SUSE:SLE-15-SP4:Update
File ghostscript-mini.spec of Package ghostscript-mini.36165
#
# spec file for package ghostscript-mini
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

Name:           ghostscript-mini
BuildRequires:  freetype2-devel
BuildRequires:  libjpeg-devel
BuildRequires:  liblcms2-devel
BuildRequires:  libpng-devel
BuildRequires:  libtiff-devel
BuildRequires:  libtool
BuildRequires:  pkg-config
BuildRequires:  update-alternatives
BuildRequires:  zlib-devel
Requires(post): update-alternatives
Requires(preun):update-alternatives
Summary:        Minimal Ghostscript for minimal build requirements
License:        AGPL-3.0-only
Group:          System/Libraries
URL:            https://www.ghostscript.com/
# Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
# Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
# would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
# and 9.15.rc.1 is newer than 9.15 (it has one more element in the list while previous elements are equal)
# so that we use an alphabetic prefix 'pre' to make it older than 9.15 (numbers are considered newer than letters).
# But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
# because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version:        9.25pre26rc1
Version:        9.52
Release:        0
# Normal version for Ghostscript releases is the upstream version:
# tarball_version is used below to specify the directory via "setup -n":
# Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
# For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
%define tarball_version %{version}
# built_version is used below in the install and files sections:
# Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
# For Ghostscript releases built_version and version are the same (i.e. the upstream version):
%define built_version %{version}
# Source0...Source9 is for sources from upstream:
# Special URLs for Ghostscript release candidates:
# see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
# URL for Source0:
# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz
# URL for MD5 checksums:
# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS
# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz
# Normal URLs for Ghostscript releases:
# URL for Source0:
# wget -O ghostscript-9.52.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz
# URL for MD5 checksums:
# wget -O gs952.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 ghostscript-9.52.tar.gz
Source0:        ghostscript-%{tarball_version}.tar.gz
# Patch0...Patch9 is for patches from upstream:
# Patch1 CVE-2020-15900.patch is
# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
# that fixes CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
Patch1:         CVE-2020-15900.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
# Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
Patch100:       remove-zlib-h-dependency.patch
# Patch101 CVE-2021-3781.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
# that fixes CVE-2021-3781 Trivial -dSAFER bypass
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381
Patch101:       CVE-2021-3781.patch
# Patch102 CVE-2021-45944.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7861fcad13c497728189feafb41cd57b5b50ea25
# that fixes CVE-2021-45944 use-after-free in sampled_data_sample
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194303
Patch102:       CVE-2021-45944.patch
# Patch103 CVE-2021-45949.patch must be applied on top of Patch102 CVE-2021-45944.patch
# and Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
Patch103:       CVE-2021-45949.patch
# Patch104 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
Patch104:       CVE-2023-28879.patch
# Patch105 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
# that fixes compilation with FreeType 2.10.3+
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702985
# see also the OBS Printing ghostscript ghostscript.changes entry dated
# "Tue Oct 20 16:38:24 CEST 2020 - Ismail Dönmez <idonmez@suse.com>"
Patch105:       41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch
# Patch106 CVE-2023-36664.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
Patch106:       CVE-2023-36664.patch
# Patch107 CVE-2023-38559.patch is for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
Patch107:       CVE-2023-38559.patch
# Patch108 CVE-2023-43115.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
Patch108:       CVE-2023-43115.patch
# Patch109 CVE-2023-46751.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# (there is no "device initialization redesign" in Ghostscript-9.52)
# that fixes CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707264
# and https://bugzilla.suse.com/show_bug.cgi?id=1217871
Patch109:       CVE-2023-46751.patch
# Patch110 txtwrite_use_after_free.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8c7bd787defa071c96289b7da9397f673fddb874
# to fix https://bugs.ghostscript.com/show_bug.cgi?id=702229
# "txtwrite: use after free in 9.51 on some files (regression from 9.50)"
# see also https://bugzilla.opensuse.org/show_bug.cgi?id=1177922
# and https://bugzilla.suse.com/show_bug.cgi?id=1191841
Patch110:       txtwrite_use_after_free.patch
# Patch111 bsc1219357.patch is derived for Ghostscript-9.52 from
# https://github.com/ArtifexSoftware/ghostpdl/commit/4ceaf92815302863a8c86fcfcf2347e0118dd3a5
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1219357
# "Ghostscript segfaults in gs_heap_free_object()"
Patch111:       bsc1219357.patch
# Patch112 CVE-2023-52722.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1
# "In SAFER (default) don't allow eexec seeds other than the Type 1 standard"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1223852
# "ghostscript: eexec seeds other than the Type 1 standard are allowed while using SAFER mode"
Patch112:       CVE-2023-52722.patch
# Patch113 CVE-2024-33871.patch is for Ghostscript-9.52 from the Debian patch
# https://sources.debian.org/src/ghostscript/9.53.3~dfsg-7%2Bdeb11u7/debian/patches/020240510~b41477c.patch/
# which is based on Chris Liddell's backport to ghostpdl 9.53.3
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/user/chrisl/ghostpdl.git/commit/?h=ghostpdl-9.53.3_Bug707754
# of the upstream patch
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908
# "OPVP device - prevent unsafe parameter change with SAFER"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1225491
# "OPVP device arbitrary code execution via custom Driver library"
Patch113:       CVE-2024-33871.patch
# Patch114 CVE-2024-29510.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f
# "Uniprint device - prevent string configuration changes when SAFER"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226945
# "format string injection leads to shell command execution (SAFER bypass)"
Patch114:       CVE-2024-29510.patch
# Patch115 CVE-2024-33870.patch is for Ghostscript-9.52 derived from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
# see https://bugs.ghostscript.com/show_bug.cgi?id=707686
# and adapted to apply after the above bsc1219357.patch and CVE-2023-36664.patch
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226944
# "path traversal to arbitrary files if the current directory is in the permitted paths"
Patch115:       CVE-2024-33870.patch
# Patch116 CVE-2024-33869.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43
# and
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
# see https://bugs.ghostscript.com/show_bug.cgi?id=707691
# and adapted to apply after the above bsc1219357.patch and CVE-2023-36664.patch and CVE-2024-33870.patch
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226946
# "path traversal and command execution due to path reduction"
Patch116:       CVE-2024-33869.patch
# Patch117 CVE-2024-29508.patch is for Ghostscript-9.52 derived from
# https://git.ghostscript.com/?p=ghostpdl.git;h=ff1013a0ab485b66783b70145e342a82c670906a
# therein only the part that addresses CVE-2024-29508
# i.e. the change in gdevpdtb.c which "uses a fixed name for fonts which have no name
# instead of using the pointer to the address of the font" which is
# https://git.ghostscript.com/?p=ghostpdl.git;a=blobdiff;f=devices/vector/gdevpdtb.c;h=3d7dcae53b722e288b203f827adaabec65db48df;hp=41046aa21fc8ff0042b1d409b84241a05c61dcba;hb=ff1013a0ab485b66783b70145e342a82c670906a;hpb=f6f3ebf96080d186598c55a6c259344cf059aca1
# see https://bugs.ghostscript.com/show_bug.cgi?id=707510
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1227380
# "heap pointer leak in pdf_base_font_alloc()"
Patch117:       CVE-2024-29508.patch
# Patch118 CVE-2024-46951.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa
# that fixes CVE-2024-46951
# "Arbitrary code execution via unchecked 'Implementation' pointer in 'Pattern' color space"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707991
# and https://bugzilla.suse.com/show_bug.cgi?id=1232265
Patch118:       CVE-2024-46951.patch
# Patch119 CVE-2024-46953.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa
# that fixes CVE-2024-46953
# "An integer overflow when parsing the page format results in path truncation, path traversal, code execution"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707793
# and https://bugzilla.suse.com/show_bug.cgi?id=1232267
Patch119:       CVE-2024-46953.patch
# Patch120 CVE-2024-46955.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=85bd9d2f4b79
# that fixes CVE-2024-46955
# "Out of bounds read when reading color in 'Indexed' color space"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707990
# and https://bugzilla.suse.com/show_bug.cgi?id=1232269
Patch120:       CVE-2024-46955.patch
# Patch121 CVE-2024-46956.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32
# that fixes CVE-2024-46956
# "Arbitrary code execution via out of bounds data access in filenameforall"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707895
# and https://bugzilla.suse.com/show_bug.cgi?id=1232270
Patch121:       CVE-2024-46956.patch
# RPM dependencies:
Conflicts:      ghostscript
Conflicts:      ghostscript-x11
Conflicts:      ghostscript-devel
Conflicts:      ghostscript-library
# Install into this non-root directory (required when norootforbuild is used):
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Crippled Minimal Ghostscript which is not meant to be used by end-users.

