May 2017 - openSUSE Commits - openSUSE Mailing Lists

commit vala-panel-extras for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package vala-panel-extras for openSUSE:Factory checked in at 2017-05-03 15:54:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vala-panel-extras (Old) and /work/SRC/openSUSE:Factory/.vala-panel-extras.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vala-panel-extras" Wed May 3 15:54:02 2017 rev:5 rq:487953 version:0.1.5 Changes: -------- --- /work/SRC/openSUSE:Factory/vala-panel-extras/vala-panel-extras.changes 2017-04-11 09:39:48.914409083 +0200 +++ /work/SRC/openSUSE:Factory/.vala-panel-extras.new/vala-panel-extras.changes 2017-05-03 15:54:02.662871937 +0200 @@ -1,0 +2,9 @@ +Wed Apr 5 14:54:33 UTC 2017 - sor.alexei(a)meowr.ru + +- Update to version 0.1.5: + * No changelog available. +- Remove the glib-2.0.vapi hack. +- Remove vala-panel-extras-fix-gquarks.patch, + vala-panel-extras-fix-xkb-build.patch: fixed upstream. + +------------------------------------------------------------------- Old: ---- vala-panel-extras-0.1.4.tar.gz vala-panel-extras-fix-gquarks.patch vala-panel-extras-fix-xkb-build.patch New: ---- vala-panel-extras-0.1.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vala-panel-extras.spec ++++++ --- /var/tmp/diff_new_pack.BgLFuA/_old 2017-05-03 15:54:03.530749414 +0200 +++ /var/tmp/diff_new_pack.BgLFuA/_new 2017-05-03 15:54:03.530749414 +0200 @@ -17,26 +17,22 @@ Name: vala-panel-extras -Version: 0.1.4 +Version: 0.1.5 Release: 0 Summary: Vala Panel Extras are applets for StatusNotifierItem License: LGPL-3.0+ Group: System/GUI/Other Url: https://github.com/rilian-la-te/vala-panel-extras Source: https://github.com/rilian-la-te/%{name}/releases/download/%{version}/%{name… -# PATCH-FIX-OPENSUSE vala-panel-extras-fix-xkb-build.patch sor.alexei(a)meowr.ru -- Fix XKB module build in some conditions. -Patch0: %{name}-fix-xkb-build.patch -# PATCH-FIX-OPENSUSE vala-panel-extras-fix-gquarks.patch sor.alexei(a)meowr.ru -- Fix build by using int instead of GQuark. -Patch1: %{name}-fix-gquarks.patch # PATCH-FIX-UPSTREAM vala-panel-extras-0.1.4-vala-0.36.patch -- Fix build with Vala 0.36 and newer. -Patch2: vala-panel-extras-0.1.4-vala-0.36.patch +Patch0: vala-panel-extras-0.1.4-vala-0.36.patch BuildRequires: cmake >= 2.8 BuildRequires: gettext BuildRequires: pkgconfig BuildRequires: vala >= 0.24 BuildRequires: pkgconfig(alsa) BuildRequires: pkgconfig(gdk-x11-3.0) -BuildRequires: pkgconfig(gtk+-3.0) >= 3.12 +BuildRequires: pkgconfig(gtk+-3.0) >= 3.16 BuildRequires: pkgconfig(gweather-3.0) BuildRequires: pkgconfig(libgtop-2.0) BuildRequires: pkgconfig(x11-xcb) @@ -124,12 +120,6 @@ %prep %setup -q %patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%if 0%{?suse_version} != 1320 -# Use upstream glib-2.0.vapi. -rm vapi/glib-2.0.vapi -%endif %build %cmake \ @@ -175,35 +165,35 @@ %files battery %defattr(-,root,root) -%doc README.md debian/copyright +%doc README.md %{_bindir}/%{name}-battery %{_datadir}/glib-2.0/schemas/org.valapanel.battery.gschema.xml %{_datadir}/applications/org.valapanel.battery.desktop %files gtop %defattr(-,root,root) -%doc README.md debian/copyright +%doc README.md %{_bindir}/%{name}-gtop %{_datadir}/glib-2.0/schemas/org.valapanel.gtop.gschema.xml %{_datadir}/applications/org.valapanel.gtop.desktop %files volume %defattr(-,root,root) -%doc README.md debian/copyright +%doc README.md %{_bindir}/%{name}-volume %{_datadir}/glib-2.0/schemas/org.valapanel.volume.gschema.xml %{_datadir}/applications/org.valapanel.volume.desktop %files weather %defattr(-,root,root) -%doc README.md debian/copyright +%doc README.md %{_bindir}/%{name}-weather %{_datadir}/glib-2.0/schemas/org.valapanel.weather.gschema.xml %{_datadir}/applications/org.valapanel.weather.desktop %files xkb %defattr(-,root,root) -%doc README.md debian/copyright +%doc README.md %{_bindir}/%{name}-xkb %{_datadir}/glib-2.0/schemas/org.valapanel.xkb.gschema.xml %{_datadir}/applications/org.valapanel.xkb.desktop ++++++ vala-panel-extras-0.1.4.tar.gz -> vala-panel-extras-0.1.5.tar.gz ++++++ ++++ 6556 lines of diff (skipped)

1 0

commit vala-panel for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package vala-panel for openSUSE:Factory checked in at 2017-05-03 15:53:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vala-panel (Old) and /work/SRC/openSUSE:Factory/.vala-panel.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vala-panel" Wed May 3 15:53:57 2017 rev:5 rq:487952 version:0.3.8 Changes: -------- --- /work/SRC/openSUSE:Factory/vala-panel/vala-panel.changes 2017-04-11 09:39:44.814988180 +0200 +++ /work/SRC/openSUSE:Factory/.vala-panel.new/vala-panel.changes 2017-05-03 15:54:01.135087622 +0200 @@ -1,0 +2,9 @@ +Wed Apr 5 14:54:33 UTC 2017 - sor.alexei(a)meowr.ru + +- Update to version 0.3.8: + * No changelog available. +- Remove vala-panel-0.3.6-vala-0.36.patch: fixed upstream. +- Add vala-panel-lower-reqs.patch: lower requirements for + openSUSE Leap 42.x. + +------------------------------------------------------------------- Old: ---- vala-panel-0.3.6-vala-0.36.patch vala-panel-0.3.6.tar.gz New: ---- vala-panel-0.3.8.tar.gz vala-panel-lower-reqs.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vala-panel.spec ++++++ --- /var/tmp/diff_new_pack.kZ614y/_old 2017-05-03 15:54:01.846987120 +0200 +++ /var/tmp/diff_new_pack.kZ614y/_new 2017-05-03 15:54:01.846987120 +0200 @@ -17,21 +17,21 @@ Name: vala-panel -Version: 0.3.6 +Version: 0.3.8 Release: 0 Summary: A Gtk3 desktop panel based on Vala License: GPL-3.0+ Group: System/GUI/Other Url: https://github.com/rilian-la-te/vala-panel Source: https://github.com/rilian-la-te/%{name}/releases/download/%{version}/%{name… -# PATCH-FIX-UPSTREAM vala-panel-0.3.6-vala-0.36.patch -- Fix build with Vala 0.36 and newer (commits 01bb0cd, 466bc4b). -Patch0: vala-panel-0.3.6-vala-0.36.patch +# PATCH-FIX-OPENSUSE vala-panel-lower-reqs.patch sor.alexei(a)meowr.ru -- Lower requirements for openSUSE Leap 42.x. +Patch0: vala-panel-lower-reqs.patch BuildRequires: cmake >= 2.8 BuildRequires: fdupes BuildRequires: gettext BuildRequires: pkgconfig -BuildRequires: vala >= 0.24 -BuildRequires: pkgconfig(gtk+-3.0) >= 3.16.0 +BuildRequires: vala >= 0.32 +BuildRequires: pkgconfig(gtk+-3.0) >= 3.20.0 BuildRequires: pkgconfig(libpeas-1.0) >= 1.2.0 BuildRequires: pkgconfig(libwnck-3.0) >= 3.4.0 Recommends: %{name}-lang @@ -56,9 +56,9 @@ Summary: Development files for vala-panel Group: Development/Libraries/Other Requires: %{name} = %{version} -Requires: pkgconfig(gtk+-3.0) >= 3.16.0 -Requires: pkgconfig(libpeas-1.0) >= 1.2.0 -Requires: pkgconfig(libwnck-3.0) >= 3.4.0 +Requires: pkgconfig(gtk+-3.0) +Requires: pkgconfig(libpeas-1.0) +Requires: pkgconfig(libwnck-3.0) %description devel Vala Panel is a desktop panel written in Vala and Gtk3. @@ -86,8 +86,12 @@ %patch0 -p1 %build +%if 0%{?suse_version} <= 1320 +export CFLAGS="%{optflags} -std=gnu99" +%endif %cmake \ -DCMAKE_INSTALL_SYSCONFDIR=%{_sysconfdir} \ + -DCMAKE_SHARED_LINKER_FLAGS="" \ -DGSETTINGS_COMPILE=OFF make %{?_smp_mflags} V=1 @@ -122,14 +126,15 @@ %defattr(-,root,root) %doc LICENSE README.md %config %{_sysconfdir}/xdg/vala-panel/ -%{_mandir}/man?/vala-panel.?%{?ext_man} -%{_bindir}/vala-panel +%{_bindir}/vala-panel* %{_datadir}/glib-2.0/schemas/org.valapanel.gschema.xml %{_libdir}/libvalapanel.so.* +%{_libdir}/vala-panel/*.so.* %{_datadir}/vala/ %{_datadir}/vala-panel/ %{_datadir}/glib-2.0/schemas/org.valapanel.toplevel.gschema.xml %{_datadir}/icons/hicolor/*/apps/vala-panel.* +%{_mandir}/man?/vala-panel.?%{?ext_man} %files lang -f %{name}.lang %defattr(-,root,root) @@ -137,6 +142,7 @@ %files devel %defattr(-,root,root) %{_libdir}/libvalapanel.so +%{_libdir}/vala-panel/*.so %{_includedir}/vala-panel/ %{_libdir}/pkgconfig/vala-panel.pc @@ -172,11 +178,13 @@ %{_libdir}/vala-panel/applets/libwincmd.so %{_libdir}/vala-panel/applets/libpager.so %{_libdir}/vala-panel/applets/libbuttons.so +%{_libdir}/vala-panel/applets/libicontasks.so %{_libdir}/vala-panel/applets/xembed.plugin %{_libdir}/vala-panel/applets/deskno.plugin %{_libdir}/vala-panel/applets/tasklist.plugin %{_libdir}/vala-panel/applets/wincmd.plugin %{_libdir}/vala-panel/applets/pager.plugin %{_libdir}/vala-panel/applets/buttons.plugin +%{_libdir}/vala-panel/applets/icontasks.plugin %changelog ++++++ vala-panel-0.3.6.tar.gz -> vala-panel-0.3.8.tar.gz ++++++ ++++ 16329 lines of diff (skipped) ++++++ vala-panel-lower-reqs.patch ++++++ --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -82,7 +82,7 @@ add_definitions(-DGETTEXT_PACKAGE=\"${GE # Vala find_package (Vala REQUIRED) include (ValaVersion) -ensure_vala_version ("0.34" MINIMUM) +ensure_vala_version ("0.32" MINIMUM) include (ValaPrecompile) add_definitions(-DVALA_VERSION="${VALA_SHORTVER}") @@ -96,13 +96,13 @@ add_definitions(-Wall -Wno-unused # Vala find_package (PkgConfig) pkg_check_modules (A - gtk+-3.0>=3.22) + gtk+-3.0>=3.20) pkg_check_modules (B - glib-2.0>=2.50) + glib-2.0>=2.48) pkg_check_modules (C - gio-2.0>=2.50 + gio-2.0>=2.48 ) pkg_check_modules (GLIB_OLD QUIET @@ -110,10 +110,10 @@ pkg_check_modules (GLIB_OLD QUIET ) pkg_check_modules (D - gio-unix-2.0>=2.50) + gio-unix-2.0>=2.48) pkg_check_modules (E - gthread-2.0>=2.50) + gthread-2.0>=2.48) pkg_check_modules (F libpeas-1.0>=1.2) @@ -122,17 +122,17 @@ pkg_check_modules (G libpeas-gtk-1.0>=1.2) pkg_check_modules (H - gmodule-2.0>=2.50) + gmodule-2.0>=2.48) pkg_check_modules (CORE REQUIRED QUIET - gtk+-3.0>=3.22 - glib-2.0>=2.50 - gio-2.0>=2.50 - gio-unix-2.0>=2.50 - gthread-2.0>=2.50 + gtk+-3.0>=3.20 + glib-2.0>=2.48 + gio-2.0>=2.48 + gio-unix-2.0>=2.48 + gthread-2.0>=2.48 libpeas-1.0>=1.2 libpeas-gtk-1.0>=1.2 - gmodule-2.0>=2.50) + gmodule-2.0>=2.48) set(CORE_PACKAGES gtk+-3.0

