Hello community,

here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2020-05-08 23:02:56

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghostscript (Old)
 and      /work/SRC/openSUSE:Factory/.ghostscript.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghostscript"

Fri May 8 23:02:56 2020 rev:45 rq:800666 version:9.52

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2019-09-20 14:48:22.070940279 +0200
+++ /work/SRC/openSUSE:Factory/.ghostscript.new.2738/ghostscript-mini.changes 2020-05-08 23:03:13.813602227 +0200
@@ -1,0 +2,131 @@ +Wed Apr 29 12:09:39 CEST 2020 - jsm...@suse.de + +- The version upgrade to 9.52 fixes in particular + CVE-2020-12268: jbic2dec: heap-based buffer overflow + in jbig2_image_compose (bsc#1170603) +- Version upgrade to 9.52 + Highlights in this release include: + * The 9.52 release replaces the 9.51 release after a problem + was reported with 9.51 which warranted the quick turnaround. + Thus, like 9.51, 9.52 is primarily a maintenance release, + consolidating the changes we introduced in 9.50. + * IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt + (the "mt" indicating "multi-thread"). + LCMS2 is not thread-safe, and cannot be made thread-safe + without breaking the ABI. Our fork will be thread-safe and + include performance enhancements (these changes have all + been offered and rejected upstream). We will maintain + compatibility between Ghostscript and LCMS2 for a time, + but not in perpetuity. If there is sufficient interest, + our fork will be available as its own package separately + from Ghostscript (and MuPDF). + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * New option -dALLOWPSTRANSPARENCY: The transparency compositor + (and related features), whilst we are improving it, remains + sensitive to being driven correctly, and incorrect use + can have unexpected/undefined results. Hence, as part of + improving security, we limited access to these operators, + originally using the -dSAFER feature. As we made "SAFER" + the default mode, that became unacceptable, hence the + new option -dALLOWPSTRANSPARENCY which enables access + to the operators, cf. + https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY + For a release summary see: + https://www.ghostscript.com/doc/9.52/News.htm + For details see the News.htm and History9.htm files. 
+- Version upgrade to 9.51 + Highlights in this release include: + * 9.51 is primarily a maintainance release, consolidating + the changes we introduced in 9.50. + * We have continued our work on code hygiene for this release, + with a focus on the static analysis tool Coverity + (from Synopsys, Inc) and we are now maintaining a policy of + zero Coverity issues in the Ghostscript/GhostPDL source base. + * IMPORTANT: In consultation with a representative of + OpenPrinting (http://www.openprinting.org/) it is our + intention to deprecate and, in the not distant future, + remove the OpenPrinting Vector/Raster Printer Drivers + (that is, the opvp and oprp devices). + If you rely on either of these devices, please get in touch + with us (i.e. Ghostscript upstream), so we can discuss your + use case, and revise our plans accordingly. + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + https://www.ghostscript.com/doc/9.51/News.htm + For details see the News.htm and History9.htm files. +- Version upgrade to 9.50 + Highlights in this release include: + * The change to version 9.50 follows recognition + of the extent and importance of the file access control + redesign/reimplementation outlined below. + * The file access control capability (enable with -dSAFER) + has been completely rewritten, with a ground-up rethink + of the design. For more details, see: "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * It is important to note that -dSAFER now only enables the + file access controls, and no longer applies restrictions + to standard Postscript functionality (specifically, + restrictions on setpagedevice). 
If your application relies + on these Postscript restrictions, see "OLDSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer + and please get in touch, as we do plan to remove those + Postscript restrictions unless we have reason not to. + IMPORTANT: File access controls are now enabled by default. + In order to run Ghostscript without these controls, + see "NOSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * There are a couple of subtle incompatibilities between the old + and new SAFER implementations. Firstly, as mentioned above, + SAFER now leaves standard Postcript functionality unchanged + (except for the file access limitations). Secondly, the + interaction with save/restore operations, see "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * The following is not strictly speaking new to 9.50, + as not much has changed since 9.27 in this area, + but for those who don't upgrade with every release: + The process of "tidying" the Postscript name space should have + removed only non-standard and undocumented operators. + Nevertheless, it is possible that any integrations or utilities + that rely on those non-standard and undocumented operators + may stop working, or may change behaviour. + If you encounter such a case, please contact us + (i.e. Ghostscript upstream, either the #ghostscript IRC channel + or the gs-devel mailing list would be best), and we'll work + with you to either find an alternative solution or return the + previous functionality, if there is genuinely no other option. + One case we know this has occurred is GSView 5 (and earlier). + GSView 5 support for PDF files relied upon internal use only + features which are no longer available. 
GSView 5 will still + work as previously for Postscript files. For PDF files, + users are encouraged to look at MuPDF https://www.mupdf.com/ + For a release summary see: + https://www.ghostscript.com/doc/9.50/News.htm + For details see the News.htm and History9.htm files. +- CVE-2019-10216.patch + gs-CVE-2019-14811-885444fc.patch + gs-CVE-2019-14817-cd1b1cac.patch + openjpeg4gs-CVE-2018-6616-8ee33522.patch + are fixed in the version 9.52 upstream sources. + +------------------------------------------------------------------- +Fri Jan 31 17:26:37 UTC 2020 - Stefan BrĂ¼ns <stefan.bru...@rwth-aachen.de> + +- Use system openjpeg2 on Tumbleweed/Factory. + +------------------------------------------------------------------- +Mon Sep 23 08:24:49 UTC 2019 - Johannes Segitz <jseg...@suse.de> + +- Made ghostscript profile enforcing and limit it to the ghostscript + binaries (bsc#1150338) + +------------------------------------------------------------------- @@ -35,0 +167,5 @@ +Wed May 8 08:46:43 UTC 2019 - jseg...@suse.com + +- Set AA profile to complain and added fixes for ps2epsi (boo#1134327) + +------------------------------------------------------------------- @@ -982,0 +1119,5 @@ + +------------------------------------------------------------------- +Mon Aug 18 15:12:28 UTC 2014 - meiss...@suse.com + +- gs does not seem to require libopenssl-devel for building. --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2020-02-06 13:07:00.800296583 +0100 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.2738/ghostscript.changes 2020-05-08 23:03:15.321605307 +0200 
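Review bot: the new 9.52 entry in the @@ -1,0 +2,131 @@ hunk of ghostscript-mini.changes names the fixed component "jbic2dec"; the library is jbig2dec, as the function name jbig2_image_compose on the following line shows, and the typo should be corrected before CVE tooling that scans changelogs picks it up. In the same hunk, the closing item that lists the dropped patches ("CVE-2019-10216.patch ... are fixed in the version 9.52 upstream sources") names only the patch files, while the spec comments removed elsewhere in this request record that gs-CVE-2019-14811-885444fc.patch also covered CVE-2019-14812 and CVE-2019-14813; listing all six CVE IDs beside the patch names keeps the changelog usable as an audit trail for which fixes arrived via the version bump. Minor spelling in the quoted upstream notes: "maintainance" (9.51 highlights) and "Postcript" (9.50 incompatible changes). The two later hunks (@@ -35,0 +167,5 @@ and @@ -982,0 +1119,5 @@) back-fill 2019 and 2014 entries that this file lacked; fine, but worth saying in the request description that ghostscript-mini.changes is being brought in line with ghostscript.changes so the extra +11 lines are not mistaken for new changes.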
@@ -1,0 +2,120 @@ +Wed Apr 29 12:09:39 CEST 2020 - jsm...@suse.de + +- The version upgrade to 9.52 fixes in particular + CVE-2020-12268: jbic2dec: heap-based buffer overflow + in jbig2_image_compose (bsc#1170603) +- Version upgrade to 9.52 + Highlights in this release include: + * The 9.52 release replaces the 9.51 release after a problem + was reported with 9.51 which warranted the quick turnaround. + Thus, like 9.51, 9.52 is primarily a maintenance release, + consolidating the changes we introduced in 9.50. + * IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt + (the "mt" indicating "multi-thread"). + LCMS2 is not thread-safe, and cannot be made thread-safe + without breaking the ABI. Our fork will be thread-safe and + include performance enhancements (these changes have all + been offered and rejected upstream). We will maintain + compatibility between Ghostscript and LCMS2 for a time, + but not in perpetuity. If there is sufficient interest, + our fork will be available as its own package separately + from Ghostscript (and MuPDF). + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * New option -dALLOWPSTRANSPARENCY: The transparency compositor + (and related features), whilst we are improving it, remains + sensitive to being driven correctly, and incorrect use + can have unexpected/undefined results. Hence, as part of + improving security, we limited access to these operators, + originally using the -dSAFER feature. As we made "SAFER" + the default mode, that became unacceptable, hence the + new option -dALLOWPSTRANSPARENCY which enables access + to the operators, cf. + https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY + For a release summary see: + https://www.ghostscript.com/doc/9.52/News.htm + For details see the News.htm and History9.htm files. 
+- Version upgrade to 9.51 + Highlights in this release include: + * 9.51 is primarily a maintainance release, consolidating + the changes we introduced in 9.50. + * We have continued our work on code hygiene for this release, + with a focus on the static analysis tool Coverity + (from Synopsys, Inc) and we are now maintaining a policy of + zero Coverity issues in the Ghostscript/GhostPDL source base. + * IMPORTANT: In consultation with a representative of + OpenPrinting (http://www.openprinting.org/) it is our + intention to deprecate and, in the not distant future, + remove the OpenPrinting Vector/Raster Printer Drivers + (that is, the opvp and oprp devices). + If you rely on either of these devices, please get in touch + with us (i.e. Ghostscript upstream), so we can discuss your + use case, and revise our plans accordingly. + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + https://www.ghostscript.com/doc/9.51/News.htm + For details see the News.htm and History9.htm files. +- Version upgrade to 9.50 + Highlights in this release include: + * The change to version 9.50 follows recognition + of the extent and importance of the file access control + redesign/reimplementation outlined below. + * The file access control capability (enable with -dSAFER) + has been completely rewritten, with a ground-up rethink + of the design. For more details, see: "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * It is important to note that -dSAFER now only enables the + file access controls, and no longer applies restrictions + to standard Postscript functionality (specifically, + restrictions on setpagedevice). 
If your application relies + on these Postscript restrictions, see "OLDSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer + and please get in touch, as we do plan to remove those + Postscript restrictions unless we have reason not to. + IMPORTANT: File access controls are now enabled by default. + In order to run Ghostscript without these controls, + see "NOSAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer + * We (i.e. Ghostscript upstream) are in the process of forking + LittleCMS, cf. the other release notes entries below. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * There are a couple of subtle incompatibilities between the old + and new SAFER implementations. Firstly, as mentioned above, + SAFER now leaves standard Postcript functionality unchanged + (except for the file access limitations). Secondly, the + interaction with save/restore operations, see "SAFER" at + https://www.ghostscript.com/doc/9.50/Use.htm#Safer + * The following is not strictly speaking new to 9.50, + as not much has changed since 9.27 in this area, + but for those who don't upgrade with every release: + The process of "tidying" the Postscript name space should have + removed only non-standard and undocumented operators. + Nevertheless, it is possible that any integrations or utilities + that rely on those non-standard and undocumented operators + may stop working, or may change behaviour. + If you encounter such a case, please contact us + (i.e. Ghostscript upstream, either the #ghostscript IRC channel + or the gs-devel mailing list would be best), and we'll work + with you to either find an alternative solution or return the + previous functionality, if there is genuinely no other option. + One case we know this has occurred is GSView 5 (and earlier). + GSView 5 support for PDF files relied upon internal use only + features which are no longer available. 
GSView 5 will still + work as previously for Postscript files. For PDF files, + users are encouraged to look at MuPDF https://www.mupdf.com/ + For a release summary see: + https://www.ghostscript.com/doc/9.50/News.htm + For details see the News.htm and History9.htm files. +- CVE-2019-10216.patch + gs-CVE-2019-14811-885444fc.patch + gs-CVE-2019-14817-cd1b1cac.patch + openjpeg4gs-CVE-2018-6616-8ee33522.patch + are fixed in the version 9.52 upstream sources. + +------------------------------------------------------------------- Old: ---- CVE-2019-10216.patch ghostscript-9.27.tar.gz gs-CVE-2019-14811-885444fc.patch gs-CVE-2019-14817-cd1b1cac.patch openjpeg4gs-CVE-2018-6616-8ee33522.patch New: ---- ghostscript-9.52.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.GWbhxQ/_old 2020-05-08 23:03:16.893608519 +0200 +++ /var/tmp/diff_new_pack.GWbhxQ/_new 2020-05-08 23:03:16.897608527 +0200 @@ -47,7 +47,7 @@ # so that we keep additionally the previous version number to upgrade from the previous version: # Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1. #Version: 9.25pre26rc1 -Version: 9.27 +Version: 9.52 Release: 0 # Normal version for Ghostscript releases is the upstream version: # tarball_version is used below to specify the directory via "setup -n": @@ -59,7 +59,7 @@ # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): #define built_version %{version} -%define built_version 9.27 +%define built_version 9.52 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases 
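Review bot: the @@ -1,0 +2,120 @@ hunk of ghostscript.changes carries the same 9.52 entry as ghostscript-mini.changes and needs the same corrections: "jbic2dec" should read jbig2dec (the function named on the next line is jbig2_image_compose), and the item listing the dropped patches should name all six CVE IDs they covered, since the removed spec comments show gs-CVE-2019-14811-885444fc.patch also fixed CVE-2019-14812 and CVE-2019-14813 while the changelog names only the patch file. Keeping both .changes files word-for-word identical is the right call, so whichever correction is applied should be applied to both.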
@@ -71,21 +71,13 @@ #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.27.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz +# wget -O ghostscript-9.52.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz # URL for MD5 checksums: -# wget -O gs927.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS -# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d ghostscript-9.27.tar.gz +# wget -O gs952.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS +# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz Source0: ghostscript-%{version}.tar.gz Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: -# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 -Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch -# Patch1 Add commit from of upstream to fix CVE-2019-10216 -Patch1: CVE-2019-10216.patch -# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -Patch2: gs-CVE-2019-14811-885444fc.patch -# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 -Patch3: gs-CVE-2019-14817-cd1b1cac.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: 
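Review bot: in the @@ -71,21 +71,13 @@ hunk of ghostscript-mini.spec (and the identical @@ -95,21 +95,13 @@ hunk of ghostscript.spec) the new checksum line "# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz" is only a comment, so nothing in the build verifies Source0 against it, and MD5 is no longer collision-resistant, which makes it a weak record for a tarball that has just replaced four CVE patches. Suggest recording a SHA-256 (sha256sum ghostscript-9.52.tar.gz) next to the MD5, or instead of it, and stating in the comment that the value was compared against upstream's published sums when the tarball was fetched. The removal of the Patch0..Patch3 declarations is consistent with the changelog statement that those fixes are in the 9.52 sources; the old comment numbering ("# Patch1" above Patch2:, "# Patch2" above Patch3:) was wrong, so nothing of value is lost there.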
@@ -93,6 +85,8 @@ # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch # RPM dependencies: Conflicts: ghostscript @@ -152,21 +146,14 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 -# openjpeg4gs-CVE-2018-6616-8ee33522.patch -%patch0 -# Patch1 Add commit from of upstream to fix CVE-2019-10216 -%patch1 -p0 -# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -%patch2 -p1 -# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 -%patch3 -p1 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.GWbhxQ/_old 2020-05-08 23:03:16.921608576 +0200 +++ /var/tmp/diff_new_pack.GWbhxQ/_new 2020-05-08 23:03:16.925608584 +0200 
@@ -71,7 +71,7 @@ # so that we keep additionally the previous version number to upgrade from the previous version: # Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1. #Version: 9.25pre26rc1 -Version: 9.27 +Version: 9.52 Release: 0 # Normal version for Ghostscript releases is the upstream version: # tarball_version is used below to specify the directory via "setup -n": @@ -83,7 +83,7 @@ # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): #define built_version %{version} -%define built_version 9.27 +%define built_version 9.52 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases 
@@ -95,21 +95,13 @@ #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.27.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz +# wget -O ghostscript-9.52.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz # URL for MD5 checksums: -# wget -O gs927.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS -# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d ghostscript-9.27.tar.gz +# wget -O gs952.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS +# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz Source0: ghostscript-%{version}.tar.gz Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: -# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 -Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch -# Patch1 Add commit from of upstream to fix CVE-2019-10216 -Patch1: CVE-2019-10216.patch -# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -Patch2: gs-CVE-2019-14811-885444fc.patch -# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 -Patch3: gs-CVE-2019-14817-cd1b1cac.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: 
@@ -117,6 +109,8 @@ # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from @@ -289,21 +283,14 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 -# openjpeg4gs-CVE-2018-6616-8ee33522.patch -%patch0 -# Patch1 Add commit from of upstream to fix CVE-2019-10216 -%patch1 -p0 -# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -%patch2 -p1 -# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 -%patch3 -p1 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig +# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem +# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 ++++++ ghostscript-9.27.tar.gz -> ghostscript-9.52.tar.gz ++++++ /work/SRC/openSUSE:Factory/ghostscript/ghostscript-9.27.tar.gz /work/SRC/openSUSE:Factory/.ghostscript.new.2738/ghostscript-9.52.tar.gz differ: char 5, line 1
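Review bot: the new Patch101 comment in the @@ -93,6 +85,8 @@ hunk of ghostscript-mini.spec and the @@ -117,6 +109,8 @@ hunk of ghostscript.spec says that allowing exec of hpijs in the AppArmor profile "was needed" for bsc#1128467, but Source1: apparmor_ghostscript is not changed anywhere in this request. Either the profile already contains that rule, in which case the comment should say so, or the comment describes a change that is not here. Since the changelog entry of 2019-09-23 made the profile enforcing, a missing exec rule would surface only at print time as a denied exec of hpijs, not at build time, so it is worth confirming before merge. The same two-line comment is pasted again at the %patch101 -p1 application site in the @@ -152,21 +146,14 @@ / @@ -289,21 +283,14 @@ hunks; if one copy is corrected the other must be too.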
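Review bot: with %patch0 through %patch3 removed from %prep in the @@ -152,21 +146,14 @@ hunk of ghostscript-mini.spec and the @@ -289,21 +283,14 @@ hunk of ghostscript.spec, Patch100 is now declared (Patch100: remove-zlib-h-dependency.patch) but never applied, since its application has stayed commented out as "#patch100 -p1 -b remove-zlib-h-dependency.orig" with the note that 9.21 no longer builds that way; either drop the dead declaration together with its patch file or add a one-line comment explaining why it is kept. Dropping the openjpeg patch also deserves a sentence in the changelog: the 2020-01-31 entry says system openjpeg2 is used only on Tumbleweed/Factory, so on any target that still builds the bundled openjpeg the CVE-2018-6616 fix now has to come from the 9.52 tarball, which is what the changelog asserts but which the spec no longer documents.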