Minimal Ghostscript provides only the file format drivers
in particular to output JPEG PNG PostScript and PDF files
but no printer drivers (in particular neither 'cups' nor 'ijs')
and no X11 drivers.

The ghostscript-mini package is only meant to be used
by the openSUSE build service to avoid possible loops
in the build dependencies because ghostscript-mini
has minimal build dependencies
(in particular neither CUPS nor X11 build dependencies).

For most packages which need to only run Ghostscript during build,
a single line "BuildRequires: ghostscript-mini"
should be sufficient in the RPM spec file.

For most packages which need Ghostscript development files to build,
a single line "BuildRequires: ghostscript-mini-devel"
should be sufficient in the RPM spec file.

The ghostscript-mini package in the openSUSE build service
contains no sources and it must not contain any source files.
The ghostscript-mini package is only a link
to its matching ghostscript "parent" package.
Only that ghostscript package must contain all sources and
any changes must happen only for that ghostscript package.
This means any changes for the ghostscript-mini package
will be rejected in the openSUSE build service.

%package devel
Summary:        Development files for Minimal Ghostscript
Group:          Development/Libraries/C and C++
Requires:       ghostscript-mini = %{version}
Conflicts:      ghostscript
Conflicts:      ghostscript-x11
Conflicts:      ghostscript-devel
Conflicts:      ghostscript-library

%description devel
This package contains the development files for Minimal Ghostscript.