1 0

commit ghostscript for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2017-05-03 15:53:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ghostscript" Wed May 3 15:53:38 2017 rev:27 rq:492485 version:9.21 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2017-02-04 17:57:08.913012190 +0100 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-mini.changes 2017-05-03 15:53:53.168212350 +0200 @@ -1,0 +2,96 @@ +Tue May 2 14:27:22 CEST 2017 - jsmeix(a)suse.de + +- CVE-2017-8291.patch fixes + a type confusion in .rsdparams and .eqproc + see https://bugs.ghostscript.com/show_bug.cgi?id=697808 + and https://bugs.ghostscript.com/show_bug.cgi?id=697799 + (bsc#1036453). + +------------------------------------------------------------------- +Wed Apr 12 11:12:27 CEST 2017 - jsmeix(a)suse.de + +- CVE-2016-10317 (bsc#1032230) + heap buffer overflow in fill_threshhold_buffer() + is not yet fixed because there is no fix available at + https://bugs.ghostscript.com/show_bug.cgi?id=697459 +- CVE-2016-10219 (bsc#1032138) + divide by zero in intersect() + https://bugs.ghostscript.com/show_bug.cgi?id=697453 + is fixed in the version 9.21 upstream sources +- CVE-2016-10218 (bsc#1032135) + null pointer dereference in pdf14_pop_transparency_group() + https://bugs.ghostscript.com/show_bug.cgi?id=697444 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10217 (bsc#1032130) + use-after-free in pdf14_cleanup_parent_color_profiles() + that is related to pdf14_open() in base/gdevp14.c + https://bugs.ghostscript.com/show_bug.cgi?id=697456 + is fixed in the version 9.21 upstream sources. +- CVE-2016-10220 (bsc#1032120) + null pointer dereference in gx_device_finalize() that is + related to gs_makewordimagedevice() in base/gsdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697450 + is fixed in the version 9.21 upstream sources. +- CVE-2017-5951.patch fixes + null pointer dereference in ref_stack_index() that is + related to mem_get_bits_rectangle() in base/gdevmem.c + https://bugs.ghostscript.com/show_bug.cgi?id=697548 + (bsc#1032114) + +------------------------------------------------------------------- +Mon Apr 10 14:06:09 CEST 2017 - jsmeix(a)suse.de + +- Version upgrade to 9.21. + For details see the News.htm and History9.htm files. + Highlights in this release include: + * pdfwrite now preserves annotations from + input PDFs (where possible). + * The GhostXPS interpreter now provides the pdfwrite device + with the data it requires to emit a ToUnicode CMap: thus + allowing fully searchable PDFs to be created from XPS + input (in the vast majority of cases). + * Ghostscript now allows the default color space + for PDF transparency blends. + * The Ghostscript/GhostPDL configure script now has much + better/fuller support for cross compiling. + * The tiffscaled and tiffscaled4 devices can now + use ETS (Even Tone Screening) + * The toolbin/pdf_info.ps utility can now emit + the PDF XML metadata. + * Ghostscript has a new scan converter available + (currently optional, but will become the default in a near + future release). It can be enabled by using the command line + option: '-dSCANCONVERTERTYPE=2'. This new implementation + provides vastly improved performance with large and complex + paths. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + Incompatible changes: + * The planned device API tidy (still!) did not happen for + this release, due to time pressures, but we still intend + to undertake the following: We plan to somewhat tidy up + the device API. We intend to remove deprecated device + procs (methods/function pointers) and change the device API + so every device proc takes a graphics state parameter + (rather than the current scheme where only a very few procs + take an imager state parameter). This should serve as notice + to anyone maintaining a Ghostscript device outside the + canonical source tree that you may (probably will) need to + update your device(s) when these changes happen. Devices using + only the non-deprecated procs should be trivial to update. +- CVE-2016-7976.patch and CVE-2016-7977.patch and + CVE-2016-7978.patch and CVE-2016-7979.patch and + CVE-2016-8602.patch are no longer needed because + those issues are fixed in the upstream sources. +- 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch + and + 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch + are no longer needed because both are included + in the upstream sources, see the upstream issue + https://bugs.ghostscript.com/show_bug.cgi?id=697484 +- Again use the zlib sources from Ghostscript upstream + and disable remove-zlib-h-dependency.patch because + Ghostscript 9.21 does no longer build this way, + cf. the entry below dated "Wed Nov 18 11:46:58 UTC 2015" + +------------------------------------------------------------------- ghostscript.changes: same change Old: ---- 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch CVE-2016-7976.patch CVE-2016-7977.patch CVE-2016-7978.patch CVE-2016-7979.patch CVE-2016-8602.patch ghostscript-9.20.tar.gz New: ---- CVE-2017-5951.patch CVE-2017-8291.patch ghostscript-9.21.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.V62YRs/_old 2017-05-03 15:53:55.371901243 +0200 +++ /var/tmp/diff_new_pack.V62YRs/_new 2017-05-03 15:53:55.371901243 +0200 @@ -38,7 +38,7 @@ # so that we keep additionally the previous version number to upgrade from the previous version: #Version: 9.19pre20rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.20 +Version: 9.21 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". @@ -49,7 +49,7 @@ # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#%define built_version 9.20 +#define built_version 9.20 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… @@ -57,37 +57,13 @@ # wget -O ghostscript-9.20rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… # How to download it: -# wget -O ghostscript-9.20.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… -# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… -# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe +# wget -O ghostscript-9.21.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# MD5 checksum for Source0: 5f213281761d2750fcf27476c404d17f Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch1: CVE-2016-7976.patch -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch2: CVE-2016-7977.patch -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch3: CVE-2016-7978.patch -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch4: CVE-2016-7979.patch -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -96,16 +72,22 @@ # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 Patch11: ppc64le-support.patch -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -Patch12: 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch -# Patch13 sorts the ROM contents by name for deterministic contents -Patch13: 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +Patch101: CVE-2017-5951.patch +# Patch102 CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc +# see https://bugs.ghostscript.com/show_bug.cgi?id=697808 +# and https://bugs.ghostscript.com/show_bug.cgi?id=697799 +# and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 +Patch102: CVE-2017-8291.patch # RPM dependencies: Conflicts: ghostscript Conflicts: ghostscript-x11 @@ -174,50 +156,33 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch1 -p1 -b CVE-2016-7976.orig -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch2 -p1 -b CVE-2016-7977.orig -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch3 -p1 -b CVE-2016-7978.orig -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch4 -p1 -b CVE-2016-7979.orig -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 -%patch11 -p1 -b ppc64le-support.orig -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -%patch12 -p1 -b mkromfs-buildtime.orig -# Patch13 sorts the ROM contents by name for deterministic contents -%patch13 -p1 -b mkromfs-sort-contents.orig +%patch11 -p1 -b .ppc64le-support.orig # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: -%patch100 -p1 -b remove-zlib-h-dependency.orig +#patch100 -p1 -b remove-zlib-h-dependency.orig # Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball # because we prefer to use for long-established standard libraries the ones from SUSE # in particular to automatically get SUSE security updates for standard libraries. # In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one # is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE: -rm -rf freetype jpeg libpng tiff zlib +#rm -rf freetype jpeg libpng tiff zlib +rm -rf freetype jpeg libpng tiff +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +%patch101 -b .CVE-2017-5951.orig +# Patch102 CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc +# see https://bugs.ghostscript.com/show_bug.cgi?id=697808 +# and https://bugs.ghostscript.com/show_bug.cgi?id=697799 +# and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 +%patch102 -p1 -b .CVE-2017-8291.orig %build # Derive build timestamp from latest changelog entry ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.V62YRs/_old 2017-05-03 15:53:55.399897291 +0200 +++ /var/tmp/diff_new_pack.V62YRs/_new 2017-05-03 15:53:55.399897291 +0200 @@ -58,7 +58,7 @@ # so that we keep additionally the previous version number to upgrade from the previous version: #Version: 9.19pre20rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.20 +Version: 9.21 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". @@ -69,7 +69,7 @@ # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#%define built_version 9.20 +#define built_version 9.20 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… @@ -77,37 +77,13 @@ # wget -O ghostscript-9.20rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… # How to download it: -# wget -O ghostscript-9.20.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… -# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… -# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe +# wget -O ghostscript-9.21.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# URL for MD5 checksums: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9… +# MD5 checksum for Source0: 5f213281761d2750fcf27476c404d17f Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch1: CVE-2016-7976.patch -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch2: CVE-2016-7977.patch -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch3: CVE-2016-7978.patch -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -Patch4: CVE-2016-7979.patch -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -116,16 +92,22 @@ # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 Patch11: ppc64le-support.patch -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -Patch12: 0001-mkromfs-make-build-reproducible-use-buildtime-from-S.patch -# Patch13 sorts the ROM contents by name for deterministic contents -Patch13: 0002-mkromfs-sort-gp_enumerate_files-output-for-determini.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +Patch101: CVE-2017-5951.patch +# Patch102 CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc +# see https://bugs.ghostscript.com/show_bug.cgi?id=697808 +# and https://bugs.ghostscript.com/show_bug.cgi?id=697799 +# and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 +Patch102: CVE-2017-8291.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -310,50 +292,33 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Patch1 CVE-2016-7976.patch fixes that -# various userparams allow %pipe% in paths, allowing remote shell command execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch1 -p1 -b CVE-2016-7976.orig -# Patch2 CVE-2016-7977.patch fixes that -# .libfile doesn't check PermitFileReading array, allowing remote file disclosure -# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch2 -p1 -b CVE-2016-7977.orig -# Patch3 CVE-2016-7978.patch fixes that -# reference leak in .setdevice allows use-after-free and remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch3 -p1 -b CVE-2016-7978.orig -# Patch4 CVE-2016-7979.patch fixes that -# type confusion in .initialize_dsc_parser allows remote code execution -# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 -# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 -%patch4 -p1 -b CVE-2016-7979.orig -# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 -# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 -# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 -%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed # see http://bugs.ghostscript.com/show_bug.cgi?id=695544 -%patch11 -p1 -b ppc64le-support.orig -# Patch12 adds a reproducible timestamp to the mkromfs output, using the -# SOURCE_DATE_EPOCH environment variable -%patch12 -p1 -b mkromfs-buildtime.orig -# Patch13 sorts the ROM contents by name for deterministic contents -%patch13 -p1 -b mkromfs-sort-contents.orig +%patch11 -p1 -b .ppc64le-support.orig # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: -%patch100 -p1 -b remove-zlib-h-dependency.orig +#patch100 -p1 -b remove-zlib-h-dependency.orig # Do not use the freetype jpeg libpng tiff zlib sources from the Ghostscript upstream tarball # because we prefer to use for long-established standard libraries the ones from SUSE # in particular to automatically get SUSE security updates for standard libraries. # In contrast we use e.g. lcms2 from the Ghostscript upstream tarball because this one # is specially modified to work with Ghostscript so that we cannot use lcms2 from SUSE: -rm -rf freetype jpeg libpng tiff zlib +#rm -rf freetype jpeg libpng tiff zlib +rm -rf freetype jpeg libpng tiff +# Patch101 CVE-2017-5951.patch fixes +# null pointer dereference in ref_stack_index() that is +# related to mem_get_bits_rectangle() in base/gdevmem.c +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 +# (bsc#1032114) +%patch101 -b .CVE-2017-5951.orig +# Patch102 CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc +# see https://bugs.ghostscript.com/show_bug.cgi?id=697808 +# and https://bugs.ghostscript.com/show_bug.cgi?id=697799 +# and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 +%patch102 -p1 -b .CVE-2017-8291.orig %build # Derive build timestamp from latest changelog entry ++++++ CVE-2016-7976.patch -> CVE-2017-5951.patch ++++++ --- /work/SRC/openSUSE:Factory/ghostscript/CVE-2016-7976.patch 2016-10-22 13:01:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/CVE-2017-5951.patch 2017-05-03 15:53:51.368466430 +0200 @@ -1,171 +1,19 @@ -From: Chris Liddell <chris.liddell(a)artifex.com> -Date: Wed, 5 Oct 2016 08:55:55 +0000 (+0100) -Subject: Bug 697178: Add a file permissions callback -X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_pla… - -Bug 697178: Add a file permissions callback - -For the rare occasions when the graphics library directly opens a file -(currently for reading), this allows us to apply any restrictions on -file access normally applied in the interpteter. ---- - -diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c -index 931c2a6..e9c09c3 100644 ---- a/base/gsicc_manage.c -+++ b/base/gsicc_manage.c -@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc, - } - - /* First just try it like it is */ -- str = sfopen(pname, "r", mem_gc); -- if (str != NULL) { -- *strp = str; -- return 0; -+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { -+ str = sfopen(pname, "r", mem_gc); -+ if (str != NULL) { -+ *strp = str; -+ return 0; -+ } - } - - /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ -diff --git a/base/gslibctx.c b/base/gslibctx.c -index eaa0458..37ce1ca 100644 ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -189,7 +189,7 @@ Failure: - mem->gs_lib_ctx = NULL; - return -1; - } -- -+ pio->client_check_file_permission = NULL; - gp_get_realtime(pio->real_time_0); - - /* Set scanconverter to 1 (default) */ -@@ -343,3 +343,13 @@ void errflush(const gs_memory_t *mem) - fflush(mem->gs_lib_ctx->fstderr); - /* else nothing to flush */ - } -+ -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ int code = 0; -+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) { -+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); -+ } -+ return code; -+} -diff --git a/base/gslibctx.h b/base/gslibctx.h -index 7a4e110..020e2d9 100644 ---- a/base/gslibctx.h -+++ b/base/gslibctx.h -@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server; - # define gs_font_dir_DEFINED - typedef struct gs_font_dir_s gs_font_dir; - #endif -+ -+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); -+ - typedef struct gs_lib_ctx_s - { - gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ -@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s - struct gx_io_device_s **io_device_table; - int io_device_table_count; - int io_device_table_size; -+ client_check_file_permission_t client_check_file_permission; - /* Define the default value of AccurateScreens that affects setscreen - and setcolorscreen. */ - bool screen_accurate_screens; -@@ -133,6 +137,9 @@ int - gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, - int *list_str_len); - -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); -+ - #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) - #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) - -diff --git a/psi/imain.c b/psi/imain.c -index 9a9bb5d..6874128 100644 ---- a/psi/imain.c -+++ b/psi/imain.c -@@ -57,6 +57,7 @@ - #include "ivmspace.h" - #include "idisp.h" /* for setting display device callback */ - #include "iplugin.h" -+#include "zfile.h" - - #ifdef PACIFY_VALGRIND - #include "valgrind.h" -@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) - "the_gs_name_table"); - if (code < 0) - return code; -+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; - } - code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ - if (code < 0) -diff --git a/psi/int.mak b/psi/int.mak -index 4654afc..bb30d51 100644 ---- a/psi/int.mak -+++ b/psi/int.mak -@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\ - $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ - $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ - $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ -- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ -+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ - $(INT_MAK) $(MAKEDIRS) - $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c - -diff --git a/psi/zfile.c b/psi/zfile.c -index 2c6c958..bc6c70f 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len, - return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); - } - -+/* z_check_file_permissions: see zfile.h for explanation -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; -+ gs_parsed_file_name_t pname; -+ char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; -+ int code = gs_parse_file_name(&pname, fname, len, imemory); -+ if (code < 0) -+ return code; -+ -+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) -+ return gs_error_invalidfileaccess; -+ -+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup); -+ return code; -+} -+ - /* <name_string> <access_string> file <file> */ - int /* exported for zsysvm.c */ - zfile(i_ctx_t *i_ctx_p) -diff --git a/psi/zfile.h b/psi/zfile.h -index fdf1373..a9399c7 100644 ---- a/psi/zfile.h -+++ b/psi/zfile.h -@@ -22,4 +22,11 @@ - int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, - const char *file_access, stream **ps, gs_memory_t *mem); - -+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) -+ * to allow applying the above permissions checks when opening file(s) from -+ * the graphics library -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, -+ const int len, const char *permission); - #endif +--- psi/iparam.c.orig 2017-03-16 11:12:02.000000000 +0100 ++++ psi/iparam.c 2017-04-12 11:42:57.000000000 +0200 +@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * pli + gs_param_enumerator_t enumr; + gs_param_key_t key; + ref_type keytype; ++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list; + + param_init_enumerator(&enumr); +- if (!(*((iparam_list *) plist)->enumerate) +- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype) ++ if (!(*(dlist->enumerate)) ++ ((iparam_list *) dlist, &enumr, &key, &keytype) + && keytype == t_integer) { +- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1; ++ dlist->int_keys = 1; + pvalue->type = gs_param_type_dict_int_keys; + } + } ++++++ CVE-2016-7976.patch -> CVE-2017-8291.patch ++++++ --- /work/SRC/openSUSE:Factory/ghostscript/CVE-2016-7976.patch 2016-10-22 13:01:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/CVE-2017-8291.patch 2017-05-03 15:53:51.440456267 +0200 @@ -1,171 +1,59 @@ -From: Chris Liddell <chris.liddell(a)artifex.com> -Date: Wed, 5 Oct 2016 08:55:55 +0000 (+0100) -Subject: Bug 697178: Add a file permissions callback -X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_pla… - -Bug 697178: Add a file permissions callback - -For the rare occasions when the graphics library directly opens a file -(currently for reading), this allows us to apply any restrictions on -file access normally applied in the interpteter. ---- - -diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c -index 931c2a6..e9c09c3 100644 ---- a/base/gsicc_manage.c -+++ b/base/gsicc_manage.c -@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc, - } - - /* First just try it like it is */ -- str = sfopen(pname, "r", mem_gc); -- if (str != NULL) { -- *strp = str; -- return 0; -+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { -+ str = sfopen(pname, "r", mem_gc); -+ if (str != NULL) { -+ *strp = str; -+ return 0; -+ } - } - - /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ -diff --git a/base/gslibctx.c b/base/gslibctx.c -index eaa0458..37ce1ca 100644 ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -189,7 +189,7 @@ Failure: - mem->gs_lib_ctx = NULL; - return -1; - } -- -+ pio->client_check_file_permission = NULL; - gp_get_realtime(pio->real_time_0); - - /* Set scanconverter to 1 (default) */ -@@ -343,3 +343,13 @@ void errflush(const gs_memory_t *mem) - fflush(mem->gs_lib_ctx->fstderr); - /* else nothing to flush */ - } -+ -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ int code = 0; -+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) { -+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); +--- ghostscript-9.21/psi/zmisc3.c.orig 2017-03-16 11:12:02.000000000 +0100 ++++ ghostscript-9.21/psi/zmisc3.c 2017-05-02 14:43:41.000000000 +0200 +@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; + ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ if (!r_is_array(op - 1) || !r_is_array(op)) { ++ return_error(gs_error_typecheck); + } -+ return code; -+} -diff --git a/base/gslibctx.h b/base/gslibctx.h -index 7a4e110..020e2d9 100644 ---- a/base/gslibctx.h -+++ b/base/gslibctx.h -@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server; - # define gs_font_dir_DEFINED - typedef struct gs_font_dir_s gs_font_dir; - #endif + -+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); -+ - typedef struct gs_lib_ctx_s - { - gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ -@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s - struct gx_io_device_s **io_device_table; - int io_device_table_count; - int io_device_table_size; -+ client_check_file_permission_t client_check_file_permission; - /* Define the default value of AccurateScreens that affects setscreen - and setcolorscreen. */ - bool screen_accurate_screens; -@@ -133,6 +137,9 @@ int - gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, - int *list_str_len); - -+int -+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); + make_array(&stack[0].proc1, 0, 1, op - 1); + make_array(&stack[0].proc2, 0, 1, op); + for (;;) { +--- ghostscript-9.21/psi/zfrsd.c.orig 2017-03-16 11:12:02.000000000 +0100 ++++ ghostscript-9.21/psi/zfrsd.c 2017-05-02 14:45:35.000000000 +0200 +@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) + ref *pFilter; + ref *pDecodeParms; + int Intent = 0; +- bool AsyncRead; ++ bool AsyncRead = false; + ref empty_array, filter1_array, parms1_array; + uint i; +- int code; ++ int code = 0; + - #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) - #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) - -diff --git a/psi/imain.c b/psi/imain.c -index 9a9bb5d..6874128 100644 ---- a/psi/imain.c -+++ b/psi/imain.c -@@ -57,6 +57,7 @@ - #include "ivmspace.h" - #include "idisp.h" /* for setting display device callback */ - #include "iplugin.h" -+#include "zfile.h" ++ if (ref_stack_count(&o_stack) < 1) ++ return_error(gs_error_stackunderflow); ++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { ++ return_error(gs_error_typecheck); ++ } - #ifdef PACIFY_VALGRIND - #include "valgrind.h" -@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) - "the_gs_name_table"); - if (code < 0) - return code; -+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; + make_empty_array(&empty_array, a_readonly); +- if (dict_find_string(op, "Filter", &pFilter) > 0) { ++ if (r_has_type(op, t_dictionary) ++ && dict_find_string(op, "Filter", &pFilter) > 0) { + if (!r_is_array(pFilter)) { + if (!r_has_type(pFilter, t_name)) + return_error(gs_error_typecheck); +@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) + return_error(gs_error_typecheck); } - code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ - if (code < 0) -diff --git a/psi/int.mak b/psi/int.mak -index 4654afc..bb30d51 100644 ---- a/psi/int.mak -+++ b/psi/int.mak -@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\ - $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ - $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ - $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ -- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ -+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ - $(INT_MAK) $(MAKEDIRS) - $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c - -diff --git a/psi/zfile.c b/psi/zfile.c -index 2c6c958..bc6c70f 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len, - return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); - } - -+/* z_check_file_permissions: see zfile.h for explanation -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) -+{ -+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; -+ gs_parsed_file_name_t pname; -+ char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; -+ int code = gs_parse_file_name(&pname, fname, len, imemory); -+ if (code < 0) -+ return code; -+ -+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) -+ return gs_error_invalidfileaccess; -+ -+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup); -+ return code; -+} -+ - /* <name_string> <access_string> file <file> */ - int /* exported for zsysvm.c */ - zfile(i_ctx_t *i_ctx_p) -diff --git a/psi/zfile.h b/psi/zfile.h -index fdf1373..a9399c7 100644 ---- a/psi/zfile.h -+++ b/psi/zfile.h -@@ -22,4 +22,11 @@ - int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, - const char *file_access, stream **ps, gs_memory_t *mem); - -+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) -+ * to allow applying the above permissions checks when opening file(s) from -+ * the graphics library -+ */ -+int -+z_check_file_permissions(gs_memory_t *mem, const char *fname, -+ const int len, const char *permission); - #endif + } +- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); ++ if (r_has_type(op, t_dictionary)) ++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */ + return code; +- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 +- ) +- return code; ++ if (r_has_type(op, t_dictionary)) ++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) ++ return code; + push(1); + op[-1] = *pFilter; + if (pDecodeParms) ++++++ ghostscript-9.20.tar.gz -> ghostscript-9.21.tar.gz ++++++ /work/SRC/openSUSE:Factory/ghostscript/ghostscript-9.20.tar.gz /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-9.21.tar.gz differ: char 5, line 1

