diff --git a/Bugfix-for-CVE-2024-29510.patch b/Bugfix-for-CVE-2024-29510.patch
deleted file mode 100644
index f3f6e7fbc7e53312936d1d7d0e43d151a005ec14..0000000000000000000000000000000000000000
--- a/Bugfix-for-CVE-2024-29510.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 6084990327177c0e3409d063e4d40c7dfed2e97d Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:26:10 +0800 -Subject: [PATCH] Bugfix for CVE-2024-29510 - ---- - devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/devices/gdevupd.c b/devices/gdevupd.c -index 740dae0..0eac02b 100644 ---- a/devices/gdevupd.c -+++ b/devices/gdevupd.c -@@ -1887,6 +1887,16 @@ out on this copies. - if(!upd_strings[i]) continue; - UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (strings[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRINGS; - UPD_MM_DEL_PARAM(udev->memory, strings[i]); - if(!value.size) { -@@ -1904,6 +1914,26 @@ out on this copies. - if(!upd_string_a[i]) continue; - UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (string_a[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ int loop; -+ for (loop = 0;loop < string_a[i].size;loop++) { -+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); -+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; -+ -+ if (tmp1->size != tmp2->size) -+ error = gs_error_invalidaccess; -+ else { -+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ } -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRING_A; - UPD_MM_DEL_APARAM(udev->memory, string_a[i]); - if(!value.size) { -@@ -2098,6 +2128,7 @@ transferred into the device-structure. 
In the case of "uniprint", this may - if(0 > code) error = code; - } - -+exit: - if(0 < error) { /* Actually something loaded without error */ - - if(!(upd = udev->upd)) { --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33869.patch b/Bugfix-for-CVE-2024-33869.patch deleted file mode 100644 index eee4be6416b688c020721f5a09fe8c9f5a318465..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33869.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 0b257385e39b1213e5e971add5476b7da330b963 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:33:19 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33869 - ---- - base/gpmisc.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index c4a69b0..b0d5c71 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem, - rlen = len; - } - else { -+ char *test = (char *)path, *test1; -+ uint tlen = len, slen; -+ -+ /* Look for any pipe (%pipe% or '|' specifications between path separators -+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start. -+ */ -+ while (tlen > 0) { -+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ test1 = test; -+ slen = search_separator((const char **)&test, path + len, test1, 1); -+ if(slen == 0) -+ break; -+ test += slen; -+ tlen -= test - test1; -+ if (test >= path + len) -+ break; -+ } -+ - rlen = len+1; - bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); - if (bufferfull == NULL) -@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem, - - continue; - } -- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -- buffer = bufferfull + cdirstrl + dirsepstrl; -+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull -+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) { - continue; - } - break; --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33870.patch b/Bugfix-for-CVE-2024-33870.patch deleted file mode 100644 index f13ae6d09c3ff2b8c8c0ffc2fdeecbae8e92af31..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33870.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 26b9b4262dcd6a5d2c0a494c80ba38c216a44151 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:30:42 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33870 - ---- - base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++---- - 1 file changed, 32 insertions(+), 4 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index 2b0064b..c4a69b0 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1,4 +1,4 @@ --/* Copyright (C) 2001-2023 Artifex Software, Inc. -+/* Copyright (C) 2001-2024 Artifex Software, Inc. - All Rights Reserved. - - This software is provided AS-IS with no warranty, either express or -@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, - const uint len, - const char *mode) - { -- char *buffer, *bufferfull; -+ char *buffer, *bufferfull = NULL; - uint rlen; - int code = 0; - const char *cdirstr = gp_file_name_current(); -@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem, - return gs_error_VMerror; - - buffer = bufferfull + prefix_len; -- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) -- return gs_error_invalidfileaccess; -+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } - buffer[rlen] = 0; - } - while (1) { -@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem, - code = gs_note_error(gs_error_invalidfileaccess); - } - if (code < 0 && prefix_len > 0 && buffer > bufferfull) { -+ uint newlen = rlen + cdirstrl + dirsepstrl; -+ char *newbuffer; -+ int code; -+ - buffer = bufferfull; - memcpy(buffer, cdirstr, cdirstrl); - memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); -+ -+ /* We've prepended a './' or similar for the current working directory. We need -+ * to execute file_name_reduce on that, to eliminate any '../' or similar from -+ * the (new) full path. 
-+ */ -+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); -+ if (newbuffer == NULL) { -+ code = gs_note_error(gs_error_VMerror); -+ goto exit; -+ } -+ -+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); -+ newbuffer[newlen] = 0x00; -+ -+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); -+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); -+ if (code != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ - continue; - } - else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem, - gs_path_control_flag_is_scratch_file); - } - -+exit: - gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); - #ifdef EACCES - if (code == gs_error_invalidfileaccess) --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33871.patch b/Bugfix-for-CVE-2024-33871.patch deleted file mode 100644 index f4af83b70ee642d9c97a728d00321976a26304fb..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33871.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 6afe688e06ca700dd4f187a80777eb1947a534a5 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:36:21 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33871 - ---- - contrib/opvp/gdevopvp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c -index 74200cf..80eb23b 100644 ---- a/contrib/opvp/gdevopvp.c -+++ b/contrib/opvp/gdevopvp.c -@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) - code = param_read_string(plist, pname, &vdps); - switch (code) { - case 0: -+ if (gs_is_path_control_active(dev->memory) -+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size -+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { -+ param_signal_error(plist, pname, gs_error_invalidaccess); -+ return_error(gs_error_invalidaccess); -+ } - buff = realloc(buff, vdps.size + 1); - memcpy(buff, vdps.data, vdps.size); - buff[vdps.size] = 0; --- -2.27.0 - diff --git a/ghostscript-10.01.0-fix-linkage.patch b/ghostscript-10.01.0-fix-linkage.patch deleted file mode 100644 index deac484839b5935101c6f533e4c9ac23daaf1287..0000000000000000000000000000000000000000 --- a/ghostscript-10.01.0-fix-linkage.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- ghostscript-10.01.0/devices/devs.mak.orig 2023-03-23 12:23:25.642893279 +0800 -+++ ghostscript-10.01.0/devices/devs.mak 2023-03-23 12:23:56.089893279 +0800 -@@ -396,8 +396,8 @@ - ### Shared library object supporting X11. - ### NON PORTABLE, ONLY UNIX WITH GCC SUPPORT - --$(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS) -- $(CCLD) $(LDFLAGS) -shared -o $(DEVOBJ)X11.so $(x11alt_) $(x11_) -L/usr/X11R6/lib -lXt -lSM -lICE -lXext -lX11 $(XLIBDIRS) -+$(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS) $(GS_XE) -+ $(CCLD) $(LDFLAGS) -shared -o $(DEVOBJ)X11.so $(x11alt_) $(x11_) -L/usr/X11R6/lib $(GS_XE) -lXt -lSM -lICE -lXext -lX11 $(XLIBDIRS) - - ###### --------------- Memory-buffered printer devices --------------- ###### - diff --git a/ghostscript-10.02.1.tar.xz b/ghostscript-10.04.0.tar.xz similarity index 84% rename from ghostscript-10.02.1.tar.xz rename to ghostscript-10.04.0.tar.xz index 54364a456a2a57d31e02d57719a54ce6edb02e3d..c3b4c540f5dc7568d9d05563649f4db3e884fc5d 100644 Binary files a/ghostscript-10.02.1.tar.xz and b/ghostscript-10.04.0.tar.xz differ diff --git a/ghostscript.spec b/ghostscript.spec index 37b6df7b6daa433ab7cc6c6e403b408240f1dd32..709fdf687bc67f6dafd32a99ac72760eeffa0461 100644 --- a/ghostscript.spec +++ b/ghostscript.spec 
@@ -1,87 +1,120 @@ -%define anolis_release 2 +%define anolis_release 1 %global _hardened_build 1 %global _docdir_fmt %{name} -%global jbig2dec_version 0.19 %global version_short %%(echo "%{version}" | tr -d '.') %global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback")) +# ============================================================================= Name: ghostscript Summary: Interpreter for PostScript language & PDF -Version: 10.02.1 +Version: 10.04.0 Release: %{anolis_release}%{?dist} -License: AGPLv3+ + +License: AGPL-3.0-or-later + URL: https://ghostscript.com/ -Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz - -BuildRequires: gcc gcc-c++ automake autoconf -BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel -BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel -BuildRequires: cups-devel dbus-devel fontconfig-devel freetype-devel -BuildRequires: jbig2dec-devel = %{jbig2dec_version} jbig2dec-libs = %{jbig2dec_version} -BuildRequires: lcms2-devel libidn2-devel libjpeg-turbo-devel libpng-devel -BuildRequires: libpaper-devel libtiff-devel openjpeg2-devel zlib-devel -BuildRequires: gtk3-devel libXt-devel make -Requires: libgs = %{version}-%{release} jbig2dec-libs = %{jbig2dec_version} +Source: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz + +Requires: libgs = %{version}-%{release} Requires: %{name}-tools-fonts = %{version}-%{release} Requires: %{name}-tools-printing = %{version}-%{release} Provides: ghostscript-core = %{version}-%{release} - Obsoletes: ghostscript-core < 9.53.3-6 +#Provides: ghostscript-x11 = %{version}-%{release} +#Obsoletes: ghostscript-x11 < 10.01.0-1 + +# Auxiliary build requirements: +BuildRequires: automake +BuildRequires: gcc +BuildRequires: git + +# Already packaged Resources -- needed to build package correctly: +BuildRequires: 
adobe-mappings-cmap-devel +BuildRequires: adobe-mappings-pdf-devel +BuildRequires: google-droid-sans-fonts +BuildRequires: urw-base35-fonts-devel + +# Already packaged software -- needed for debundling of Ghostscript: +BuildRequires: cups-devel +BuildRequires: dbus-devel +# we use fc-list in generating macros at the top of SPEC file +BuildRequires: fontconfig +BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +# jbig2dec has no valid soname at the moment, they check jbig2dec version at runtime +# so any jbig2dec rebase means basically a soname bump - ghostscript has to be rebuilt +# with it and released at the same time to prevent issues +# +# How does the check work: +# GS has jbig.h from jbig2dec-devel compiled in, which has the jbig2dec version +# as macro at the moment of gs build - if the jbig2dec is rebased, its shared library +# has the new version saved internally - when jbig2dec context is going to be initialized, +# the version from jbig.h in gs is compared with the version in the shared library, requiring +# the exact match. 
+BuildRequires: jbig2dec-devel +BuildRequires: lcms2-devel +BuildRequires: libidn2-devel +BuildRequires: libijs-devel +BuildRequires: libjpeg-turbo-devel +BuildRequires: libpng-devel +BuildRequires: libpaper-devel +BuildRequires: libtiff-devel +BuildRequires: openjpeg2-devel +BuildRequires: zlib-devel + +# Enabling the GUI possibilities of Ghostscript: +BuildRequires: gtk3-devel +BuildRequires: libXt-devel +BuildRequires: make + +# ============================================================================= + +Patch001: ps2epsi-permit-devices.patch -Patch0: ghostscript-10.01.0-fix-linkage.patch - -# CVE-2024-29510 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-29510 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f -Patch1: Bugfix-for-CVE-2024-29510.patch - -# CVE-2024-33870 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33870 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 -Patch2: Bugfix-for-CVE-2024-33870.patch - -# CVE-2024-33869 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33869 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 -Patch3: Bugfix-for-CVE-2024-33869.patch - -# CVE-2024-33871 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33871 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908 -Patch4: Bugfix-for-CVE-2024-33871.patch - %description -Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files. 
+This package provides useful conversion utilities based on Ghostscript software, +for converting PS, PDF and other document formats between each other. + +Ghostscript is a suite of software providing an interpreter for Adobe Systems' +PostScript (PS) and Portable Document Format (PDF) page description languages. +Its primary purpose includes displaying (rasterization & rendering) and printing +of document pages, as well as conversions between different document formats. -Ghostscript consists of a PostScript interpreter layer, and a graphics library. -The graphics library is shared with all the other products in the Ghostscript family, -so all of these technologies are sometimes referred to as Ghostscript, -rather than the more correct GhostPDL. +# === SUBPACKAGES ============================================================= +# Below requirements are resources, which are not detected by RPM automatically: %package -n libgs Summary: Library providing Ghostcript's core functionality -Requires: adobe-mappings-cmap adobe-mappings-cmap-deprecated adobe-mappings-pdf -Requires: google-droid-sans-fonts urw-base35-fonts -Provides: bundled(ijs) = 0.35 +Requires: adobe-mappings-cmap +Requires: adobe-mappings-cmap-deprecated +Requires: adobe-mappings-pdf +Requires: google-droid-sans-fonts +Requires: urw-base35-fonts %description -n libgs -This library provides Ghostscript's core functionality, based on Ghostscript's API, -which is useful for many packages that are build on top of Ghostscript. +This library provides Ghostscript's core functionality, based on Ghostscript's +API, which is useful for many packages that are build on top of Ghostscript. + +It also provides an X11-based driver for Ghostscript, which enables displaying +of various document files (including PS and PDF). 
+ +# --------------- %package -n libgs-devel Summary: Development files for Ghostscript's library Requires: libgs = %{version}-%{release} -Provides: %{name}-devel = %{version}-%{release} +Provides: %{name}-devel = %{version}-%{release} %description -n libgs-devel This package contains development files that are useful for building packages against Ghostscript's library, which provides Ghostscript's core functionality. +# --------------- + %package tools-dvipdf Summary: Ghostscript's 'dvipdf' utility Requires: %{name} = %{version}-%{release} @@ -91,6 +124,8 @@ Requires: %{_bindir}/dvips This package provides the utility 'dvipdf' for converting of TeX DVI files into PDF files using Ghostscript and dvips. +# --------------- + %package tools-fonts Summary: Ghostscript's font utilities Requires: %{name} = %{version}-%{release} @@ -99,15 +134,20 @@ Requires: %{name} = %{version}-%{release} This package provides utilities which are useful when you are working with AFM, PFB or PFA files, mostly for conversion purposes. +# --------------- + %package tools-printing Summary: Ghostscript's printing utilities Requires: %{name} = %{version}-%{release} %description tools-printing -This package provides utilities for formatting and printing text files -using either Ghostscript, or BubbleJet, DeskJet, DeskJet 500, and LaserJet printers. -It also provides the utility 'pphs', which is useful for printing of -Primary Hint Stream of a linearized PDF file. +This package provides utilities for formatting and printing text files using +either Ghostscript, or BubbleJet, DeskJet, DeskJet 500, and LaserJet printers. + +It also provides the utility 'pphs', which is useful for printing of Primary +Hint Stream of a linearized PDF file. + +# --------------- %package gtk Summary: Ghostscript's GTK-based document renderer 
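Review bot: Dropping `Patch1`–`Patch4` together with their tracker and upstream-commit comments leaves nothing in the spec that says CVE-2024-29510, CVE-2024-33869, CVE-2024-33870 and CVE-2024-33871 are still covered, and the new `%changelog` entry in the last spec hunk names only CVE-2024-46955 and CVE-2024-29508. The rebased tarball presumably carries those fixes, but that should be confirmed against the upstream commits linked in the removed comments and then recorded, for example with a changelog line such as `- drop Bugfix-for-CVE-2024-29510/33869/33870/33871 patches, fixed upstream in 10.04.0`. Separately, `BuildRequires: git` is added in this hunk while its only visible user, `#%%autosetup -N -S git`, is commented out, so the dependency looks unnecessary in the build root.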
@@ -117,6 +157,8 @@ Requires: libgs = %{version}-%{release} This package provides GTK-based utility 'gsx', which can be used for displaying of various document files (including PS and PDF). +# --------------- + %package x11 Summary: Ghostscript's X11-based driver for document rendering Requires: %{name} = %{version}-%{release} @@ -125,6 +167,8 @@ Requires: %{name} = %{version}-%{release} This package provides X11-based driver for Ghostscript, which enables displaying of various document files (including PS and PDF). +# --------------- + %package doc Summary: Documentation files for Ghostscript Requires: %{name} = %{version}-%{release} 
@@ -133,48 +177,115 @@ BuildArch: noarch %description doc This package provides detailed documentation files for Ghostscript software. +# === BUILD INSTRUCTIONS ====================================================== + +# Call the 'autosetup' macro to prepare the environment, but do not patch the +# source code yet -- we need to remove bundled software before the build first: %prep +#%%autosetup -N -S git %autosetup -p1 -for f in cups/libs freetype jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib -do - rm -rf $f -done +# Libraries that we already have packaged in Fedora (see Build Requirements): +rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib +# Add the remaining source code to the initial commit, patch the source code: +#git add --all --force . +#git commit --all --amend --no-edit > /dev/null +#%%autopatch -p1 +# --------------- %build -%configure --enable-dynamic --disable-hidden-visibility --disable-compile-inits \ - --without-versioned-path --with-ijs \ +# --enable-dynamic +# ... enables dynamically loaded drivers +# +# --disable-compile-inits +# ... disables compiling of init files (PS code, fonts, etc.) into resulting +# binaries, so they are loaded dynamically +# +# --without-versioned-path +# ... tells configure to not use version string in the resulting paths after +# 'make_install' macro - this is safe, because only one version of +# package can be installed at a given time on Fedora distribution, +# so we won't end up with conflicting folders when doing rebase +# +# --with-fonthpath +# ... searches for necessary fonts in these column-separated directories, +# not just default ones +# +# --without-x +# ... 
builds gs library without X functionality (previously provided by ghostscript-x11) +# +# NOTE: In RHEL we need to keep the /usr/share/ghostscript/conf.d/ folder +# for China's GB18030 official certification: + +%configure --without-x --disable-compile-inits --without-versioned-path \ --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/" -%make_build so +#%configure --disable-compile-inits --without-versioned-path \ +# --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}" +%make_build so %{?flatpak:XCFLAGS=-I%{_includedir} XTRALIBS=-L%{_libdir}} +# --------------- %install +# Using the 'make_install' macro with 'soinstall' target would result in some +# files being installed unnecessary, so we are using traditional way: make DESTDIR=%{buildroot} soinstall + +# Remove files that we do not want ship / support: +# ------------------------------------------------ +# LPR-related scripts: rm -f %{buildroot}%{_bindir}/{lprsetup.sh,unix-lpr.sh} + +# Rename the dynamic binary to be used by default as 'gs' binary. 
mv -f %{buildroot}%{_bindir}/{gsc,gs} + +# Remove useless files from doc/ directory and doc/ symlink: rm -f %{buildroot}%{_docdir}/%{name}/{AUTHORS,COPYING,*.tex,*.hlp,*.txt} rm -f %{buildroot}%{_datadir}/%{name}/doc +# --------------- + +# Move html documentation into html/ subdir: install -m 0755 -d %{buildroot}%{_docdir}/%{name}/html mv -f %{buildroot}%{_docdir}/%{name}/{*.htm*,html} +# --------------- + +# Create 'ghostscript' symlink for its binary: ln -s %{_bindir}/gs %{buildroot}%{_bindir}/ghostscript + +# Create a man page symlink for 'ghostscript': ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1 -ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf \ - %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf + +# --------------- + +# According to upstream, using fontconfig for fonts lookup is quite a slow +# process for Ghostscript startup, and they advise using the symlinks where +# possible. The fontconfig (Ghostscript's search path) should be used preferably +# as a fallback only. +ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font} done +# Using the system-wide available CMap files from Adobe via Ghostscript's search +# path is not safe (nor was ever intended to be supported) way of doing so +# according to upstream. Their preferred solution is to just create symlink for +# each of the CMap files in Ghostscript's Resources/CMap folder. 
for file in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/CMap/*); do find %{adobe_mappings_rootpath} -type f -name ${file} -exec ln -fs {} %{buildroot}%{_datadir}/%{name}/Resource/CMap/${file} \; done +# Create the configuration folder fo RHEL: install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ -%generate_compatibility_deps +# === INSTALLATION INSTRUCTIONS =============================================== + +%ldconfig_scriptlets -n libgs +# === PACKAGING INSTRUCTIONS ================================================== + +%generate_compatibility_deps %files -n libgs %license LICENSE doc/COPYING @@ -184,11 +295,13 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{abidir}/*.dump %{_datadir}/%{name}/ +# --------------- %files -n libgs-devel %{_libdir}/libgs.so %{_includedir}/%{name}/ +# --------------- %files %{_bindir}/gs @@ -200,26 +313,30 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/pdf2* %{_bindir}/ps2* %{abidir}/ps2*-option.list -%{_mandir}/man1/gs.1* -%{_mandir}/man1/gsnd* -%{_mandir}/man1/ghostscript* +%{_mandir}/man1/gs.1.* +%{_mandir}/man1/gsnd.1.* +%{_mandir}/man1/ghostscript.1.* %{_mandir}/man1/eps2* %{_mandir}/man1/pdf2* %{_mandir}/man1/ps2* +# --------------- %files tools-dvipdf %{_bindir}/dvipdf -%{_mandir}/man1/dvipdf* +%{_mandir}/man1/dvipdf.1.* + +# --------------- %files tools-fonts %{_bindir}/pf2afm %{_bindir}/pfbtopfa %{_bindir}/printafm -%{_mandir}/man1/pf2afm* -%{_mandir}/man1/pfbtopfa* -%{_mandir}/man1/printafm* +%{_mandir}/man1/pf2afm.1.* +%{_mandir}/man1/pfbtopfa.1.* +%{_mandir}/man1/printafm.1.* +# --------------- %files tools-printing %{_bindir}/gsbj 
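Review bot: The disabled alternative `#%configure --disable-compile-inits --without-versioned-path \` in `%build` uses a single `%`, and rpm still expands macros on comment lines; because `%configure` expands to several lines, everything after the first expanded line is likely to run as a second configure pass without `--without-x`. The other disabled lines in this hunk already escape the macro (`#%%autosetup`, `#%%autopatch`), so this one should read `#%%configure --disable-compile-inits --without-versioned-path \` or be deleted. The `%prep` comment also says the source is not patched until the bundled libraries are removed, but the active line is `%autosetup -p1`, which applies patches first; the comment should describe what the spec actually does.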
@@ -228,26 +345,37 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/gslj %{_bindir}/gslp %{_bindir}/pphs -%{_mandir}/man1/gsbj* -%{_mandir}/man1/gsdj* -%{_mandir}/man1/gslj* -%{_mandir}/man1/gslp* +%{_mandir}/man1/gsbj.1.* +%{_mandir}/man1/gsdj.1.* +%{_mandir}/man1/gsdj500.1.* +%{_mandir}/man1/gslj.1.* +%{_mandir}/man1/gslp.1.* +# --------------- %files gtk %{_bindir}/gsx %{abidir}/gsx-option.list +# --------------- %files x11 -%{_libdir}/%{name}/ +#%%{_libdir}/%{name}/ +# --------------- %files doc %doc %{_docdir}/%{name}/ +# ============================================================================= %changelog +* Thu Sep 19 2024 Zdenek Dohnal - 10.04.0-1 +- to #IAR5N0 , #IBGXKA +- update to 10.04.0 for CVE-2024-46955 CVE-2024-29508 +- Project: TC2024080204 +- Signed-off-by: mgb01105731 mgb01105731@alibaba-inc.com + * Tue Jul 09 2024 lidongyue 10.02.1-2 - Fix CVE-2024-29510 CVE-2024-33870 CVE-2024-33869 CVE-2024-33871 diff --git a/ps2epsi-permit-devices.patch b/ps2epsi-permit-devices.patch new file mode 100644 index 0000000000000000000000000000000000000000..7bccbe5f07065f97da69081ce1799934a0003e31 --- /dev/null +++ b/ps2epsi-permit-devices.patch @@ -0,0 +1,12 @@ +diff --git a/lib/ps2epsi b/lib/ps2epsi +index dbfc9fb..0db8959 100755 +--- a/lib/ps2epsi ++++ b/lib/ps2epsi +@@ -42,6 +42,6 @@ fi + + # Note, we expect 'ps2epsi.ps' to be on one of the search paths which can be seen by: gs -h + "$GS_EXECUTABLE" -q -dNOOUTERSAVE -dNODISPLAY -dLastPage=1 -sOutputFile="${outfile}" \ +- --permit-file-all="${infile}" -- ps2epsi.ps "${infile}" 1>&2 ++ --permit-file-all="${infile}" --permit-devices="eps2write:bit" -- ps2epsi.ps "${infile}" 1>&2 + + exit 0
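Review bot: `%files x11` is left with only the commented-out `#%%{_libdir}/%{name}/`, so an empty `ghostscript-x11` subpackage is still produced while `%build` now passes `--without-x`. The libgs `%description` added in the first spec hunk also still says the library "provides an X11-based driver", which no longer matches the build. Either drop the `x11` subpackage and enable the commented `Provides`/`Obsoletes: ghostscript-x11` lines so upgrades stay clean, or add a comment such as `# x11 subpackage intentionally empty: built with --without-x` and correct the description.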
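Review bot: The new `ps2epsi-permit-devices.patch` arrives without a header, and `Patch001:` in the spec has no comment, so nothing explains why `--permit-devices="eps2write:bit"` is needed or whether the change comes from upstream. Because the option widens the set of devices the script allows while it processes the input file, the reason for each of the two devices is worth recording next to the patch. A comment above `Patch001:` would do, for example `# ps2epsi: permit only the eps2write and bit devices; origin: <upstream bug or commit>`.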