%prep
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch1 CVE-2020-15900.patch is
# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
# that fixes CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
%patch1 -b CVE-2020-15900.orig
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
#patch100 -p1 -b remove-zlib-h-dependency.orig
# Patch101 CVE-2021-3781.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
# that fixes CVE-2021-3781 Trivial -dSAFER bypass
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
# and https://bugzilla.suse.com/show_bug.cgi?id=1190381
%patch101 -b CVE-2021-3781.orig
# Patch102 CVE-2021-45944.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7861fcad13c497728189feafb41cd57b5b50ea25
# that fixes CVE-2021-45944 use-after-free in sampled_data_sample
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194303
%patch102 -b CVE-2021-45944.orig
# Patch103 CVE-2021-45949.patch must be applied on top of Patch102 CVE-2021-45944.patch
# and Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
%patch103 -b CVE-2021-45949.orig
# Patch104 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
%patch104 -b CVE-2023-28879.orig
# Patch105 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
# that fixes compilation with FreeType 2.10.3+
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702985
# see also the OBS Printing ghostscript ghostscript.changes entry dated
# "Tue Oct 20 16:38:24 CEST 2020 - Ismail Dönmez <idonmez@suse.com>"
%patch105 -b 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.orig
# Patch106 CVE-2023-36664.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
# and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# that fixes CVE-2023-36664
# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
%patch106 -b CVE-2023-36664.orig
# Patch107 CVE-2023-38559.patch is for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# that fixes CVE-2023-38559
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# see https://bugzilla.suse.com/show_bug.cgi?id=1213637
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
%patch107 -b CVE-2023-38559.orig
# Patch108 CVE-2023-43115.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
# that fixes CVE-2023-43115
# "remote code execution via crafted PostScript documents in gdevijs.c"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707051
# and https://bugzilla.suse.com/show_bug.cgi?id=1215466
%patch108 -b CVE-2023-43115.orig
# Patch109 CVE-2023-46751.patch is derived for Ghostscript-9.52 from
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13
# (there is no "device initialization redesign" in Ghostscript-9.52)
# that fixes CVE-2023-46751
# "dangling pointer in gdev_prn_open_printer_seekable()"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707264
# and https://bugzilla.suse.com/show_bug.cgi?id=1217871
%patch109 -b CVE-2023-46751.orig
# Patch110 txtwrite_use_after_free.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8c7bd787defa071c96289b7da9397f673fddb874
# to fix https://bugs.ghostscript.com/show_bug.cgi?id=702229
# "txtwrite: use after free in 9.51 on some files (regression from 9.50)"
# see also https://bugzilla.opensuse.org/show_bug.cgi?id=1177922
# and https://bugzilla.suse.com/show_bug.cgi?id=1191841
%patch110 -p1 -b txtwrite_use_after_free.orig
# Patch111 bsc1219357.patch is derived for Ghostscript-9.52 from
# https://github.com/ArtifexSoftware/ghostpdl/commit/4ceaf92815302863a8c86fcfcf2347e0118dd3a5
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1219357
# "Ghostscript segfaults in gs_heap_free_object()"
%patch111 -p1 -b bsc1219357.orig
# Patch112 CVE-2023-52722.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1
# "In SAFER (default) don't allow eexec seeds other than the Type 1 standard"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1223852
# "ghostscript: eexec seeds other than the Type 1 standard are allowed while using SAFER mode"
%patch112 -b CVE-2023-52722.orig
# Patch113 CVE-2024-33871.patch is for Ghostscript-9.52 from the Debian patch
# https://sources.debian.org/src/ghostscript/9.53.3~dfsg-7%2Bdeb11u7/debian/patches/020240510~b41477c.patch/
# which is based on Chris Liddell's backport to ghostpdl 9.53.3
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/user/chrisl/ghostpdl.git/commit/?h=ghostpdl-9.53.3_Bug707754
# of the upstream patch
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908
# "OPVP device - prevent unsafe parameter change with SAFER"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1225491
# "OPVP device arbitrary code execution via custom Driver library"
%patch113 -b CVE-2024-33871.orig
# Patch114 CVE-2024-29510.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f
# "Uniprint device - prevent string configuration changes when SAFER"
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226945
# "format string injection leads to shell command execution (SAFER bypass)"
%patch114 -b CVE-2024-29510.orig