1 0

commit MozillaThunderbird for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package MozillaThunderbird for openSUSE:Factory checked in at 2017-05-03 15:53:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/MozillaThunderbird (Old) and /work/SRC/openSUSE:Factory/.MozillaThunderbird.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "MozillaThunderbird" Wed May 3 15:53:31 2017 rev:177 rq:492468 version:52.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/MozillaThunderbird/MozillaThunderbird.changes 2017-03-13 15:30:46.409256223 +0100 +++ /work/SRC/openSUSE:Factory/.MozillaThunderbird.new/MozillaThunderbird.changes 2017-05-03 15:53:32.739096445 +0200 @@ -1,0 +2,134 @@ +Mon May 1 08:52:52 UTC 2017 - wr(a)rosenauer.org + +- update to Thunderbird 52.1.0 + * Background images not working and other issues related to + embedded images when composing email have been fixed + * Google Oauth setup can sometimes not progress to the next step + * requires NSS >= 3.28.4 +- security fixes (boo#1035082), MFSA 2017-13 + * CVE-2017-5443 (bmo#1342661) + Out-of-bounds write during BinHex decoding + * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, + bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) + Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and + Firefox ESR 52.1 + * CVE-2017-5464 (bmo#1347075) + Memory corruption with accessibility and DOM manipulation + * CVE-2017-5465 (bmo#1347617) + Out-of-bounds read in ConvolvePixel + * CVE-2017-5466 (bmo#1353975) + Origin confusion when reloading isolated data:text/html URL + * CVE-2017-5467 (bmo#1347262) + Memory corruption when drawing Skia content + * CVE-2017-5460 (bmo#1343642) + Use-after-free in frame selection + * CVE-2017-5461 (bmo#1344380) + Out-of-bounds write in Base64 encoding in NSS + * CVE-2017-5449 (bmo#1340127) + Crash during bidirectional unicode manipulation with animation + * CVE-2017-5446 (bmo#1343505) + Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data + * CVE-2017-5447 (bmo#1343552) + Out-of-bounds read during glyph processing + * CVE-2017-5444 (bmo#1344461) + Buffer overflow while parsing application/http-index-format content + * CVE-2017-5445 (bmo#1344467) + Uninitialized values used while parsing application/http-index-format + content + * CVE-2017-5442 (bmo#1347979) + Use-after-free during style changes + * CVE-2017-5469 (bmo#1292534) + Potential Buffer overflow in flex-generated code + * CVE-2017-5440 (bmo#1336832) + Use-after-free in txExecutionState destructor during XSLT processing + * CVE-2017-5441 (bmo#1343795) + Use-after-free with selection during scroll events + * CVE-2017-5439 (bmo#1336830) + Use-after-free in nsTArray Length() during XSLT processing + * CVE-2017-5438 (bmo#1336828) + Use-after-free in nsAutoPtr during XSLT processing + * CVE-2017-5437 (bmo#1343453) + Vulnerabilities in Libevent library + * CVE-2017-5436 (bmo#1345461) + Out-of-bounds write with malicious font in Graphite 2 + * CVE-2017-5435 (bmo#1350683) + Use-after-free during transaction processing in the editor + * CVE-2017-5434 (bmo#1349946) + Use-after-free during focus handling + * CVE-2017-5433 (bmo#1347168) + Use-after-free in SMIL animation functions + * CVE-2017-5432 (bmo#1346654) + Use-after-free in text input selection + * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, + bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, + bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) + Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 + * CVE-2017-5459 (bmo#1333858) + Buffer overflow in WebGL + * CVE-2017-5462 (bmo#1345089) + DRBG flaw in NSS + * CVE-2017-5454 (bmo#1349276) + Sandbox escape allowing file system read access through file + picker + * CVE-2017-5451 (bmo#1273537) + Addressbar spoofing with onblur event + +------------------------------------------------------------------- +Mon Apr 17 12:43:48 UTC 2017 - wr(a)rosenauer.org + +- update to Thunderbird 52.0.1 + * Clicking on a link in an email may not open this link in the + external browser + * addon blocklist updates +- enable ALSA for systems w/o PA +- require libffi explicitely to fix PPC64LE build where a system + library is required + +------------------------------------------------------------------- +Sat Mar 18 21:06:01 UTC 2017 - wr(a)rosenauer.org + +- update to Thunderbird 52.0 + * Optionally remove corresponding data files when removing an account + * Possibility to copy message filter + * Calendar: Event can now be created and edited in a tab + * Calendar: Processing of received invitation counter proposals + * Chat: Support Twitter Direct Messages + * Chat: Liking and favoriting in Twitter + * Chat: Removed Yahoo! Messenger support + * serveral bugfixes +- security fixes (bsc#1028391, MFSA 2017-09): + In general, these flaws cannot be exploited through email because + scripting is disabled when reading mail, but are potentially + risks in browser or browser-like contexts. + * CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) + * CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) + * CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) + * CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) + * CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) + * CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) + * CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) + * CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) + * CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) + * CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) + * CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) + * CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) + * CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) + * CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) + * CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) + * CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) + * CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) + * CVE-2017-5421: Print preview spoofing (bmo#1301876) + * CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) + * CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52 + * CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8 +- removed obsolete patches + * mozilla-aarch64-48bit-va.patch + * mozilla-binutils-visibility.patch + * mozilla-flex_buffer_overrun.patch + * mozilla-gcc6.patch +- added generic mozilla patches + * mozilla-aarch64-startup-crash.patch +- require newer versions of NSPR and NSS +- use Gtk3 for Tumbleweed + +------------------------------------------------------------------- Old: ---- l10n-45.8.0.tar.xz mozilla-aarch64-48bit-va.patch mozilla-binutils-visibility.patch mozilla-flex_buffer_overrun.patch mozilla-gcc6.patch thunderbird-45.8.0-source.tar.xz New: ---- l10n-52.1.0.tar.xz mozilla-aarch64-startup-crash.patch thunderbird-52.1.0-source.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ MozillaThunderbird.spec ++++++ --- /var/tmp/diff_new_pack.Ag41Ux/_old 2017-05-03 15:53:50.724557335 +0200 +++ /var/tmp/diff_new_pack.Ag41Ux/_new 2017-05-03 15:53:50.724557335 +0200 @@ -17,21 +17,18 @@ # -%define mainversion 45.8.0 +%define mainversion 52.1.0 %define update_channel release -%define releasedate 2017030300 - -%if %suse_version > 1310 -%define gstreamer_ver 1.0 -%define gstreamer 1 -%else -%define gstreamer_ver 0.10 -%endif +%define releasedate 201704290000 %bcond_without mozilla_tb_kde4 %bcond_with mozilla_tb_valgrind %bcond_without mozilla_tb_optimize_for_size +%if 0%{?suse_version} > 1320 +%define mozilla_use_gtk3 1 +%endif + Name: MozillaThunderbird BuildRequires: Mesa-devel BuildRequires: autoconf213 @@ -44,8 +41,8 @@ BuildRequires: libgnomeui-devel BuildRequires: libidl-devel BuildRequires: libnotify-devel -BuildRequires: mozilla-nspr-devel >= 4.12 -BuildRequires: mozilla-nss-devel >= 3.21.3 +BuildRequires: mozilla-nspr-devel >= 4.13.1 +BuildRequires: mozilla-nss-devel >= 3.28.4 BuildRequires: python BuildRequires: startup-notification-devel BuildRequires: unzip @@ -54,22 +51,22 @@ BuildRequires: xz BuildRequires: yasm BuildRequires: zip +BuildRequires: pkgconfig(libffi) BuildRequires: pkgconfig(libpulse) %if %{with mozilla_tb_valgrind} BuildRequires: pkgconfig(valgrind) %endif -BuildRequires: pkgconfig(gstreamer-%gstreamer_ver) -BuildRequires: pkgconfig(gstreamer-app-%gstreamer_ver) -BuildRequires: pkgconfig(gstreamer-plugins-base-%gstreamer_ver) -%if 0%{?gstreamer} == 1 -Requires: libgstreamer-1_0-0 -Recommends: gstreamer-fluendo-mp3 -Recommends: gstreamer-plugin-libav -%else -Requires: libgstreamer-0_10-0 -Recommends: gstreamer-0_10-fluendo-mp3 -Recommends: gstreamer-0_10-plugins-ffmpeg -%endif +%if 0%{?mozilla_use_gtk3} +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(gobject-2.0) +BuildRequires: pkgconfig(gtk+-3.0) >= 3.4.0 +BuildRequires: pkgconfig(gtk+-unix-print-3.0) +%endif +# libavcodec is required for H.264 support but the +# openSUSE version is currently not able to play H.264 +# therefore the Packman version is required +# minimum version of libavcodec is 53 +Recommends: libavcodec-full >= 0.10.16 Version: %{mainversion} Release: 0 Provides: thunderbird = %{version} @@ -103,16 +100,13 @@ Patch3: mozilla-kde.patch Patch4: mozilla-develdirs.patch Patch5: mozilla-no-stdcxx-check.patch -Patch6: mozilla-gcc6.patch -Patch8: mozilla-aarch64-48bit-va.patch -Patch9: mozilla-binutils-visibility.patch +Patch6: mozilla-aarch64-startup-crash.patch # Thunderbird/mail Patch20: tb-ssldap.patch -# hotfix -Patch150: mozilla-flex_buffer_overrun.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: coreutils fileutils textutils /bin/sh Recommends: libcanberra0 +Recommends: libpulse0 ### build options %ifarch aarch64 ppc ppc64 ppc64le s390 s390x ia64 %arm %define crashreporter 0 @@ -132,11 +126,7 @@ %define progname thunderbird %define progdir %{_prefix}/%_lib/thunderbird %define libgssapi libgssapi_krb5.so.2 -%if %suse_version > 1130 %define desktop_file_name thunderbird -%else -%define desktop_file_name %{name} -%endif %description Mozilla Thunderbird is a redesign of the Mozilla Mail component. It is @@ -204,9 +194,6 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch8 -p1 -%patch9 -p1 -%patch150 -p1 popd # comm-central patches %patch20 -p1 @@ -272,7 +259,13 @@ ac_add_options --includedir=%{_includedir} ac_add_options --disable-tests ac_add_options --disable-debug +ac_add_options --enable-alsa ac_add_options --enable-optimize +%if 0%{?mozilla_use_gtk3} +ac_add_options --enable-default-toolkit=cairo-gtk3 +%else +ac_add_options --enable-default-toolkit=cairo-gtk2 +%endif ac_add_options --with-system-nspr ac_add_options --with-system-nss ac_add_options --with-system-jpeg @@ -281,15 +274,10 @@ ac_add_options --disable-updater #ac_add_options --with-system-png # no apng support ac_add_options --enable-system-hunspell -ac_add_options --disable-installer -ac_add_options --disable-mochitest ac_add_options --enable-startup-notification ac_add_options --enable-official-branding ac_add_options --disable-necko-wifi ac_add_options --enable-update-channel=%{update_channel} -%if 0%{?gstreamer} == 1 -ac_add_options --enable-gstreamer=1.0 -%endif %if %has_system_cairo ac_add_options --enable-system-cairo %endif @@ -476,7 +464,14 @@ %dir %{progdir} %{progdir}/application.ini %{progdir}/blocklist.xml +%{progdir}/chrome.manifest %{progdir}/dependentlibs.list +%{progdir}/fonts/ +%if 0%{?mozilla_use_gtk3} +%dir %{progdir}/gtk2 +%{progdir}/gtk2/libmozgtk.so +%endif +%{progdir}/icudt58l.dat %{progdir}/*.so %{progdir}/omni.ja %{progdir}/platform.ini ++++++ compare-locales.tar.xz ++++++ ++++++ create-tar.sh ++++++ --- /var/tmp/diff_new_pack.Ag41Ux/_old 2017-05-03 15:53:50.896533056 +0200 +++ /var/tmp/diff_new_pack.Ag41Ux/_new 2017-05-03 15:53:50.896533056 +0200 @@ -1,9 +1,9 @@ #!/bin/bash -CHANNEL="esr45" +CHANNEL="esr52" BRANCH="releases/comm-$CHANNEL" -RELEASE_TAG="THUNDERBIRD_45_8_0_RELEASE" -VERSION="45.8.0" +RELEASE_TAG="THUNDERBIRD_52_1_0_RELEASE" +VERSION="52.1.0" echo "cloning $BRANCH..." hg clone http://hg.mozilla.org/$BRANCH thunderbird ++++++ l10n-45.8.0.tar.xz -> l10n-52.1.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/MozillaThunderbird/l10n-45.8.0.tar.xz /work/SRC/openSUSE:Factory/.MozillaThunderbird.new/l10n-52.1.0.tar.xz differ: char 26, line 1 ++++++ mozilla-aarch64-startup-crash.patch ++++++ # HG changeset patch # Parent a5cfa3aa11a9d3391df49de6fc5a0e5232c12c10 Bug 991344 - Rpi3: Firefox crashes after a few seconds of usage diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp --- a/netwerk/base/nsIOService.cpp +++ b/netwerk/base/nsIOService.cpp @@ -830,17 +830,23 @@ nsIOService::NewChannelFromURIWithProxyF consoleService->LogStringMessage(NS_LITERAL_STRING( "Http channel implementation doesn't support nsIUploadChannel2. An extension has supplied a non-functional http protocol handler. This will break behavior and in future releases not work at all." ).get()); } gHasWarnedUploadChannel2 = true; } } +#if defined(__aarch64__) + if (result) { + channel.forget(result); + } +#else channel.forget(result); +#endif return NS_OK; } NS_IMETHODIMP nsIOService::NewChannelFromURIWithProxyFlags2(nsIURI* aURI, nsIURI* aProxyURI, uint32_t aProxyFlags, nsIDOMNode* aLoadingNode, ++++++ mozilla-develdirs.patch ++++++ --- /var/tmp/diff_new_pack.Ag41Ux/_old 2017-05-03 15:53:50.984520634 +0200 +++ /var/tmp/diff_new_pack.Ag41Ux/_new 2017-05-03 15:53:50.988520070 +0200 @@ -19,6 +19,6 @@ else DIST = $(DEPTH)/dist endif + ABS_DIST = $(topobjdir)/dist # We do magic with OBJ_SUFFIX in config.mk, the following ensures we don't - # manually use it before config.mk inclusion ++++++ mozilla-kde.patch ++++++ ++++ 2302 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/MozillaThunderbird/mozilla-kde.patch ++++ and /work/SRC/openSUSE:Factory/.MozillaThunderbird.new/mozilla-kde.patch ++++++ mozilla-language.patch ++++++ --- /var/tmp/diff_new_pack.Ag41Ux/_old 2017-05-03 15:53:51.036513294 +0200 +++ /var/tmp/diff_new_pack.Ag41Ux/_new 2017-05-03 15:53:51.036513294 +0200 @@ -1,23 +1,22 @@ # HG changeset patch # User Wolfgang Rosenauer <wr(a)rosenauer.org> # Parent 5a29924228527f8882c83cf62d470963ea1ce62e -# Parent 55b6ae7fd3ebf28f960031801f1948dfc1bd80d2 +# Parent 4f39ed617c2f151a3a15903c7ae4471b66774e9e Bug 583793 - Firefox interface language set to LANG, ignores LANGUAGE diff --git a/intl/locale/nsLocaleService.cpp b/intl/locale/nsLocaleService.cpp --- a/intl/locale/nsLocaleService.cpp +++ b/intl/locale/nsLocaleService.cpp -@@ -122,16 +122,17 @@ nsLocaleService::nsLocaleService(void) +@@ -114,16 +114,17 @@ nsLocaleService::nsLocaleService(void) + NS_ENSURE_SUCCESS_VOID(rv); + #endif + #if defined(XP_UNIX) && !defined(XP_MACOSX) RefPtr<nsLocale> resultLocale(new nsLocale()); NS_ENSURE_TRUE_VOID(resultLocale); - #ifdef MOZ_WIDGET_QT - const char* lang = QLocale::system().name().toUtf8(); - #else // Get system configuration const char* lang = getenv("LANG"); + const char* language = getenv("LANGUAGE"); - #endif nsAutoString xpLocale, platformLocale; nsAutoString category, category_platform; @@ -25,7 +24,8 @@ for( i = 0; i < LocaleListLength; i++ ) { nsresult result; -@@ -158,16 +159,21 @@ nsLocaleService::nsLocaleService(void) + // setlocale( , "") evaluates LC_* and LANG +@@ -149,16 +150,36 @@ nsLocaleService::nsLocaleService(void) } else { CopyASCIItoUTF16(lang, platformLocale); result = nsPosixLocale::GetXPLocale(lang, xpLocale); @@ -35,9 +35,24 @@ return; } + // LANGUAGE is overriding LC_MESSAGES ++ // it can be a colon separated list of preferred languages ++ // as we do not recognize here if a language is available ++ // we actually only consider the first entry unless GetXPLocale ++ // fails completely + if (i == LC_MESSAGES && language && *language) { -+ CopyASCIItoUTF16(language, platformLocale); -+ result = nsPosixLocale::GetXPLocale(language, xpLocale); ++#define LANGUAGE_SEP ":" ++ nsAutoString xpLocale_temp; ++ char* rawBuffer = (char*) language; ++ char* token = nsCRT::strtok(rawBuffer, LANGUAGE_SEP, &rawBuffer); ++ for (; token; ++ token = nsCRT::strtok(rawBuffer, LANGUAGE_SEP, &rawBuffer)) { ++ result = nsPosixLocale::GetXPLocale(token, xpLocale_temp); ++ if (NS_SUCCEEDED(result)) { ++ CopyASCIItoUTF16(token, platformLocale); ++ xpLocale = xpLocale_temp; ++ break; ++ } ++ } + } resultLocale->AddCategory(category, xpLocale); resultLocale->AddCategory(category_platform, platformLocale); ++++++ thunderbird-45.8.0-source.tar.xz -> thunderbird-52.1.0-source.tar.xz ++++++ /work/SRC/openSUSE:Factory/MozillaThunderbird/thunderbird-45.8.0-source.tar.xz /work/SRC/openSUSE:Factory/.MozillaThunderbird.new/thunderbird-52.1.0-source.tar.xz differ: char 26, line 1

