rf jpeg libpng tiff
+%else
 rm -rf freetype jpeg libpng tiff
+%endif
 # In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
 # because that is what Ghostscript upstream recommends according to
 # https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html

++++++ ghostscript-9.26a.tar.gz -> ghostscript-9.27.tar.gz ++++++
/work/SRC/openSUSE:Factory/ghostscript/ghostscript-9.26a.tar.gz 
/work/SRC/openSUSE:Factory/.ghostscript.new.5148/ghostscript-9.27.tar.gz 
differ: char 5, line 1