# Patch115 CVE-2024-33870.patch is for Ghostscript-9.52 derived from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
# see https://bugs.ghostscript.com/show_bug.cgi?id=707686
# and adapted to apply after the above bsc1219357.patch and CVE-2023-36664.patch
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226944
# "path traversal to arbitrary files if the current directory is in the permitted paths"
%patch115 -b CVE-2024-33870.orig
# Patch116 CVE-2024-33869.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43
# and
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
# see https://bugs.ghostscript.com/show_bug.cgi?id=707691
# and adapted to apply after the above bsc1219357.patch and CVE-2023-36664.patch and CVE-2024-33870.patch
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1226946
# "path traversal and command execution due to path reduction"
%patch116 -b CVE-2024-33869.orig
# Patch117 CVE-2024-29508.patch is for Ghostscript-9.52 derived from
# https://git.ghostscript.com/?p=ghostpdl.git;h=ff1013a0ab485b66783b70145e342a82c670906a
# therein only the part that addresses CVE-2024-29508
# i.e. the change in gdevpdtb.c which "uses a fixed name for fonts which have no name
# instead of using the pointer to the address of the font" which is
# https://git.ghostscript.com/?p=ghostpdl.git;a=blobdiff;f=devices/vector/gdevpdtb.c;h=3d7dcae53b722e288b203f827adaabec65db48df;hp=41046aa21fc8ff0042b1d409b84241a05c61dcba;hb=ff1013a0ab485b66783b70145e342a82c670906a;hpb=f6f3ebf96080d186598c55a6c259344cf059aca1
# see https://bugs.ghostscript.com/show_bug.cgi?id=707510
# to fix https://bugzilla.suse.com/show_bug.cgi?id=1227380
# "heap pointer leak in pdf_base_font_alloc()"
%patch117 -b CVE-2024-29508.orig
# Patch118 CVE-2024-46951.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa
# that fixes CVE-2024-46951
# "Arbitrary code execution via unchecked 'Implementation' pointer in 'Pattern' color space"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707991
# and https://bugzilla.suse.com/show_bug.cgi?id=1232265
%patch118 -b CVE-2024-46951.orig
# Patch119 CVE-2024-46953.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa
# that fixes CVE-2024-46953
# "An integer overflow when parsing the page format results in path truncation, path traversal, code execution"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707793
# and https://bugzilla.suse.com/show_bug.cgi?id=1232267
%patch119 -b CVE-2024-46953.orig
# Patch120 CVE-2024-46955.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=85bd9d2f4b79
# that fixes CVE-2024-46955
# "Out of bounds read when reading color in 'Indexed' color space"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707990
# and https://bugzilla.suse.com/show_bug.cgi?id=1232269
%patch120 -b CVE-2024-46955.orig
# Patch121 CVE-2024-46956.patch is for Ghostscript-9.52 from
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32
# that fixes CVE-2024-46956
# "Arbitrary code execution via out of bounds data access in filenameforall"
# see https://bugs.ghostscript.com/show_bug.cgi?id=707895
# and https://bugzilla.suse.com/show_bug.cgi?id=1232270
%patch121 -b CVE-2024-46956.orig
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig
# Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball
# because we prefer to use for long-established standard libraries the ones from SUSE
# in particular to automatically get SUSE security updates for standard libraries.
# In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one
# is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE:
#rm -rf freetype jpeg libpng tiff zlib
# Again use the zlib sources from Ghostscript upstream
# and disable remove-zlib-h-dependency.patch because
# Ghostscript 9.21 does no longer build this way:
rm -rf freetype jpeg libpng tiff
# In contrast to the above we use lcms2 from SUSE since Ghostscript 9.23rc1
# because that is what Ghostscript upstream recommends according to
# https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html
# because since Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript
# but now it is lcms2art (the beginning of a lcms2 fork - see News.htm).
# On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5
# which is too old so that configure fails there with
# checking for local lcms2 library source... no
# checking for system lcms2 library... checking for _cmsCreateMutex in -llcms2... no
# configure: error: lcms2 not found, or too old
# (on SLE12-SP2 there is liblcms2-2-2.7 which is not too old)
# but there is no configure option to build it without lcms2
# so that for SLE11 and SLE12-SP1 it is built with lcms2art in Ghostscript
# i.e. lcms2art in Ghostscript is only removed when not SLE11 or SLE12-SP1
# cf. https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
%if 0%{?suse_version} == 1110 || 0%{?sle_version} == 120100
echo "Building it with lcms2art in Ghostscript"
%else
rm -rf lcms2art
%endif