1 0

commit wxWidgets-3_0 for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package wxWidgets-3_0 for openSUSE:Factory checked in at 2017-05-03 15:53:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wxWidgets-3_0 (Old) and /work/SRC/openSUSE:Factory/.wxWidgets-3_0.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "wxWidgets-3_0" Wed May 3 15:53:25 2017 rev:18 rq:491965 version:3.0.2 Changes: -------- --- /work/SRC/openSUSE:Factory/wxWidgets-3_0/wxWidgets-3_0-nostl.changes 2017-03-18 20:48:53.292008440 +0100 +++ /work/SRC/openSUSE:Factory/.wxWidgets-3_0.new/wxWidgets-3_0-nostl.changes 2017-05-03 15:53:26.951913454 +0200 @@ -2 +2 @@ -Tue Mar 14 08:53:03 UTC 2017 - davejplater(a)gmail.com +Tue Apr 18 13:13:26 UTC 2017 - jengelh(a)inai.de @@ -4 +4,8 @@ -- Actually apply relax-abi.diff and fix devel package description. +- Bump __GXX_ABI_VERSION to 1011 for gcc7 +- Add 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch + to resolve crash [boo#1034350] + +------------------------------------------------------------------- +Tue Mar 14 08:56:12 UTC 2017 - davejplater(a)gmail.com + +- Fix devel package description. --- /work/SRC/openSUSE:Factory/wxWidgets-3_0/wxWidgets-3_0.changes 2017-03-18 20:48:53.451985776 +0100 +++ /work/SRC/openSUSE:Factory/.wxWidgets-3_0.new/wxWidgets-3_0.changes 2017-05-03 15:53:27.047899904 +0200 @@ -1,0 +2,7 @@ +Tue Apr 18 13:13:26 UTC 2017 - jengelh(a)inai.de + +- Bump __GXX_ABI_VERSION to 1011 for gcc7 +- Add 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch + to resolve crash [boo#1034350] + +------------------------------------------------------------------- New: ---- 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wxWidgets-3_0-nostl.spec ++++++ --- /var/tmp/diff_new_pack.JrfKo9/_old 2017-05-03 15:53:28.535689864 +0200 +++ /var/tmp/diff_new_pack.JrfKo9/_new 2017-05-03 15:53:28.539689299 +0200 @@ -57,10 +57,10 @@ Patch12: 0003-Don-t-use-frame-extents-when-not-using-X11-in-wxGTK.patch Patch13: 0004-Don-t-crash-when-switching-to-full-screen-in-non-X11.patch Patch14: 0005-Don-t-use-X11-only-functions-when-not-using-X11-in-w.patch -# PATCH-FIX-UPSTREAM wxWidgets-3_0-gstreamer-1.0.patch badshah400(a)gmail.com -- Port wxcntrl to use gstreamer 1.0; patch taken from upstream bug report: http://trac.wxwidgets.org/ticket/14976 Patch16: wxWidgets-3_0-gstreamer-1.0.patch Patch15: abs.diff Patch17: relax-abi.diff +Patch18: 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel BuildRequires: autoconf @@ -275,7 +275,7 @@ echo "=== RPM build flags: WX_DEBUG=0%{?WX_DEBUG}" %setup -q -n %tarball_name-%version %patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -P 9 -p1 -%patch -P 10 -P 11 -P 12 -P 13 -P 14 -P 15 -P 16 -P 17 -p1 +%patch -P 10 -P 11 -P 12 -P 13 -P 14 -P 15 -P 16 -P 17 -P 18 -p1 cp %{S:2} . %build ++++++ wxWidgets-3_0.spec ++++++ --- /var/tmp/diff_new_pack.JrfKo9/_old 2017-05-03 15:53:28.567685347 +0200 +++ /var/tmp/diff_new_pack.JrfKo9/_new 2017-05-03 15:53:28.571684782 +0200 @@ -60,8 +60,17 @@ Patch15: abs.diff Patch16: wxWidgets-3_0-gstreamer-1.0.patch Patch17: relax-abi.diff +Patch18: 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: SDL-devel + +#Link SDL2 for newer distros +%if 0%{?suse_version} > 1320 || 0%{?suse_version} == 1315 +BuildRequires: pkgconfig(sdl2) +%else +BuildRequires: pkgconfig(sdl) +%endif + + BuildRequires: autoconf BuildRequires: cppunit-devel BuildRequires: gcc-c++ @@ -276,7 +285,7 @@ echo "=== RPM build flags: WX_DEBUG=0%{?WX_DEBUG}" %setup -q -n %tarball_name-%version %patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -P 9 -p1 -%patch -P 10 -P 11 -P 12 -P 13 -P 14 -P 15 -P 16 -P 17 -p1 +%patch -P 10 -P 11 -P 12 -P 13 -P 14 -P 15 -P 16 -P 17 -P 18 -p1 cp %{S:2} . %build @@ -286,6 +295,10 @@ # --enable-accessibility is currently supported only in msw # --enable-extended_rtti does not compile +%if 0%{?suse_version} > 1320 || 0%{?suse_version} == 1315 +export SDL_CONFIG=/usr/bin/sdl2-config +%endif + %configure\ --enable-vendor=suse \ --with-gtk=%gtk_version\ ++++++ 0001-Fix-spurious-assert-in-wxGTK-wxDataViewCtrl-EditItem.patch ++++++ >From ed88188be7e97a0503f3471f7b0452740b732902 Mon Sep 17 00:00:00 2001 From: Vadim Zeitlin <vadim(a)wxwidgets.org> Date: Tue, 10 Feb 2015 23:14:53 +0000 Subject: [PATCH] Fix spurious assert in wxGTK wxDataViewCtrl::EditItem(). The assert in wxGtkTreeSelectionLock ctor failed after the first time this object was created as it doesn't reset the selection function to NULL with wxGTK2, fix this by checking for different values depending on whether it's actually the first time we do it or not. In the future we should just reset the selection function to NULL as it does work in GTK+ 3, also update the comment explaining the problem to mention this. (cherry picked from commit 24c0401e81a4d0206f89b21775adb90fb11bf32a) --- src/gtk/dataview.cpp | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/gtk/dataview.cpp b/src/gtk/dataview.cpp index 87217e2fbc..0be3273495 100644 --- a/src/gtk/dataview.cpp +++ b/src/gtk/dataview.cpp @@ -135,9 +135,11 @@ public: // Implementation note: it could be expected that setting the selection // function in this class ctor and resetting it back to the old value in its -// dtor would work. However currently gtk_tree_selection_get_select_function() -// can't be passed NULL (see https://bugzilla.gnome.org/show_bug.cgi?id=626276) -// so we can't do this. Instead, we always use the selection function (which +// dtor would work, However in GTK+2 gtk_tree_selection_get_select_function() +// can't be passed NULL (see https://bugzilla.gnome.org/show_bug.cgi?id=626276 +// which was only fixed in 2.90.5-304-g316b9da) so we can't do this. +// +// Instead, we always use the selection function (which // imposes extra overhead, albeit minimal one, on all selection operations) and // just set/reset the flag telling it whether it should allow or forbid the // selection. @@ -168,7 +170,15 @@ public: ms_instance = this; - CheckCurrentSelectionFunc(NULL); + if ( ms_firstTime ) + { + ms_firstTime = false; + CheckCurrentSelectionFunc(NULL); + } + else + { + CheckCurrentSelectionFunc(wxdataview_selection_func); + } // Pass some non-NULL pointer as "data" for the callback, it doesn't // matter what it is as long as it's non-NULL. @@ -215,6 +225,7 @@ private: } static wxGtkTreeSelectionLock *ms_instance; + static bool ms_firstTime; GtkTreeSelection * const m_selection; @@ -222,6 +233,7 @@ private: }; wxGtkTreeSelectionLock *wxGtkTreeSelectionLock::ms_instance = NULL; +bool wxGtkTreeSelectionLock::ms_firstTime = true; //----------------------------------------------------------------------------- // wxDataViewCtrlInternal -- 2.12.2 ++++++ relax-abi.diff ++++++ --- /var/tmp/diff_new_pack.JrfKo9/_old 2017-05-03 15:53:28.735661633 +0200 +++ /var/tmp/diff_new_pack.JrfKo9/_new 2017-05-03 15:53:28.735661633 +0200 @@ -24,7 +24,7 @@ + // https://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Dialect-Options.html + // under -fabi-version) don't affect wxWidgets, so we allow a library + // and an application to differ within that range. -+ #if ((__GXX_ABI_VERSION >= 1002) && (__GXX_ABI_VERSION <= 1010)) ++ #if ((__GXX_ABI_VERSION >= 1002) && (__GXX_ABI_VERSION <= 1011)) + #define wxGXX_EFFECTIVE_ABI_VERSION 1002 + #else + #define wxGXX_EFFECTIVE_ABI_VERSION __GXX_ABI_VERSION

1 0

commit libappindicator for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package libappindicator for openSUSE:Factory checked in at 2017-05-03 15:53:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libappindicator (Old) and /work/SRC/openSUSE:Factory/.libappindicator.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libappindicator" Wed May 3 15:53:20 2017 rev:7 rq:491919 version:12.10.1+bzr20170215 Changes: -------- --- /work/SRC/openSUSE:Factory/libappindicator/libappindicator.changes 2016-07-14 09:44:53.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libappindicator.new/libappindicator.changes 2017-05-03 15:53:21.636663839 +0200 @@ -1,0 +2,24 @@ +Fri Apr 28 16:04:54 UTC 2017 - jengelh(a)inai.de + +- Rename %soname to %sover to better reflect its purpose. +- Update summaries. +- Remove redundant pkgconfig() reqiures; these are already + autodiscovered. + +------------------------------------------------------------------- +Wed Apr 19 19:50:11 UTC 2017 - sor.alexei(a)meowr.ru + +- Update to version 12.10.1+bzr20170215 (changes since + 12.10.1+bzr20141110): + * Handle watcher service appearing and disappearing. + * Make test-simple-app really working. + * Fix icon and theme paths when running in $SNAP environment + (lp#1600136). + * Do not emit label changes when guide is still empty. + * Do not append the snap prefix if the icon is saved in a well + known readable path. +- Add libappindicator-activate-support.patch: Open menu on the + left-click action (lp#1403449). +- Rename python-appindicator to python2-appindicator. + +------------------------------------------------------------------- Old: ---- libappindicator_12.10.1+15.04.20141110.orig.tar.gz New: ---- libappindicator-activate-support.patch libappindicator_12.10.1+17.04.20170215.orig.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libappindicator.spec ++++++ --- /var/tmp/diff_new_pack.8Z1iC8/_old 2017-05-03 15:53:22.588529459 +0200 +++ /var/tmp/diff_new_pack.8Z1iC8/_new 2017-05-03 15:53:22.592528894 +0200 @@ -1,7 +1,7 @@ # # spec file for package libappindicator # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,26 +16,28 @@ # -%define soname 1 -%define _version 12.10.1+15.04.20141110 -%bcond_with mono +%define sover 1 +%define _version 12.10.1+17.04.20170215 %if %{undefined with_mono} %bcond_without mono %endif +%bcond_with mono Name: libappindicator -Version: 12.10.1+bzr20141110 +Version: 12.10.1+bzr20170215 Release: 0 Summary: Application indicators library License: LGPL-2.0 and LGPL-3.0 and GPL-3.0 Group: System/Libraries Url: https://launchpad.net/libappindicator -Source: http://archive.ubuntu.com/ubuntu/pool/main/liba/%{name}/%{name}_%{_version}… +Source: https://launchpad.net/ubuntu/+archive/primary/+files/%{name}_%{_version}.or… # PATCH-FIX-UPSTREAM 0001_Fix_mono_dir.patch hrvoje.senjan(a)gmail.com -- Fix location of .pc files. Patch0: 0001_Fix_mono_dir.patch +# PATCH-FIX-OPENSUSE libappindicator-activate-support.patch sor.alexei(a)meowr.ru -- Open menu on the left-click action. +Patch1: libappindicator-activate-support.patch BuildRequires: fdupes BuildRequires: gnome-common BuildRequires: gtk-doc -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: vala BuildRequires: pkgconfig(dbus-glib-1) BuildRequires: pkgconfig(dbusmenu-glib-0.4) @@ -59,19 +61,22 @@ on KSNI it also works in KDE and will fallback to generic Systray support if none of those are available. -%package -n python-appindicator +%package -n python2-appindicator Summary: Python 2 bindings for libappindicator -Group: System/Libraries -Requires: libappindicator%{soname} = %{version} +Group: Development/Languages/Python +Requires: libappindicator%{sover} = %{version} +# python-appindicator was last used in openSUSE Leap 42.2. +Provides: python-appindicator = %{version} +Obsoletes: python-appindicator < %{version} -%description -n python-appindicator +%description -n python2-appindicator This package contains the Python 2 bindings for the appindicator library. -%package -n libappindicator%{soname} +%package -n libappindicator%{sover} Summary: Application indicators library Group: System/Libraries -%description -n libappindicator%{soname} +%description -n libappindicator%{sover} A library to allow applications to export a menu into the Unity Menu bar. Based on KSNI it also works in KDE and will fallback to generic Systray support if none of those are available. @@ -87,19 +92,16 @@ %package devel Summary: Development files for libappindicator Group: Development/Libraries/C and C++ -Requires: libappindicator%{soname} = %{version} -Requires: pkg-config -Requires: pkgconfig(dbus-glib-1) -Requires: pkgconfig(dbusmenu-glib-0.4) +Requires: libappindicator%{sover} = %{version} %description devel This package contains the development files for the appindicator library. -%package -n libappindicator3-%{soname} -Summary: Application indicators library -- GTK+ 3 +%package -n libappindicator3-%{sover} +Summary: Application indicators library for GTK+3 Group: System/Libraries -%description -n libappindicator3-%{soname} +%description -n libappindicator3-%{sover} A library to allow applications to export a menu into the Unity Menu bar. Based on KSNI it also works in KDE and will fallback to generic Systray support if none of those are available. @@ -117,10 +119,7 @@ %package -n libappindicator3-devel Summary: Development files for libappindicator3 Group: Development/Libraries/C and C++ -Requires: libappindicator3-%{soname} = %{version} -Requires: pkg-config -Requires: pkgconfig(dbus-glib-1) -Requires: pkgconfig(dbusmenu-glib-0.4) +Requires: libappindicator3-%{sover} = %{version} %description -n libappindicator3-devel This package contains the development files for the appindicator3 library. @@ -136,7 +135,7 @@ %if %{with mono} %package -n appindicator-sharp -Summary: Application indicators library -- C# assembly CLI +Summary: Application indicators library for C# Group: System/Libraries %description -n appindicator-sharp @@ -155,12 +154,16 @@ %endif %prep -%setup -q -n %{name}-%{_version} +%setup -q -c %patch0 -p1 +%patch1 -p1 %build -%global _configure ../configure NOCONFIGURE=1 ./autogen.sh +%if %{with mono} +export CSC=%{_bindir}/gmcs +%endif +%global _configure ../configure for ver in 2 3; do mkdir build-gtk$ver @@ -170,28 +173,25 @@ --enable-gtk-doc \ --disable-mono-test \ --with-gtk=$ver - make -j1 + make -j1 V=1 popd done %install -for ver in 2 3; do - pushd build-gtk$ver - %make_install - popd -done +%make_install -C build-gtk2 +%make_install -C build-gtk3 find %{buildroot} -type f -name "*.la" -delete -print %fdupes %{buildroot}%{python_sitearch} -%post -n libappindicator%{soname} -p /sbin/ldconfig +%post -n libappindicator%{sover} -p /sbin/ldconfig -%postun -n libappindicator%{soname} -p /sbin/ldconfig +%postun -n libappindicator%{sover} -p /sbin/ldconfig -%post -n libappindicator3-%{soname} -p /sbin/ldconfig +%post -n libappindicator3-%{sover} -p /sbin/ldconfig -%postun -n libappindicator3-%{soname} -p /sbin/ldconfig +%postun -n libappindicator3-%{sover} -p /sbin/ldconfig -%files -n python-appindicator +%files -n python2-appindicator %defattr(-,root,root) %doc COPYING COPYING.LGPL.2.1 README %dir %{python_sitearch}/appindicator/ @@ -202,10 +202,10 @@ %dir %{_datadir}/pygtk/2.0/defs/ %{_datadir}/pygtk/2.0/defs/appindicator.defs -%files -n libappindicator%{soname} +%files -n libappindicator%{sover} %defattr(-,root,root) %doc COPYING COPYING.LGPL.2.1 README -%{_libdir}/libappindicator.so.%{soname}* +%{_libdir}/libappindicator.so.%{sover}* %files -n typelib-1_0-AppIndicator-0_1 %defattr(-,root,root) @@ -224,10 +224,10 @@ %{_datadir}/vala/vapi/appindicator-0.1.vapi %{_datadir}/vala/vapi/appindicator-0.1.deps -%files -n libappindicator3-%{soname} +%files -n libappindicator3-%{sover} %defattr(-,root,root) %doc COPYING COPYING.LGPL.2.1 README -%{_libdir}/libappindicator3.so.%{soname}* +%{_libdir}/libappindicator3.so.%{sover}* %files -n typelib-1_0-AppIndicator3-0_1 %defattr(-,root,root) ++++++ libappindicator-activate-support.patch ++++++ --- a/src/app-indicator.c +++ b/src/app-indicator.c @@ -1188,6 +1188,12 @@ bus_method_call (GDBusConnection * conne { gtk_widget_activate (menuitem); } + } else if (g_strcmp0(method, "Activate") == 0) { + GtkMenu * menu = app_indicator_get_menu(app); + if (menu != NULL) { + gtk_menu_popup(menu, NULL, NULL, NULL, NULL, 1, + gtk_get_current_event_time()); + } } else { g_warning("Calling method '%s' on the app-indicator and it's unknown", method); } --- a/src/notification-item.xml +++ b/src/notification-item.xml @@ -31,6 +31,10 @@ <method name="XAyatanaSecondaryActivate"> <arg type="u" name="timestamp" direction="in" /> </method> + <method name="Activate"> + <arg type="i" name="x" direction="in" /> + <arg type="i" name="y" direction="in" /> + </method>  <signal name="NewIcon"> ++++++ libappindicator_12.10.1+15.04.20141110.orig.tar.gz -> libappindicator_12.10.1+17.04.20170215.orig.tar.gz ++++++ ++++ 17680 lines of diff (skipped)

1 0

commit perl-Bootloader for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package perl-Bootloader for openSUSE:Factory checked in at 2017-05-03 15:53:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Bootloader (Old) and /work/SRC/openSUSE:Factory/.perl-Bootloader.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "perl-Bootloader" Wed May 3 15:53:12 2017 rev:180 rq:491865 version:0.918 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-Bootloader/perl-Bootloader.changes 2017-02-03 17:53:16.456650019 +0100 +++ /work/SRC/openSUSE:Factory/.perl-Bootloader.new/perl-Bootloader.changes 2017-05-03 15:53:17.101304123 +0200 @@ -0,0 +1,8 @@ +-------------------------------------------------------------------- +Fri Apr 28 14:10:38 UTC 2017 - mchang(a)suse.com + +- merge gh#openSUSE/perl-bootloader#112 +- implemented trusted boot/TPM support in UEFI mode (bsc#1036735, + fate#315831) +- 0.918 + Old: ---- perl-Bootloader-0.917.tar.xz New: ---- perl-Bootloader-0.918.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Bootloader.spec ++++++ --- /var/tmp/diff_new_pack.7CW1EZ/_old 2017-05-03 15:53:18.697078838 +0200 +++ /var/tmp/diff_new_pack.7CW1EZ/_new 2017-05-03 15:53:18.701078273 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-Bootloader # -# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: perl-Bootloader -Version: 0.917 +Version: 0.918 Release: 0 Requires: coreutils Requires: perl-base = %{perl_version} ++++++ perl-Bootloader-0.917.tar.xz -> perl-Bootloader-0.918.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/perl-Bootloader-0.917/VERSION new/perl-Bootloader-0.918/VERSION --- old/perl-Bootloader-0.917/VERSION 2017-01-24 13:49:06.000000000 +0100 +++ new/perl-Bootloader-0.918/VERSION 2017-04-28 16:10:38.000000000 +0200 @@ -1 +1 @@ -0.917 +0.918 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/perl-Bootloader-0.917/changelog new/perl-Bootloader-0.918/changelog --- old/perl-Bootloader-0.917/changelog 2017-01-24 13:49:06.000000000 +0100 +++ new/perl-Bootloader-0.918/changelog 2017-04-28 16:10:38.000000000 +0200 @@ -1,3 +1,6 @@ +2017-04-28: 0.918 + - implemented trusted boot/TPM support in UEFI mode (bsc #1036735, fate #315831) + 2017-01-03: 0.917 - grub2: drop trailing space from saved entry - grub2: parse initrd (bsc #1007335) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/perl-Bootloader-0.917/grub2-efi/install new/perl-Bootloader-0.918/grub2-efi/install --- old/perl-Bootloader-0.917/grub2-efi/install 2017-01-24 13:49:06.000000000 +0100 +++ new/perl-Bootloader-0.918/grub2-efi/install 2017-04-28 16:10:38.000000000 +0200 @@ -52,6 +52,10 @@ append="--no-nvram --removable" fi +if [ "$SYS__BOOTLOADER__TRUSTED_BOOT" = yes -a -f "/usr/lib/grub2/$target/tpm.mod" ] ; then + append="$append --suse-enable-tpm" +fi + if [ "$SYS__BOOTLOADER__SECURE_BOOT" = "yes" ] ; then if [ -x /usr/sbin/shim-install ] ; then ( set -x ; /usr/sbin/shim-install --config-file=/boot/grub2/grub.cfg $append )