%build
# Derive build timestamp from latest changelog entry
export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
# Set our preferred architecture-specific flags for the compiler and linker:
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fPIC"
export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fPIC"
export LDFLAGS="$LDFLAGS -pie"
autoreconf -fi
# --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
# --disable-cups and --without-pdftoraster
# to have nothing related to CUPS in the minimal Ghostscript.
# --disable-dbus to have nothing related to D-Bus in the minimal Ghostscript.
# --without-ijs to disable IJS printer driver support in the minimal Ghostscript.
# --with-drivers=FILES to have only the file format drivers
# but no printer drivers in the minimal Ghostscript.
# --without-x to not use the X Window System.
# --enable-openjpeg because since Ghostscript 9.05 JasPer is deprecated
# (--without-jasper is now an unrecognized option by configure)
# and Ghostscript now ships modified OpenJPEG sources for JPEG2000 decoding
# (replacing JasPer - although JasPer is still included for this release)
# Performance, reliability and memory use whilst decoding JPX streams are all improved.
# see also http://bugs.ghostscript.com/show_bug.cgi?id=691430
# --without-ufst and --without-luratech because those are relevant to commercial releases only
# which would require a commercial license.
# --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...)
# into the library, which is the upstream recommendation for distributions. This also allows
# unbundling the 35 Postscript Standard fonts, provided by the URW font package
# --without-libpaper disables libpaper support because SUSE does not have libpaper.
%define gs_font_path /usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
# See http://bugs.ghostscript.com/show_bug.cgi?id=693100
export SUSE_ASNEEDED=0
./configure --prefix=%{_prefix} \
            --bindir=%{_bindir} \
            --libdir=%{_libdir} \
            --datadir=%{_datadir} \
            --mandir=%{_mandir} \
            --infodir=%{_infodir} \
            --with-fontpath=%{gs_font_path} \
            --with-libiconv=maybe \
            --enable-freetype \
            --with-jbig2dec \
            --enable-openjpeg \
            --enable-dynamic \
            --disable-compile-inits \
            --without-ijs \
            --disable-cups \
            --disable-dbus \
            --without-pdftoraster \
            --with-drivers=FILES \
            --without-x \
            --disable-gtk \
            --without-ufst \
            --without-luratech \
            --without-libpaper
# Make libgs.so and two programs which use it, gsx and gsc:
# With --disable-gtk, gsx and gsc are identical. It provides a command line
# frontend to libgs equivalent (functional and command line arguments) to
# the gs binary, but uses the shared libgs instead of static linking
make so
# Configure and make libijs (that is not done regardless whether or not --with-ijs is used above):
pushd ijs
./autogen.sh
autoreconf -fi
./configure --prefix=%{_prefix} \
            --bindir=%{_bindir} \
            --libdir=%{_libdir} \
            --datadir=%{_datadir} \
            --mandir=%{_mandir} \
            --infodir=%{_infodir} \
            --enable-shared \
            --disable-static
make
popd