1 0

commit cups for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package cups for openSUSE:Factory checked in at 2017-05-03 15:53:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cups (Old) and /work/SRC/openSUSE:Factory/.cups.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cups" Wed May 3 15:53:05 2017 rev:138 rq:491776 version:2.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2017-04-12 17:09:03.808014252 +0200 +++ /work/SRC/openSUSE:Factory/.cups.new/cups.changes 2017-05-03 15:53:07.250694792 +0200 @@ -1,0 +2,22 @@ +Thu Apr 20 16:26:52 UTC 2017 - alarrosa(a)suse.com + +- Drop cups-1.7.5-cupsEnumDests-react-to-all-for-now.diff and add + 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch, + 0002-Save-work-on-Avahi-code.patch and + 0003-Avahi-fixes-for-cupsEnumDests.patch which is what upstream + finally commited to cups 2.2 sources in response to + https://github.com/apple/cups/pull/4989 in order to fix cupsEnumDests + to react to the ALL_FOR_NOW avahi event (and also include a similar + fix for the dnssd case). Related to bsc#955432. + +------------------------------------------------------------------- +Mon Apr 10 17:37:16 UTC 2017 - alarrosa(a)suse.com + +- Add cups-2.1.3-cupsEnumDests-react-to-all-for-now.diff . + Avahi sends an ALL_FOR_NOW event when it finishes sending + its cache contents. This patch makes cupsEnumDests finish + when the signal is received so it doesn't block the caller + doing nothing until the timeout finishes (related to bsc#955432, + submitted upstream at https://github.com/apple/cups/pull/4989) + +------------------------------------------------------------------- New: ---- 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch 0002-Save-work-on-Avahi-code.patch 0003-Avahi-fixes-for-cupsEnumDests.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.7RKfiL/_old 2017-05-03 15:53:08.526514677 +0200 +++ /var/tmp/diff_new_pack.7RKfiL/_new 2017-05-03 15:53:08.530514112 +0200 @@ -45,6 +45,12 @@ Patch11: cups-2.1.0-default-webcontent-path.patch # Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly: Patch12: cups-2.1.0-cups-systemd-socket.patch +# Patch13 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch bsc#955432 -- React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +Patch13: 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch +# Patch14 0002-Save-work-on-Avahi-code.patch bsc#955432 -- React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +Patch14: 0002-Save-work-on-Avahi-code.patch +# Patch15 0003-Avahi-fixes-for-cupsEnumDests.patch bsc#955432 -- React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +Patch15: 0003-Avahi-fixes-for-cupsEnumDests.patch # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream: # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE: Patch100: cups-pam.diff @@ -133,9 +139,9 @@ %package libs Summary: Libraries for CUPS -# Prerequire /sbin/ldconfig which is used in the traditional bash scriptlets for post/postun: License: GPL-2.0 and LGPL-2.1 Group: Hardware/Printing +# Prerequire /sbin/ldconfig which is used in the traditional bash scriptlets for post/postun: Requires(pre): /sbin/ldconfig %if 0%{?suse_version} >= 1330 Requires(pre): group(lp) @@ -157,6 +163,8 @@ %package client Summary: CUPS Client Programs +License: GPL-2.0 +Group: Hardware/Printing # Require the exact matching version-release of the cups-libs sub-package because # non-matching CUPS libraries may let CUPS software crash (e.g. segfault) # because all CUPS software is built from the one same CUPS source tar ball @@ -166,8 +174,6 @@ # on the same package repository where the cups package is because # all are built simulaneously from the same cups source package # and all required packages are provided on the same repository: -License: GPL-2.0 -Group: Hardware/Printing Requires: cups-libs = %{version}-%{release} # Conflicts with other print spoolers which provide same binaries like /usr/bin/lp and so on: Conflicts: lprng @@ -190,13 +196,13 @@ %package devel Summary: Development Environment for CUPS +License: GPL-2.0 +Group: Development/Libraries/C and C++ # Do not require the exact matching version-release of cups-libs # but only a cups-libs package with matching version because # for building third-party software which uses only the CUPS public API # there are no CUPS-internal dependencies via CUPS private API calls # (the latter would require the exact matching cups-libs version-release): -License: GPL-2.0 -Group: Development/Libraries/C and C++ Requires: cups-libs = %{version} Requires: glibc-devel @@ -258,6 +264,12 @@ %patch11 -b default-webcontent-path.prig # Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly: %patch12 -b cups-systemd-socket.orig +# Patch13 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +%patch13 -p1 +# Patch14 0002-Save-work-on-Avahi-code.patch React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +%patch14 -p1 +# Patch15 0003-Avahi-fixes-for-cupsEnumDests.patch React properly to avahi's ALL_FOR_NOW signal to reduce unneeded delay +%patch15 -p1 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream: # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE: %patch100 ++++++ 0001-Update-cupsEnumDests-implementation-to-return-early-if-all.patch ++++++ >From a2187a63425a3d6c05de1e1cbf8c26fd39a1aced Mon Sep 17 00:00:00 2001 From: Michael R Sweet <michaelrsweet(a)gmail.com> Date: Wed, 19 Apr 2017 15:29:42 -0400 Subject: [PATCH] Update cupsEnumDests implementation to return early if all printers have been discovered (Issue #4989) Also update the code to generate the same queue names as cupsd does for IPP Everywhere printers. --- CHANGES.txt | 4 +- cups/dest.c | 169 +++++++++++++++++++++++++++++++++++++++++++------------- cups/testdest.c | 4 +- 3 files changed, 136 insertions(+), 41 deletions(-) diff --git a/cups/dest.c b/cups/dest.c index b06a9ee..54f2a7f 100644 --- a/cups/dest.c +++ b/cups/dest.c @@ -101,9 +101,10 @@ typedef struct _cups_dnssd_device_s /* Enumerated device */ # else /* HAVE_AVAHI */ AvahiRecordBrowser *ref; /* Browser for query */ # endif /* HAVE_DNSSD */ - char *domain, /* Domain name */ - *fullName, /* Full name */ - *regtype; /* Registration type */ + char *fullName, /* Full name */ +// *serviceName, /* Service name */ + *regtype, /* Registration type */ + *domain; /* Domain name */ cups_ptype_t type; /* Device registration type */ cups_dest_t dest; /* Destination record */ } _cups_dnssd_device_t; @@ -202,6 +203,7 @@ static void cups_dnssd_query_cb(AvahiRecordBrowser *browser, AvahiLookupResultFlags flags, void *context); # endif /* HAVE_DNSSD */ +static void cups_dnssd_queue_name(char *name, const char *serviceName, size_t namesize); static const char *cups_dnssd_resolve(cups_dest_t *dest, const char *uri, int msec, int *cancel, cups_dest_cb_t cb, void *user_data); @@ -920,14 +922,13 @@ _cupsCreateDest(const char *name, /* I - Printer name */ int /* O - 1 on success, 0 on failure */ cupsEnumDests( - unsigned flags, /* I - Enumeration flags */ - int msec, /* I - Timeout in milliseconds, - * -1 for indefinite */ - int *cancel, /* I - Pointer to "cancel" variable */ - cups_ptype_t type, /* I - Printer type bits */ - cups_ptype_t mask, /* I - Mask for printer type bits */ - cups_dest_cb_t cb, /* I - Callback function */ - void *user_data) /* I - User data */ + unsigned flags, /* I - Enumeration flags */ + int msec, /* I - Timeout in milliseconds, -1 for indefinite */ + int *cancel, /* I - Pointer to "cancel" variable */ + cups_ptype_t type, /* I - Printer type bits */ + cups_ptype_t mask, /* I - Mask for printer type bits */ + cups_dest_cb_t cb, /* I - Callback function */ + void *user_data) /* I - User data */ { int i, /* Looping var */ num_dests; /* Number of destinations */ @@ -939,6 +940,7 @@ cupsEnumDests( *user_default; /* User default printer */ #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) int count, /* Number of queries started */ + completed, /* Number of completed queries */ remaining; /* Remainder of timeout */ _cups_dnssd_data_t data; /* Data for callback */ _cups_dnssd_device_t *device; /* Current device */ @@ -1007,29 +1009,70 @@ cupsEnumDests( dest->is_default = 1; } +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) + data.type = type; + data.mask = mask; + data.cb = cb; + data.user_data = user_data; + data.devices = cupsArrayNew3((cups_array_func_t)cups_dnssd_compare_devices, NULL, NULL, 0, NULL, (cups_afree_func_t)cups_dnssd_free_device); +#endif /* HAVE_DNSSD || HAVE_AVAHI */ + for (i = num_dests, dest = dests; i > 0 && (!cancel || !*cancel); i --, dest ++) + { + const char *device_uri; /* Device URI */ + if (!(*cb)(user_data, i > 1 ? CUPS_DEST_FLAGS_MORE : CUPS_DEST_FLAGS_NONE, dest)) break; + if (!dest->instance && (device_uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL && !strncmp(device_uri, "dnssd://", 8)) + { + /* + * Add existing queue using service name, etc. so we don't list it again... + */ + + char scheme[32], /* URI scheme */ + userpass[32], /* Username:password */ + serviceName[256], /* Service name (host field) */ + resource[256], /* Resource (options) */ + *regtype, /* Registration type */ + *replyDomain; /* Registration domain */ + int port; /* Port number (not used) */ + + if (httpSeparateURI(HTTP_URI_CODING_ALL, device_uri, scheme, sizeof(scheme), userpass, sizeof(userpass), serviceName, sizeof(serviceName), &port, resource, sizeof(resource)) >= HTTP_URI_STATUS_OK) + { + if ((regtype = strstr(serviceName, "._ipp")) != NULL) + { + *regtype++ = '\0'; + + if ((replyDomain = strstr(regtype, "._tcp.")) != NULL) + { + replyDomain[5] = '\0'; + replyDomain += 6; + + if ((device = cups_dnssd_get_device(&data, serviceName, regtype, replyDomain)) != NULL) + device->state = _CUPS_DNSSD_ACTIVE; + } + } + } + } + } + cupsFreeDests(num_dests, dests); if (i > 0 || msec == 0) + { + cupsArrayDelete(data.devices); return (1); + } #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) /* * Get Bonjour-shared printers... */ - data.type = type; - data.mask = mask; - data.cb = cb; - data.user_data = user_data; - data.devices = cupsArrayNew3((cups_array_func_t)cups_dnssd_compare_devices, NULL, NULL, 0, NULL, (cups_afree_func_t)cups_dnssd_free_device); - # ifdef HAVE_DNSSD if (DNSServiceCreateConnection(&data.main_ref) != kDNSServiceErr_NoError) return (0); @@ -1105,27 +1148,25 @@ cupsEnumDests( pfd.fd = main_fd; pfd.events = POLLIN; - nfds = poll(&pfd, 1, remaining > 250 ? 250 : remaining); + nfds = poll(&pfd, 1, remaining > 500 ? 500 : remaining); # else FD_ZERO(&input); FD_SET(main_fd, &input); timeout.tv_sec = 0; - timeout.tv_usec = remaining > 250 ? 250000 : remaining * 1000; + timeout.tv_usec = remaining > 500 ? 500000 : remaining * 1000; nfds = select(main_fd + 1, &input, NULL, NULL, &timeout); # endif /* HAVE_POLL */ if (nfds > 0) DNSServiceProcessResult(data.main_ref); - else if (nfds == 0) - remaining -= 250; # else /* HAVE_AVAHI */ data.got_data = 0; - if ((error = avahi_simple_poll_iterate(data.simple_poll, 250)) > 0) + if ((error = avahi_simple_poll_iterate(data.simple_poll, 500)) > 0) { /* * We've been told to exit the loop. Perhaps the connection to @@ -1135,18 +1176,21 @@ cupsEnumDests( break; } - if (!data.got_data) - remaining -= 250; # endif /* HAVE_DNSSD */ + remaining -= 500; + for (device = (_cups_dnssd_device_t *)cupsArrayFirst(data.devices), - count = 0; + count = 0, completed = 0; device; device = (_cups_dnssd_device_t *)cupsArrayNext(data.devices)) { if (device->ref) count ++; + if (device->state == _CUPS_DNSSD_ACTIVE) + completed ++; + if (!device->ref && device->state == _CUPS_DNSSD_NEW) { DEBUG_printf(("1cupsEnumDests: Querying '%s'.", device->fullName)); @@ -1196,8 +1240,11 @@ cupsEnumDests( } else if (device->ref && device->state == _CUPS_DNSSD_PENDING) { + completed ++; + if ((device->type & mask) == type) { + DEBUG_printf(("1cupsEnumDests: Add callback for \"%s\".", device->dest.name)); if (!(*cb)(user_data, CUPS_DEST_FLAGS_NONE, &device->dest)) { remaining = -1; @@ -1208,6 +1255,9 @@ cupsEnumDests( device->state = _CUPS_DNSSD_ACTIVE; } } + + if (completed == cupsArrayCount(data.devices)) + break; } cupsArrayDelete(data.devices); @@ -2964,8 +3014,9 @@ cups_dnssd_get_device( { _cups_dnssd_device_t key, /* Search key */ *device; /* Device */ - char fullName[kDNSServiceMaxDomainName]; + char fullName[kDNSServiceMaxDomainName], /* Full name for query */ + name[128]; /* Queue name */ DEBUG_printf(("5cups_dnssd_get_device(data=%p, serviceName=\"%s\", " @@ -2974,7 +3025,9 @@ cups_dnssd_get_device( * See if this is an existing device... */ - key.dest.name = (char *)serviceName; + cups_dnssd_queue_name(name, serviceName, sizeof(name)); + + key.dest.name = name; if ((device = cupsArrayFind(data->devices, &key)) != NULL) { @@ -3035,10 +3088,12 @@ cups_dnssd_get_device( replyDomain)); device = calloc(sizeof(_cups_dnssd_device_t), 1); - device->dest.name = _cupsStrAlloc(serviceName); + device->dest.name = _cupsStrAlloc(name); device->domain = _cupsStrAlloc(replyDomain); device->regtype = _cupsStrAlloc(regtype); + device->dest.num_options = cupsAddOption("printer-info", serviceName, 0, &device->dest.options); + cupsArrayAdd(data->devices, device); } @@ -3047,11 +3102,9 @@ cups_dnssd_get_device( */ # ifdef HAVE_DNSSD - DNSServiceConstructFullName(fullName, device->dest.name, device->regtype, - device->domain); + DNSServiceConstructFullName(fullName, serviceName, regtype, replyDomain); # else /* HAVE_AVAHI */ - avahi_service_name_join(fullName, kDNSServiceMaxDomainName, serviceName, - regtype, replyDomain); + avahi_service_name_join(fullName, kDNSServiceMaxDomainName, serviceName, regtype, replyDomain); # endif /* HAVE_DNSSD */ _cupsStrFree(device->fullName); @@ -3070,6 +3123,8 @@ cups_dnssd_get_device( if (device->state == _CUPS_DNSSD_ACTIVE) { + DEBUG_printf(("6cups_dnssd_get_device: Remove callback for \"%s\".", device->dest.name)); + (*data->cb)(data->user_data, CUPS_DEST_FLAGS_REMOVED, &device->dest); device->state = _CUPS_DNSSD_NEW; } @@ -3128,7 +3183,10 @@ cups_dnssd_local_cb( } if (device->state == _CUPS_DNSSD_ACTIVE) + { + DEBUG_printf(("6cups_dnssd_local_cb: Remove callback for \"%s\".", device->dest.name)); (*data->cb)(data->user_data, CUPS_DEST_FLAGS_REMOVED, &device->dest); + } device->state = _CUPS_DNSSD_LOCAL; } @@ -3214,7 +3272,8 @@ cups_dnssd_query_cb( # endif /* HAVE_DNSSD */ _cups_dnssd_data_t *data = (_cups_dnssd_data_t *)context; /* Enumeration data */ - char name[1024], /* Service name */ + char serviceName[256],/* Service name */ + name[128], /* Queue name */ *ptr; /* Pointer into string */ _cups_dnssd_device_t dkey, /* Search key */ *device; /* Device */ @@ -3255,14 +3314,16 @@ cups_dnssd_query_cb( * Lookup the service in the devices array. */ - dkey.dest.name = name; - - cups_dnssd_unquote(name, fullName, sizeof(name)); + cups_dnssd_unquote(serviceName, fullName, sizeof(serviceName)); - if ((ptr = strstr(name, "._")) != NULL) + if ((ptr = strstr(serviceName, "._")) != NULL) *ptr = '\0'; - if ((device = cupsArrayFind(data->devices, &dkey)) != NULL) + cups_dnssd_queue_name(name, serviceName, sizeof(name)); + + dkey.dest.name = name; + + if ((device = cupsArrayFind(data->devices, &dkey)) != NULL && device->state == _CUPS_DNSSD_NEW) { /* * Found it, pull out the make and model from the TXT record and save it... @@ -3620,6 +3681,38 @@ cups_dnssd_unquote(char *dst, /* I - Destination buffer */ #endif /* HAVE_DNSSD */ +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) +/* + * 'cups_dnssd_queue_name()' - Create a local queue name based on the service name. + */ + +static void +cups_dnssd_queue_name( + char *name, /* I - Name buffer */ + const char *serviceName, /* I - Service name */ + size_t namesize) /* I - Size of name buffer */ +{ + const char *ptr; /* Pointer into serviceName */ + char *nameptr; /* Pointer into name */ + + + for (nameptr = name, ptr = serviceName; *ptr && nameptr < (name + namesize - 1); ptr ++) + { + /* + * Sanitize the printer name... + */ + + if (_cups_isalnum(*ptr)) + *nameptr++ = *ptr; + else if (nameptr == name || nameptr[-1] != '_') + *nameptr++ = '_'; + } + + *nameptr = '\0'; +} +#endif /* HAVE_DNSSD || HAVE_AVAHI */ + + /* * 'cups_find_dest()' - Find a destination using a binary search. */ ++++++ 0002-Save-work-on-Avahi-code.patch ++++++ >From 657c5b5f91e6d5120c4ad7b118cf9098dd27f03d Mon Sep 17 00:00:00 2001 From: Michael R Sweet <michael.r.sweet(a)gmail.com> Date: Thu, 20 Apr 2017 09:11:45 -0400 Subject: [PATCH] Save work on Avahi code --- cups/dest.c | 64 +++++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 45 insertions(+), 19 deletions(-) diff --git a/cups/dest.c b/cups/dest.c index 54f2a7f..c1a0913 100644 --- a/cups/dest.c +++ b/cups/dest.c @@ -85,6 +85,7 @@ typedef struct _cups_dnssd_data_s /* Enumeration data */ AvahiSimplePoll *simple_poll; /* Polling interface */ AvahiClient *client; /* Client information */ int got_data; /* Did we get data? */ + int browsers; /* How many browsers are running? */ # endif /* HAVE_DNSSD */ cups_dest_cb_t cb; /* Callback */ void *user_data; /* User data pointer */ @@ -102,7 +103,6 @@ typedef struct _cups_dnssd_device_s /* Enumerated device */ AvahiRecordBrowser *ref; /* Browser for query */ # endif /* HAVE_DNSSD */ char *fullName, /* Full name */ -// *serviceName, /* Service name */ *regtype, /* Registration type */ *domain; /* Domain name */ cups_ptype_t type; /* Device registration type */ @@ -1021,12 +1021,15 @@ cupsEnumDests( i > 0 && (!cancel || !*cancel); i --, dest ++) { +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) const char *device_uri; /* Device URI */ +#endif /* HAVE_DNSSD || HAVE_AVAHI */ if (!(*cb)(user_data, i > 1 ? CUPS_DEST_FLAGS_MORE : CUPS_DEST_FLAGS_NONE, dest)) break; +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) if (!dest->instance && (device_uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL && !strncmp(device_uri, "dnssd://", 8)) { /* @@ -1058,13 +1061,17 @@ cupsEnumDests( } } } +#endif /* HAVE_DNSSD || HAVE_AVAHI */ } cupsFreeDests(num_dests, dests); if (i > 0 || msec == 0) { +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) cupsArrayDelete(data.devices); +#endif /* HAVE_DNSSD || HAVE_AVAHI */ + return (1); } @@ -1122,10 +1129,12 @@ cupsEnumDests( return (1); } + data.browsers ++; ipp_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, "_ipp._tcp", NULL, 0, cups_dnssd_browse_cb, &data); # ifdef HAVE_SSL + data.browsers ++; ipps_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, "_ipps._tcp", NULL, 0, cups_dnssd_browse_cb, &data); @@ -1166,7 +1175,7 @@ cupsEnumDests( # else /* HAVE_AVAHI */ data.got_data = 0; - if ((error = avahi_simple_poll_iterate(data.simple_poll, 500)) > 0) + if ((error = avahi_simple_poll_iterate(data.simple_poll, 1000)) > 0) { /* * We've been told to exit the loop. Perhaps the connection to @@ -1176,6 +1185,7 @@ cupsEnumDests( break; } + DEBUG_printf(("1cupsEnumDests: got_data=%d", data.got_data)); # endif /* HAVE_DNSSD */ remaining -= 500; @@ -1227,14 +1237,14 @@ cupsEnumDests( cups_dnssd_query_cb, &data)) != NULL) { + DEBUG_printf(("1cupsEnumDests: browser ref=%p", device->ref)); count ++; } else { device->state = _CUPS_DNSSD_ERROR; - DEBUG_printf(("1cupsEnumDests: Query failed: %s", - avahi_strerror(avahi_client_errno(data.client)))); + DEBUG_printf(("1cupsEnumDests: Query failed: %s", avahi_strerror(avahi_client_errno(data.client)))); } # endif /* HAVE_DNSSD */ } @@ -1256,8 +1266,17 @@ cupsEnumDests( } } +# ifdef HAVE_AVAHI + DEBUG_printf(("1cupsEnumDests: browsers=%d, completed=%d, count=%d, devices count=%d", data.browsers, completed, count, cupsArrayCount(data.devices))); + + if (data.browsers == 0 && completed == cupsArrayCount(data.devices)) + break; +# else + DEBUG_printf(("1cupsEnumDests: completed=%d, count=%d, devices count=%d", completed, count, cupsArrayCount(data.devices))); + if (completed == cupsArrayCount(data.devices)) break; +# endif /* HAVE_AVAHI */ } cupsArrayDelete(data.devices); @@ -2889,11 +2908,12 @@ cups_dnssd_browse_cb( (void)protocol; (void)context; + DEBUG_printf(("cups_dnssd_browse_cb(..., name=\"%s\", type=\"%s\", domain=\"%s\", ...);", name, type, domain)); + switch (event) { case AVAHI_BROWSER_FAILURE: - DEBUG_printf(("cups_dnssd_browse_cb: %s", - avahi_strerror(avahi_client_errno(client)))); + DEBUG_printf(("cups_dnssd_browse_cb: %s", avahi_strerror(avahi_client_errno(client)))); avahi_simple_poll_quit(data->simple_poll); break; @@ -2908,8 +2928,7 @@ cups_dnssd_browse_cb( * This comes from the local machine so ignore it. */ - DEBUG_printf(("cups_dnssd_browse_cb: Ignoring local service \"%s\".", - name)); + DEBUG_printf(("cups_dnssd_browse_cb: Ignoring local service \"%s\".", name)); } else { @@ -2921,9 +2940,13 @@ cups_dnssd_browse_cb( } break; - case AVAHI_BROWSER_REMOVE: - case AVAHI_BROWSER_ALL_FOR_NOW: - case AVAHI_BROWSER_CACHE_EXHAUSTED: + case AVAHI_BROWSER_REMOVE : + case AVAHI_BROWSER_CACHE_EXHAUSTED : + break; + + case AVAHI_BROWSER_ALL_FOR_NOW : + DEBUG_puts("cups_dnssd_browse_cb: ALL_FOR_NOW"); + data->browsers --; break; } } @@ -2945,6 +2968,8 @@ cups_dnssd_client_cb( (void)client; + DEBUG_printf(("cups_dnssd_client_cb(client=%p, state=%d, context=%p)", client, state, context)); + /* * If the connection drops, quit. */ @@ -3214,16 +3239,22 @@ cups_dnssd_poll_cb( int val; /* Return value */ + DEBUG_printf(("cups_dnssd_poll_cb(pollfds=%p, num_pollfds=%d, timeout=%d, context=%p)", pollfds, num_pollfds, timeout, context)); + (void)timeout; - val = poll(pollfds, num_pollfds, 250); + val = poll(pollfds, num_pollfds, 500); + + DEBUG_printf(("cups_dnssd_poll_cb: poll() returned %d", val)); if (val < 0) { DEBUG_printf(("cups_dnssd_poll_cb: %s", strerror(errno))); } else if (val > 0) + { data->got_data = 1; + } return (val); } @@ -3290,11 +3321,7 @@ cups_dnssd_query_cb( return; # else /* HAVE_AVAHI */ - DEBUG_printf(("5cups_dnssd_query_cb(browser=%p, interfaceIndex=%d, " - "protocol=%d, event=%d, fullName=\"%s\", rrclass=%u, " - "rrtype=%u, rdata=%p, rdlen=%u, flags=%x, context=%p)", - browser, interfaceIndex, protocol, event, fullName, rrclass, - rrtype, rdata, (unsigned)rdlen, flags, context)); + DEBUG_printf(("cups_dnssd_query_cb(browser=%p, interfaceIndex=%d, protocol=%d, event=%d, fullName=\"%s\", rrclass=%u, rrtype=%u, rdata=%p, rdlen=%u, flags=%x, context=%p)", browser, interfaceIndex, protocol, event, fullName, rrclass, rrtype, rdata, (unsigned)rdlen, flags, context)); /* * Only process "add" data... @@ -3303,8 +3330,7 @@ cups_dnssd_query_cb( if (event != AVAHI_BROWSER_NEW) { if (event == AVAHI_BROWSER_FAILURE) - DEBUG_printf(("cups_dnssd_query_cb: %s", - avahi_strerror(avahi_client_errno(client)))); + DEBUG_printf(("cups_dnssd_query_cb: %s", avahi_strerror(avahi_client_errno(client)))); return; } ++++++ 0003-Avahi-fixes-for-cupsEnumDests.patch ++++++ >From 3fae3b337df0be1a766857be741173d8a9915da7 Mon Sep 17 00:00:00 2001 From: Michael R Sweet <michael.r.sweet(a)gmail.com> Date: Thu, 20 Apr 2017 10:12:40 -0400 Subject: [PATCH] Avahi fixes for cupsEnumDests (Issue #4989) Also fix timeouts to track elapsed time so the timeout is more accurate. --- cups/dest.c | 70 ++++++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 46 insertions(+), 24 deletions(-) diff --git a/cups/dest.c b/cups/dest.c index c1a0913..48758bf 100644 --- a/cups/dest.c +++ b/cups/dest.c @@ -60,6 +60,10 @@ # define kUseLastPrinter CFSTR("UseLastPrinter") #endif /* __APPLE__ */ +#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) +# define _CUPS_DNSSD_MAXTIME 500 /* Milliseconds for maximum quantum of time */ +#endif /* HAVE_DNSSD || HAVE_AVAHI */ + /* * Types... @@ -211,6 +215,7 @@ static int cups_dnssd_resolve_cb(void *context); static void cups_dnssd_unquote(char *dst, const char *src, size_t dstsize); #endif /* HAVE_DNSSD || HAVE_AVAHI */ +static int cups_elapsed(struct timeval *t); static int cups_find_dest(const char *name, const char *instance, int num_dests, cups_dest_t *dests, int prev, int *rdiff); @@ -942,6 +947,7 @@ cupsEnumDests( int count, /* Number of queries started */ completed, /* Number of completed queries */ remaining; /* Remainder of timeout */ + struct timeval curtime; /* Current time */ _cups_dnssd_data_t data; /* Data for callback */ _cups_dnssd_device_t *device; /* Current device */ # ifdef HAVE_DNSSD @@ -1129,15 +1135,12 @@ cupsEnumDests( return (1); } - data.browsers ++; - ipp_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, - AVAHI_PROTO_UNSPEC, "_ipp._tcp", NULL, - 0, cups_dnssd_browse_cb, &data); + data.browsers = 1; + ipp_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, "_ipp._tcp", NULL, 0, cups_dnssd_browse_cb, &data); + # ifdef HAVE_SSL data.browsers ++; - ipps_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, - AVAHI_PROTO_UNSPEC, "_ipps._tcp", NULL, - 0, cups_dnssd_browse_cb, &data); + ipps_ref = avahi_service_browser_new(data.client, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, "_ipps._tcp", NULL, 0, cups_dnssd_browse_cb, &data); # endif /* HAVE_SSL */ # endif /* HAVE_DNSSD */ @@ -1152,19 +1155,23 @@ cupsEnumDests( * Check for input... */ + DEBUG_printf(("1cupsEnumDests: remaining=%d", remaining)); + + cups_elapsed(&curtime); + # ifdef HAVE_DNSSD # ifdef HAVE_POLL pfd.fd = main_fd; pfd.events = POLLIN; - nfds = poll(&pfd, 1, remaining > 500 ? 500 : remaining); + nfds = poll(&pfd, 1, remaining > _CUPS_DNSSD_MAXTIME ? _CUPS_DNSSD_MAXTIME : remaining); # else FD_ZERO(&input); FD_SET(main_fd, &input); timeout.tv_sec = 0; - timeout.tv_usec = remaining > 500 ? 500000 : remaining * 1000; + timeout.tv_usec = 1000 * (remaining > _CUPS_DNSSD_MAXTIME ? _CUPS_DNSSD_MAXTIME : remaining); nfds = select(main_fd + 1, &input, NULL, NULL, &timeout); # endif /* HAVE_POLL */ @@ -1175,7 +1182,7 @@ cupsEnumDests( # else /* HAVE_AVAHI */ data.got_data = 0; - if ((error = avahi_simple_poll_iterate(data.simple_poll, 1000)) > 0) + if ((error = avahi_simple_poll_iterate(data.simple_poll, _CUPS_DNSSD_MAXTIME)) > 0) { /* * We've been told to exit the loop. Perhaps the connection to @@ -1188,7 +1195,7 @@ cupsEnumDests( DEBUG_printf(("1cupsEnumDests: got_data=%d", data.got_data)); # endif /* HAVE_DNSSD */ - remaining -= 500; + remaining -= cups_elapsed(&curtime); for (device = (_cups_dnssd_device_t *)cupsArrayFirst(data.devices), count = 0, completed = 0; @@ -1227,17 +1234,9 @@ cupsEnumDests( } # else /* HAVE_AVAHI */ - if ((device->ref = avahi_record_browser_new(data.client, - AVAHI_IF_UNSPEC, - AVAHI_PROTO_UNSPEC, - device->fullName, - AVAHI_DNS_CLASS_IN, - AVAHI_DNS_TYPE_TXT, - 0, - cups_dnssd_query_cb, - &data)) != NULL) + if ((device->ref = avahi_record_browser_new(data.client, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, device->fullName, AVAHI_DNS_CLASS_IN, AVAHI_DNS_TYPE_TXT, 0, cups_dnssd_query_cb, &data)) != NULL) { - DEBUG_printf(("1cupsEnumDests: browser ref=%p", device->ref)); + DEBUG_printf(("1cupsEnumDests: Query ref=%p", device->ref)); count ++; } else @@ -1252,6 +1251,8 @@ cupsEnumDests( { completed ++; + DEBUG_printf(("1cupsEnumDests: Query for \"%s\" is complete.", device->fullName)); + if ((device->type & mask) == type) { DEBUG_printf(("1cupsEnumDests: Add callback for \"%s\".", device->dest.name)); @@ -1267,12 +1268,12 @@ cupsEnumDests( } # ifdef HAVE_AVAHI - DEBUG_printf(("1cupsEnumDests: browsers=%d, completed=%d, count=%d, devices count=%d", data.browsers, completed, count, cupsArrayCount(data.devices))); + DEBUG_printf(("1cupsEnumDests: remaining=%d, browsers=%d, completed=%d, count=%d, devices count=%d", remaining, data.browsers, completed, count, cupsArrayCount(data.devices))); if (data.browsers == 0 && completed == cupsArrayCount(data.devices)) break; # else - DEBUG_printf(("1cupsEnumDests: completed=%d, count=%d, devices count=%d", completed, count, cupsArrayCount(data.devices))); + DEBUG_printf(("1cupsEnumDests: remaining=%d, completed=%d, count=%d, devices count=%d", remaining, completed, count, cupsArrayCount(data.devices))); if (completed == cupsArrayCount(data.devices)) break; @@ -3243,7 +3244,7 @@ cups_dnssd_poll_cb( (void)timeout; - val = poll(pollfds, num_pollfds, 500); + val = poll(pollfds, num_pollfds, _CUPS_DNSSD_MAXTIME); DEBUG_printf(("cups_dnssd_poll_cb: poll() returned %d", val)); @@ -3740,6 +3741,27 @@ cups_dnssd_queue_name( /* + * 'cups_elapsed()' - Return the elapsed time in milliseconds. + */ + +static int /* O - Elapsed time in milliseconds */ +cups_elapsed(struct timeval *t) /* IO - Previous time */ +{ + int msecs; /* Milliseconds */ + struct timeval nt; /* New time */ + + + gettimeofday(&nt, NULL); + + msecs = 1000 * (nt.tv_sec - t->tv_sec) + (nt.tv_usec - t->tv_usec) / 1000; + + *t = nt; + + return (msecs); +} + + +/* * 'cups_find_dest()' - Find a destination using a binary search. */

1 0

commit libva for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package libva for openSUSE:Factory checked in at 2017-05-03 15:52:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libva (Old) and /work/SRC/openSUSE:Factory/.libva.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libva" Wed May 3 15:52:59 2017 rev:36 rq:491342 version:1.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libva/libva-gl.changes 2017-04-18 13:48:00.686740145 +0200 +++ /work/SRC/openSUSE:Factory/.libva.new/libva-gl.changes 2017-05-03 15:53:00.779608354 +0200 @@ -1,0 +2,14 @@ +Wed Apr 19 18:56:52 UTC 2017 - chris(a)computersalat.de + +- fix changes file + * add missing changes for 1.8.1 + * fix Version string + +------------------------------------------------------------------- +Tue Apr 18 20:41:00 UTC 2017 - chris(a)computersalat.de + +- Version 1.8.1 - 10.Apr.2017 + * Bump libva to 1.8.1 +- add sha1sum file + +------------------------------------------------------------------- @@ -4 +18 @@ -- update to version 1.8.0 +- Version 1.8.0 - 31.March.2017 --- /work/SRC/openSUSE:Factory/libva/libva.changes 2017-04-18 13:48:00.718735617 +0200 +++ /work/SRC/openSUSE:Factory/.libva.new/libva.changes 2017-05-03 15:53:00.863596497 +0200 @@ -1,0 +2,14 @@ +Wed Apr 19 18:56:52 UTC 2017 - chris(a)computersalat.de + +- fix changes file + * add missing changes for 1.8.1 + * fix Version string + +------------------------------------------------------------------- +Tue Apr 18 20:41:00 UTC 2017 - chris(a)computersalat.de + +- Version 1.8.1 - 10.Apr.2017 + * Bump libva to 1.8.1 +- add sha1sum file + +------------------------------------------------------------------- @@ -4 +18 @@ -- update to version 1.8.0 +- Version 1.8.0 - 31.March.2017 Old: ---- libva-1.8.0.tar.bz2 New: ---- libva-1.8.1.tar.bz2 libva-1.8.1.tar.bz2.sha1sum ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libva-gl.spec ++++++ --- /var/tmp/diff_new_pack.bcwCWF/_old 2017-05-03 15:53:01.663483572 +0200 +++ /var/tmp/diff_new_pack.bcwCWF/_new 2017-05-03 15:53:01.667483008 +0200 @@ -28,14 +28,15 @@ Name: libva-gl %define _name libva -Version: 1.8.0 +Version: 1.8.1 Release: 0 Summary: Video Acceleration (VA) API for Linux License: MIT Group: System/Libraries Url: http://freedesktop.org/wiki/Software/vaapi Source0: http://www.freedesktop.org/software/vaapi/releases/libva/%{_name}-%{version… -Source1: baselibs.conf +Source1: http://www.freedesktop.org/software/vaapi/releases/libva/%{_name}-%{version… +Source2: baselibs.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gcc-c++ BuildRequires: libtool @@ -164,16 +165,6 @@ This package provides the development environment for libva. -#%package -n vaapi-tools -#Summary: Video Acceleration (VA) API for Linux -#Group: System/Libraries -# -#%description -n vaapi-tools -#The libva library implements the Video Acceleration (VA) API for Linux. -#The library loads a hardware dependendent driver. -# -#This is a set of tools around vaapi livrary. - %if %{with wayland} %package -n vaapi-wayland-tools Summary: Video Acceleration (VA) API for Linux - Wayland support @@ -285,21 +276,9 @@ %{_libdir}/pkgconfig/libva*.pc %else -#%files -n vaapi-tools -#%defattr(-,root,root,-) -#%{_bindir}/vainfo -#%{_bindir}/avcenc -#%{_bindir}/h264encode -#%{_bindir}/mpeg2vaenc -#%{_bindir}/mpeg2vldemo -#%{_bindir}/putsurface -#%{_bindir}/loadjpeg -#%{_bindir}/jpegenc - %if %{with wayland} %files -n vaapi-wayland-tools %defattr(-,root,root) -#%{_bindir}/putsurface_wayland %files -n libva-wayland1 %defattr(-, root, root) ++++++ libva.spec ++++++ --- /var/tmp/diff_new_pack.bcwCWF/_old 2017-05-03 15:53:01.691479620 +0200 +++ /var/tmp/diff_new_pack.bcwCWF/_new 2017-05-03 15:53:01.695479056 +0200 @@ -28,14 +28,15 @@ Name: libva %define _name libva -Version: 1.8.0 +Version: 1.8.1 Release: 0 Summary: Video Acceleration (VA) API for Linux License: MIT Group: System/Libraries Url: http://freedesktop.org/wiki/Software/vaapi Source0: http://www.freedesktop.org/software/vaapi/releases/libva/%{_name}-%{version… -Source1: baselibs.conf +Source1: http://www.freedesktop.org/software/vaapi/releases/libva/%{_name}-%{version… +Source2: baselibs.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gcc-c++ BuildRequires: libtool @@ -164,16 +165,6 @@ This package provides the development environment for libva. -#%package -n vaapi-tools -#Summary: Video Acceleration (VA) API for Linux -#Group: System/Libraries -# -#%description -n vaapi-tools -#The libva library implements the Video Acceleration (VA) API for Linux. -#The library loads a hardware dependendent driver. -# -#This is a set of tools around vaapi livrary. - %if %{with wayland} %package -n vaapi-wayland-tools Summary: Video Acceleration (VA) API for Linux - Wayland support @@ -285,21 +276,9 @@ %{_libdir}/pkgconfig/libva*.pc %else -#%files -n vaapi-tools -#%defattr(-,root,root,-) -#%{_bindir}/vainfo -#%{_bindir}/avcenc -#%{_bindir}/h264encode -#%{_bindir}/mpeg2vaenc -#%{_bindir}/mpeg2vldemo -#%{_bindir}/putsurface -#%{_bindir}/loadjpeg -#%{_bindir}/jpegenc - %if %{with wayland} %files -n vaapi-wayland-tools %defattr(-,root,root) -#%{_bindir}/putsurface_wayland %files -n libva-wayland1 %defattr(-, root, root) ++++++ libva-1.8.0.tar.bz2 -> libva-1.8.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libva-1.8.0/NEWS new/libva-1.8.1/NEWS --- old/libva-1.8.0/NEWS 2017-03-31 09:16:22.000000000 +0200 +++ new/libva-1.8.1/NEWS 2017-04-10 10:13:06.000000000 +0200 @@ -1,6 +1,9 @@ -libva NEWS -- summary of user visible changes. 2017-03-31 +libva NEWS -- summary of user visible changes. 2017-04-10 Copyright (C) 2009-2017 Intel Corporation +Version 1.8.1 - 10.Apr.2017 +* Bump libva to 1.8.1 + Version 1.8.0 - 31.March.2017 * Bump VA API version to 0.40 * API: Change vaRenderPicture semantics that vaRenderPicture no longer deletes the passed buffer automatically. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libva-1.8.0/configure new/libva-1.8.1/configure --- old/libva-1.8.0/configure 2017-03-31 09:52:10.000000000 +0200 +++ new/libva-1.8.1/configure 2017-04-10 10:19:39.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libva 1.8.0. +# Generated by GNU Autoconf 2.69 for libva 1.8.1. # # Report bugs to <https://github.com/01org/libva/issues/new>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libva' PACKAGE_TARNAME='libva' -PACKAGE_VERSION='1.8.0' -PACKAGE_STRING='libva 1.8.0' +PACKAGE_VERSION='1.8.1' +PACKAGE_STRING='libva 1.8.1' PACKAGE_BUGREPORT='https://github.com/01org/libva/issues/new' PACKAGE_URL='https://github.com/01org/libva' @@ -1396,7 +1396,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libva 1.8.0 to adapt to many kinds of systems. +\`configure' configures libva 1.8.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1466,7 +1466,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libva 1.8.0:";; + short | recursive ) echo "Configuration of libva 1.8.1:";; esac cat <<\_ACEOF @@ -1608,7 +1608,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libva configure 1.8.0 +libva configure 1.8.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2098,7 +2098,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libva $as_me 1.8.0, which was +It was created by libva $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2964,7 +2964,7 @@ # Define the identity of the package. PACKAGE='libva' - VERSION='1.8.0' + VERSION='1.8.1' cat >>confdefs.h <<_ACEOF @@ -3113,8 +3113,8 @@ LIBVA_MAJOR_VERSION=1 LIBVA_MINOR_VERSION=8 -LIBVA_MICRO_VERSION=0 -LIBVA_VERSION=1.8.0 +LIBVA_MICRO_VERSION=1 +LIBVA_VERSION=1.8.1 @@ -18105,7 +18105,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libva $as_me 1.8.0, which was +This file was extended by libva $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18172,7 +18172,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libva config.status 1.8.0 +libva config.status 1.8.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libva-1.8.0/configure.ac new/libva-1.8.1/configure.ac --- old/libva-1.8.0/configure.ac 2017-03-31 09:15:18.000000000 +0200 +++ new/libva-1.8.1/configure.ac 2017-04-10 10:13:14.000000000 +0200 @@ -42,7 +42,7 @@ # - reset micro version to zero when VA-API major or minor version is changed m4_define([libva_major_version], [m4_eval(va_api_major_version + 1)]) m4_define([libva_minor_version], [m4_eval(va_api_minor_version - 32)]) -m4_define([libva_micro_version], [0]) +m4_define([libva_micro_version], [1]) m4_define([libva_pre_version], [0]) m4_define([libva_version], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libva-1.8.0/doc/Makefile.in new/libva-1.8.1/doc/Makefile.in --- old/libva-1.8.0/doc/Makefile.in 2017-03-31 09:52:08.000000000 +0200 +++ new/libva-1.8.1/doc/Makefile.in 2017-04-10 10:19:38.000000000 +0200 @@ -413,8 +413,8 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -@ENABLE_DOCS_FALSE@uninstall-local: @ENABLE_DOCS_FALSE@install-html-local: +@ENABLE_DOCS_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am ++++++ libva-1.8.1.tar.bz2.sha1sum ++++++ ae1f580d3ca54199393133214ac1e5a66d9cbeb3 libva-1.8.1.tar.bz2