%install
# Install libgs.so gsx gsc and some header files:
make soinstall DESTDIR=%{buildroot}
# Use gsc instead of gs, and remove duplicate gsx (see above)
mv %{buildroot}/%{_bindir}/{gsc,gs}
rm %{buildroot}/%{_bindir}/gsx
# Install libijs and its header files:
pushd ijs
make install DESTDIR=%{buildroot}
popd
# Remove installed ijs example client and server and its .la file:
rm %{buildroot}%{_bindir}/ijs_client_example
rm %{buildroot}%{_bindir}/ijs_server_example
rm %{buildroot}%{_libdir}/libijs.la
# Install examples:
EXAMPLESDIR=%{buildroot}%{_datadir}/ghostscript/%{built_version}/examples
test -d $EXAMPLESDIR || install -d $EXAMPLESDIR
for E in examples/*
do install -m 644 $E $EXAMPLESDIR || :
done
test -d $EXAMPLESDIR/cjk || install -d $EXAMPLESDIR/cjk
for E in examples/cjk/*
do install -m 644 $E $EXAMPLESDIR/cjk || :
done
# Install documentation which is not installed by default
# see http://bugs.ghostscript.com/show_bug.cgi?id=693002
# and fail intentionally as notification if something changed:
DOCDIR=%{buildroot}%{_datadir}/doc/ghostscript/%{built_version}
for D in LICENSE
do test -e $DOCDIR/$( basename $D ) && exit 99
   install -m 644 $D $DOCDIR
done
# Add a link named 'ghostscript' from SUSE's usual documentation directory /usr/share/doc/packages
# with link target Ghostscript's documentation directory e.g. /usr/share/doc/ghostscript/9.23
# as relative link to get the link independent of the buildroot prefix
# i.e. in /usr/share/doc/packages add the link ghostscript -> ../ghostscript/9.23
# because "configure --docdir=%%{_defaultdocdir}/%%{name}" does not work (see above):
install -d -m 755 %{buildroot}%{_defaultdocdir}
pushd %{buildroot}%{_defaultdocdir}
ln -s ../ghostscript/%{built_version} ghostscript
popd
# Extract the catalog of devices which are actually built-in in exactly this Ghostscript:
# If a needed source file is no longer accessible fail intentionally as notification
# that something changed which needs adaptions here:
for F in devices/devs.mak devices/contrib.mak contrib/contrib.mak
do test -r $F || exit 99
done
# Do not pollute the build log file with zillions of meaningless messages:
set +x
cat /dev/null >catalog.devices
for D in $( LD_LIBRARY_PATH=%{buildroot}/%{_libdir} %{buildroot}/usr/bin/gs -h | sed -n -e '/^Available devices:/,/^Search path:/p' | egrep -v '^Available devices:|^Search path:' )
do for F in devices/devs.mak devices/contrib.mak contrib/contrib.mak
   do sed -n -e '/ Catalog /,/ End of catalog /p' $F | grep "[[:space:]]$D[[:space:]]" | grep -o '[[:alnum:]].*' | tr -s '[:blank:]' ' ' | sed -e 's/ /\t/' | expand -t16 >>catalog.devices
   done
done
# Switch back to the usual build log messages:
set -x
install -m 644 catalog.devices $DOCDIR
# Move /usr/bin/gs to /usr/bin/gs.bin to be able to use update-alternatives
install -d %buildroot%{_sysconfdir}/alternatives
mv %{buildroot}%{_bindir}/gs %{buildroot}%{_bindir}/gs.bin
ln -sf %{_bindir}/gs.bin %{buildroot}%{_sysconfdir}/alternatives/gs
ln -sf %{_sysconfdir}/alternatives/gs %{buildroot}%{_bindir}/gs

%post
/sbin/ldconfig
%{_sbindir}/update-alternatives \
  --install %{_bindir}/gs gs %{_bindir}/gs.bin 15

%postun -p /sbin/ldconfig

%preun
if test $1 -eq 0 ; then
  %{_sbindir}/update-alternatives \
    --remove gs %{_bindir}/gs.bin
fi

%files
%defattr(-, root, root)
%ghost %config %{_sysconfdir}/alternatives/gs
%{_bindir}/dvipdf
%{_bindir}/eps2eps
%{_bindir}/gs
%{_bindir}/gs.bin
%{_bindir}/gsbj
%{_bindir}/gsdj
%{_bindir}/gsdj500 %{_bindir}/gslj %{_bindir}/gslp %{_bindir}/gsnd %{_bindir}/lprsetup.sh %{_bindir}/pdf2dsc %{_bindir}/pdf2ps %{_bindir}/pf2afm %{_bindir}/pfbtopfa %{_bindir}/pphs %{_bindir}/printafm %{_bindir}/ps2ascii %{_bindir}/ps2epsi %{_bindir}/ps2pdf %{_bindir}/ps2pdf12 %{_bindir}/ps2pdf13 %{_bindir}/ps2pdf14 %{_bindir}/ps2pdfwr %{_bindir}/ps2ps %{_bindir}/ps2ps2 %{_bindir}/unix-lpr.sh %doc %{_mandir}/man1/dvipdf.1.gz %doc %{_mandir}/man1/eps2eps.1.gz %doc %{_mandir}/man1/gs.1.gz %doc %{_mandir}/man1/gsbj.1.gz %doc %{_mandir}/man1/gsdj.1.gz %doc %{_mandir}/man1/gsdj500.1.gz %doc %{_mandir}/man1/gslj.1.gz %doc %{_mandir}/man1/gslp.1.gz %doc %{_mandir}/man1/gsnd.1.gz %doc %{_mandir}/man1/pdf2dsc.1.gz %doc %{_mandir}/man1/pdf2ps.1.gz %doc %{_mandir}/man1/pf2afm.1.gz %doc %{_mandir}/man1/pfbtopfa.1.gz %doc %{_mandir}/man1/printafm.1.gz %doc %{_mandir}/man1/ps2ascii.1.gz %doc %{_mandir}/man1/ps2epsi.1.gz %doc %{_mandir}/man1/ps2pdf.1.gz %doc %{_mandir}/man1/ps2pdf12.1.gz %doc %{_mandir}/man1/ps2pdf13.1.gz %doc %{_mandir}/man1/ps2pdf14.1.gz %doc %{_mandir}/man1/ps2pdfwr.1.gz %doc %{_mandir}/man1/ps2ps.1.gz %doc %{_mandir}/de/man1/dvipdf.1.gz %doc %{_mandir}/de/man1/eps2eps.1.gz %doc %{_mandir}/de/man1/gsnd.1.gz %doc %{_mandir}/de/man1/pdf2dsc.1.gz %doc %{_mandir}/de/man1/pdf2ps.1.gz %doc %{_mandir}/de/man1/printafm.1.gz %doc %{_mandir}/de/man1/ps2ascii.1.gz %doc %{_mandir}/de/man1/ps2pdf.1.gz %doc %{_mandir}/de/man1/ps2pdf12.1.gz %doc %{_mandir}/de/man1/ps2pdf13.1.gz %doc %{_mandir}/de/man1/ps2pdf14.1.gz %doc %{_mandir}/de/man1/ps2ps.1.gz %doc %{_defaultdocdir}/ghostscript %dir %{_datadir}/doc/ghostscript %doc %{_datadir}/doc/ghostscript/%{built_version} %dir %{_datadir}/ghostscript %dir %{_datadir}/ghostscript/%{built_version} %{_datadir}/ghostscript/%{built_version}/Resource %{_datadir}/ghostscript/%{built_version}/iccprofiles %{_datadir}/ghostscript/%{built_version}/examples/ %{_datadir}/ghostscript/%{built_version}/lib/ %{_libdir}/libgs.so.* 
%{_libdir}/ghostscript/ %{_libdir}/libijs-0.35.so %files devel %defattr(-,root,root) %{_includedir}/ghostscript/ %{_libdir}/libgs.so %{_includedir}/ijs/ %{_libdir}/libijs.so %{_libdir}/pkgconfig/ijs.pc %changelog