1 0

commit SuSEfirewall2 for openSUSE:Factory
by root＠hilbert.suse.de 03 May '17

03 May '17

Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2017-05-03 15:52:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "SuSEfirewall2" Wed May 3 15:52:53 2017 rev:82 rq:490302 version:3.6.357 Changes: -------- --- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2017-04-07 14:18:19.455468038 +0200 +++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2017-05-03 15:52:54.820449645 +0200 @@ -0,0 +1,34 @@ +------------------------------------------------------------------- +Mon Apr 24 12:19:12 UTC 2017 - matthias.gerstner(a)suse.com + +- implementation of feature FATE#316295: allow incremental update of rpc + rules: + + By calling "/usr/sbin/SuSEfirewall2 update-rpc [-s service]" you can now + cause SuSEfirewall to update its rpc related firewall rules to reflect the + current portmapper state in the system, without affecting the rest of the + firewall rule set. + + This can for example be put in systemd unit files as ExecStartPost + directives, to always keep port mapping rules up to date, for certain rpc + services. Note that you still need to configure the rpc rules in + /etc/sysconfig/SuSEfirewall2 to make this work. See configuration variables: + + FW_SERVICES_DROP_{EXT,INT,DMZ} + FW_SERVICES_ACCEPT_{EXT,INT,DMZ} + FW_SERVICES_{EXT,INT,DMZ}_RPC + +- conntrack helpers: explicitly load kernel module to make sure conntrack + helper rules can be applied and to avoid errors messages if kernel module is + not loaded + +------------------------------------------------------------------- +Tue Apr 18 16:07:56 UTC 2017 - matthias.gerstner(a)suse.com + +Update to new git release 3.6.351: + +- ship ftp-client service file for allowing active ftp client connections + easily. Also fix use of connection tracker helper on kernel >= 4.7 for ftp. + (boo#1034341) + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6.346.tar.bz2 New: ---- SuSEfirewall2-3.6.357.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.Zb8SFr/_old 2017-05-03 15:52:55.740319782 +0200 +++ /var/tmp/diff_new_pack.Zb8SFr/_new 2017-05-03 15:52:55.744319217 +0200 @@ -19,7 +19,7 @@ %define newname SUSEfirewall2 Name: SuSEfirewall2 -Version: 3.6.346 +Version: 3.6.357 Release: 0 Url: http://en.opensuse.org/SuSEfirewall2 PreReq: /bin/sed textutils fileutils grep filesystem ++++++ SuSEfirewall2-3.6.346.tar.bz2 -> SuSEfirewall2-3.6.357.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/Makefile new/SuSEfirewall2-3.6.357/Makefile --- old/SuSEfirewall2-3.6.346/Makefile 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/Makefile 2017-04-24 14:09:10.000000000 +0200 @@ -46,6 +46,7 @@ ln -sf SuSEfirewall2 $(DESTDIR)/etc/sysconfig/network/scripts/firewall install -m 755 SuSEfirewall2-custom.sysconfig $(DESTDIR)/etc/sysconfig/scripts/SuSEfirewall2-custom install -m 644 SuSEfirewall2.service.TEMPLATE $(DESTDIR)/etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE + install -m 644 services/* $(DESTDIR)/etc/sysconfig/SuSEfirewall2.d/services install -m 644 SuSEfirewall2.defaults $(DESTDIR)/usr/share/SuSEfirewall2/defaults/50-default.cfg install -m 644 rpcusers $(DESTDIR)/usr/share/SuSEfirewall2/rpcusers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/SuSEfirewall2 new/SuSEfirewall2-3.6.357/SuSEfirewall2 --- old/SuSEfirewall2-3.6.346/SuSEfirewall2 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/SuSEfirewall2 2017-04-24 14:09:10.000000000 +0200 @@ -57,23 +57,28 @@ $0 basic|stop|close|status|help $0 open ZONE TYPE services... $0 on|off +$0 [-s <service>] update-rpc Options: - start generate and load the firewall filter rules from - /etc/sysconfig/SuSEfirewall2 - stop unload all filter rules - close no incoming network traffic except bootp+ping (for boot security) - basic set basic filter rules that drop all incoming access - test generate and load the filter rules but do not drop any packet but log - to syslog anything which *would* be denied - status print the output of "iptables -nvL" - debug print the iptables command to stdout instead of executing them - log show SuSEfirewall2 related syslog messages in a better readable format - help this output - open open the specified services in the specified zone. You need to - restart SuSEfirewall2 for changes to take effect. - on add SuSEfirewall2 initscripts to boot process and start - off remove SuSEfirwall2 initscripts from boot process and stop + start generate and load the firewall filter rules from + /etc/sysconfig/SuSEfirewall2 + stop unload all filter rules + close no incoming network traffic except bootp+ping (for boot security) + basic set basic filter rules that drop all incoming access + test generate and load the filter rules but do not drop any packet but log + to syslog anything which *would* be denied + status print the output of "iptables -nvL" + debug print the iptables command to stdout instead of executing them + log show SuSEfirewall2 related syslog messages in a better readable format + help this output + open open the specified services in the specified zone. You need to + restart SuSEfirewall2 for changes to take effect. + on add SuSEfirewall2 initscripts to boot process and start + off remove SuSEfirwall2 initscripts from boot process and stop + update-rpc update rules for dynamic RPC services + if -s/--service is specified then only rules for the given + service will be updated, otherwise for all configured RPC + services file FILENAME same as "start" but load alternate config file FILENAME @@ -304,7 +309,7 @@ quiet=1 fi -getopttmp=`/usr/bin/getopt -o hqi: --long help,scriptsdir:,batch,nobatch,file:,debug,test,bootlock,bootunlock,quiet,interface: \ +getopttmp=`/usr/bin/getopt -o hqi:s: --long help,scriptsdir:,batch,nobatch,file:,debug,test,bootlock,bootunlock,quiet,interface:,service: \ -n 'SuSEfirewall2' -- "$@"` [ $? != 0 ] && die 1 "getopt error" @@ -326,6 +331,8 @@ # only used by if-{up,down} scripts to indicate the interface # that changed -i|--interface) up_down_iface="$2"; shift 2 ;; + # only used for update-rpc action + -s|--service) rpc_service="$2"; shift 2 ;; --) shift ; break ;; *) die 1 "getopt error"; ;; esac @@ -349,6 +356,7 @@ boot_init) ACTION="init"; create_bootlock=1 ;; boot_setup) ACTION="start"; remove_bootlock=1 ;; systemd_stop) ACTION="$1"; needconfig=1 ;; + update-rpc) ACTION="$1"; needconfig=1 ;; *) help ;; esac shift @@ -1550,6 +1558,8 @@ # see bsc#986527 function configure_ct_helper() { + # this module is required for checking the helper state + load_modules nfnetlink_cthelper enabled=`getproc net.netfilter.nf_conntrack_helper` if [ "$enabled" -eq 1 ]; then @@ -1560,6 +1570,7 @@ local zone="$1" local related="$2" local module="$3" + local helper_port="" # if no conntrack module is involved we don't have to do anything # same if no related port/protocol is given @@ -1579,8 +1590,14 @@ helper="netbios-ns" ;; h323) + # these are two separate helpers, actually helper="RAS Q.931" ;; + ftp) + helper="$basename" + # control connections on port 21, related on port 20 + helper_port="21" + ;; amanda|ftp|irc|pptp|sane|sip|snmp|tftp) helper="$basename" ;; @@ -1595,6 +1612,11 @@ return fi + # use a special helper port, if required + if [ -n "$helper_port" ]; then + sport="$helper_port" + fi + # all gathered information is collected as colon separated pairs in # this space separated variable. will be used by enable_ct_helper() CT_HELPERS="$CT_HELPERS $helper,$proto,$sport,$zone" @@ -1785,6 +1807,89 @@ esac } +# returns zero if the firewall is currently considered to be running, non-zero +# otherwise +is_firewall_running() +{ + /bin/systemctl -q is-active SuSEfirewall2 || return 1 +} + +# returns a safe identifier to use for the iptables comment module +# input: +# $1: the base identifier to use +# output: +# $id: the resulting id string +comment_id() +{ + id="$1" + # avoid spaces in this label + id=`echo $id | /usr/bin/tr ' ' ','` + id="sfw2.$id" +} + +# return comment options for adding comments to rules +# these comments help to identify rules in later invocations of this script, +# for incrementally removing them, for example +# input +# $1: unique identifier for the comment +# output +# $comment: resulting identifier +comment_pars() +{ + local id + comment_id "$1" + comment="-m comment --comment $id" +} + +# gets the insert position for incremental updates of rule sets during +# update-rpc mode +# +# input +# +# $1: the chain where the insertion shall occur +# +# output +# +# $pos: the insertion number to pass to 'iptables -I <chain> <pos>' +get_insert_pos() +{ + local chain="$1" + local id + comment_id "insert.pos" + # see the comments in drop_all() and remove_matching_rules() for more + # about this + + # just select the first matching rule in case there are multiple ones + # (logging rule for example) + pos=`$IPTABLES_BIN -S "$chain" | /usr/bin/tail -n+2 | /usr/bin/cat -n | /usr/bin/grep "\"$id\"" | /usr/bin/grep -o '^[[:space:]]*[0-9]\+' | /usr/bin/head -n 1` +} + +# get the iptables parameters for inserting an rpc rule to a given chain +# +# input +# +# $1: boolean, whether we're running in update-rpc mode, thus incremental rule +# insertion is required +# $2: the chain where the insertion shall occur +# +# output +# +# $rpc_insert: the parameters to add to iptables to achieve the desired +# insertion +get_rpc_insert_pars() +{ + local update_rpc="$1" + local chain="$2" + + if $update_rpc; then + local pos + get_insert_pos $chain + rpc_insert="-I $chain $pos" + else + rpc_insert="-A $chain" + fi +} + ### IPsec ### parse_ipsec() @@ -1884,10 +1989,15 @@ } # Protect the firewall from the internal network? # +# +# optional parameters: +# $1: mode (currently only update-rpc: don't modify, just collect zones) protect_from_internal() { local iptables zone devs dev chain local newzones= + local mode=$1 + for zone in $input_zones; do if [ "$zone" = "int" -a "$FW_PROTECT_FROM_INTERNAL" = "no" ]; then @@ -1898,7 +2008,15 @@ eval val="\"\$$var\"" fi - if [ "$val" = notrack ]; then + if [ "$val" != notrack -a "$val" != no ]; then + if [ -z "$newzones" ]; then + newzones="$zone" + else + newzones="$newzones $zone" + fi + elif [ "$mode" = "update-rpc" ]; then + continue + elif [ "$val" = notrack ]; then eval devs="\$FW_DEV_$zone" for dev in $devs; do for iptables in "$IPTABLES" "$IP6TABLES"; do @@ -1914,12 +2032,6 @@ $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-ALL " $iptables -A $chain -j "$ACCEPT" done - else - if [ -z "$newzones" ]; then - newzones="$zone" - else - newzones="$newzones $zone" - fi fi done @@ -1942,6 +2054,7 @@ var="FW_SERVICES_ACCEPT_RELATED_`cibiz $zone`" eval services="\"\$$var\"" + local service for service in $services; do IFS=, eval set -- \$service @@ -2101,19 +2214,44 @@ # determine port numbers of rpc services and generate a suitable iptables # parameter fragment # -# parameters: names of rpc services, e.g. ypbind mountd +# parameters: +# $1: names of rpc services, e.g. ypbind mountd +# $2: whether portmapper ports shall be implicitly added (boolean) rpcservicerules() { + # The -rpcinfo script by default implicitly adds extra rules for portmap + # itself. This is because portmap needs to be reached in order for other + # rpc services to work at all. + # In some contexts this generates superfluous portmap rules, however. In + # conjunction with the update-rpc functionality we might end up with a lot + # of redundant rules. Thus we can selectively disabled this implicit + # behaviour. + # It would be better to only explicitly add the portmap rules. But this + # required more refactoring, and also the current solution is buggy: The + # implicit portmap rules don't take source subnet restrictions into + # account. + if [ $# -eq 2 ] && ! $2; then + export NOPORTMAP=1 + fi + perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@" 2>/dev/null + unset NOPORTMAP } -# parameters: REJECT|DROP +# parameters: +# $1: REJECT|DROP +# optional: +# $2: mode (currently only update-rpc) +# $3: service (for update-rpc mode) reject_or_drop_services() { local action="$1" local var local services target service proto net port local iptables zone chain + local mode="$2" selected="$3" + local update_rpc=false + [ "$mode" = "update-rpc" ] && update_rpc=true eval target=\$$action @@ -2121,7 +2259,11 @@ chain=input_$zone var="FW_SERVICES_${action}_`cibiz $zone`" eval services="\"\$$var\"" + + local rpc_insert + get_rpc_insert_pars $update_rpc $chain + local service for service in $services; do IFS=, eval set -- \$service @@ -2137,10 +2279,16 @@ esac if [ "$proto" = "_rpc_" ]; then + [ -n "$selected" -a "$selected" != $port ] && continue + local comment + comment_pars "rpc.$port" rpcservicerules $service | while read ARG; do - $LDC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG - $IPTABLES -A $chain -j "$target" $ARG + $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG + $IPTABLES $rpc_insert $comment -j "$target" $ARG done + elif $update_rpc; then + # don't add any other rules in update rpc mode + continue elif check_proto_port "$proto" "$port" "$sport" "$var"; then for iptables in $iptables; do $LDA $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-$action " @@ -2151,18 +2299,29 @@ done } +# optional parameters +# $1: mode (currently only update-rpc: used for selectively updating RPC +# rules) +# $2: selected service (for mode = update-rpc, to restrict to certain service) accept_services() { local var local services target service proto net local iptables zone chain local ipt_recent_update ipt_recent_set ipt_recent_rcheck + local mode="$1" selected="$2" + local update_rpc=false + [ "$mode" = "update-rpc" ] && update_rpc=true for zone in $input_zones; do chain=input_$zone var="FW_SERVICES_ACCEPT_`cibiz $zone`" eval services="\"\$$var\"" + local rpc_insert + get_rpc_insert_pars $update_rpc $chain + + local service for service in $services; do ipt_recent_update='' ipt_recent_set='' @@ -2204,16 +2363,22 @@ esac if [ "$proto" = "_rpc_" ]; then + [ -n "$selected" -a "$selected" != "$port" ] && continue + local comment + comment_pars "rpc.$port" rpcservicerules $service | while read ARG; do if [ -n "$ipt_recent_set" ]; then - $LDC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck - $IPTABLES -A $chain -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update + $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck + $IPTABLES $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update fi - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC " $ARG - [ -n "$ipt_recent_set" ] && $IPTABLES -A $chain -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set - $IPTABLES -A $chain -j ACCEPT $ARG + $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG + $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG + [ -n "$ipt_recent_set" ] && $IPTABLES $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set + $IPTABLES $rpc_insert $comment -j ACCEPT $ARG done + elif $update_rpc; then + # don't add any other rules in update rpc mode + continue elif check_proto_port "$proto" "$port" "$sport" "$var"; then for iptables in $iptables; do if [ -n "$ipt_recent_set" ]; then @@ -2230,18 +2395,44 @@ done } + +# optional parameters: +# $1: limit the rules to the given service, if given, otherwise all configured +# services are used +# optional envvar: +# add_portmapper: whether to add rules for portmapper itself (boolean, +# default: true) +# update_rpc: whether we're running in update-rpc mode (boolean, default: +# false) allow_rpc_services() { - local zone chain ports - for zone in $input_zones; do - chain=input_$zone - eval ports="\$FW_SERVICES_`cibiz $zone`_RPC" - rpcservicerules $ports | while read ARG; do - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG - $IPTABLES -A $chain -j "$ACCEPT" $ARG + local zone chain services comment + local selected="$1" + [ -z "$add_portmapper" ] && add_portmapper=true + [ -z "$update_rpc" ] && update_rpc=false + + for zone in $input_zones; do + chain=input_$zone + eval services="\$FW_SERVICES_`cibiz $zone`_RPC" + # explicitly add portmapper ourselves, otherwise -rpcinfo will + # add it each time, causing duplicate rules + $add_portmapper && [ ! -z "$services" ] && services="$services portmapper" + + local rpc_insert + get_rpc_insert_pars $update_rpc $chain + + local service + for service in $services; do + # skip not matching services for incremental updates + [ -n "$selected" -a "$selected" != "$service" -a "$service" != "portmapper" ] && continue + comment_pars "rpc.$service" + rpcservicerules $service false | while read ARG; do + $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG + $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG + $IPTABLES $rpc_insert $comment -j "$ACCEPT" $ARG + done + done done - done } allow_ip_services() @@ -2649,6 +2840,8 @@ local zone local drop local chainprefix='input_' + local comment + comment_pars "insert.pos" for iptables in $IPTABLES_LIST; do local icmp_type=icmp @@ -2676,10 +2869,21 @@ # log and drop broadcast/multicast packets separately, only if not # ignored, to not flood other log targets (#155326, #538053, #847193) + # the $comment added here is a marker that helps us to + # find the right insert position for incremental rule + # additions in update-rpc mode. We can't simply append + # the incremental rules, because we have general DROP + # statements at the end, but also should't simply + # prepend incremental rules, because we have some DROP + # statements at the beginning like DROP broadcast in + # the INPUT chain. This here should be a good spot, + # after the initial DROP statements but before the + # final ones. + if [ "$ignore" != 'yes' ]; then - $LDA $iptables -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast + $LDA $iptables -A $chain $comment ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast fi - $iptables -A $chain -j "$DROP" -m pkttype \! --pkt-type unicast + $iptables -A $chain $comment -j "$DROP" -m pkttype \! --pkt-type unicast # some packet types are considered critical if [ -z "$LDC" ]; then @@ -2720,6 +2924,122 @@ # If FW_ROUTE is enabled for IPv4/6 we make sure it's enabled anyways. } +# reads in all config files, prepares script state for further activity +function init_configuration() +{ + parse_zones + parse_interfaces + check_interfaces_unique + autodetect_interfaces + write_status + process_masq_dev + + load_customrules + + check_interfaces + + verify_parameters + #verify_masq_nets + + parse_ipsec + + remove_unused_zones + [ "$FW_ROUTE" != 'no' ] && forward_zones="$all_zones" + input_zones="$all_zones" + saved_input_zones="$input_zones" # need that for fork_to_chains + + parse_configurations +} + +# removes all rules from the separate sfw2 chains that match the given comment +# string +# $1: the comment string to use for finding matching rules. This may also +# contain grep regular expression wildcards to selecting multiple groups of +# comments +function remove_matching_rules() +{ + local id + comment_id "$1" + + # there are different approaches to remove inidividual rules again. + # the default is that we'd need to specify the complete rule to + # iptables -D, which is pretty cumbersome. An alternative is to + # specify the rule number in the chain, that we want to delete + + # the rule number is not fixed, when removing a rule in the middle + # then the numbers of all following rules change. thus it also isn't + # race free if multiple programs modify the tables. This is true for + # many things regarding iptables, however. + + # we use the rule number approach here. + # iptables -L --line shows the rule numbers, however for all chains. + # this is difficult to process for us. + # iptables -S shows the rules from a given chain, but doesn't support + # the --line parameter >:-( + + # - the first rule from iptables -S is to be ignored (it's the chain + # creation rule). + # - cat prints us the numbers + # - grep filters the rules we want + # - ... and extracts the rule numbers + # - tac reverses the numbers so we start with the highest + # rule numbers first, to prevent the renumbering of rules hitting + # us. + + for zone in $all_zones; do + for chain in input forward; do + chain="${chain}_${zone}" + # use IPTABLES_BIN here, to avoid iptables-batch + # handling that breaks when we want to parse the + # iptables output, or calculate rule numbers in + # get_rpc_insert_pars + for rulenr in `$IPTABLES_BIN -S $chain | /usr/bin/tail -n +2 | /usr/bin/cat -n | /usr/bin/grep "\"$id\"" | /usr/bin/grep -o '^[[:space:]]*[0-9]\+' | /usr/bin/tac`; do + $IPTABLES_BIN -D $chain $rulenr + done + done + done +} + +# called in update-rpc mode: +# - remove any currently active rules for the selected rpc services +# - reinstate the rules based on updated port mapper information +# $1: the rpc_service to update, or empty for all services currently +# configured +function update_rpc() +{ + local service="$1" + local pattern="$service" + + # wildcard all rpc comments if no special service is selected + [ -z "$pattern" ] && pattern='[^"]\+' + + remove_matching_rules "rpc.$pattern" + # necessary to reduce the input_zones to the necessary amount + protect_from_internal "update-rpc" + + local action + for action in DROP REJECT; do + reject_or_drop_services $action "update-rpc" $service + done + + # don't add the portmapper rules if we're doing a selective rpc + # service update and the rules are already in place + # - except if the service is the portmapper itself, in which case we + # want to process it, of course + local add_portmapper=true + if [ -n "$service" -a "$service" != "portmapper" ]; then + local id + comment_id "rpc.portmapper" + $IPTABLES_BIN -L | grep -q "$id" + [ $? -eq 0 ] && add_portmapper=false + fi + + add_portmapper=$add_portmapper update_rpc=true allow_rpc_services $service + accept_services "update-rpc" $service + + [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch +} + ############################################ # # # Now we begin to set the filter rules ... # @@ -2822,32 +3142,22 @@ die 1 "failed to execute $OPENHELPER" fi +if [ "$ACTION" = "update-rpc" ]; then + init_configuration + if ! is_firewall_running; then + die 1 "SuSEfirewall2 is not running, no rpc update possible" + else + message "Updating rules for ${rpc_service:-every} rpc service" + fi + update_rpc $rpc_service + die 0 +fi + ### main mode ### message "Setting up rules from $FWCONFIG ..." -parse_zones -parse_interfaces -check_interfaces_unique -autodetect_interfaces -write_status -process_masq_dev - -load_customrules - -check_interfaces - -verify_parameters -#verify_masq_nets - -parse_ipsec - -remove_unused_zones -[ "$FW_ROUTE" != 'no' ] && forward_zones="$all_zones" -input_zones="$all_zones" -saved_input_zones="$input_zones" # need that for fork_to_chains - -parse_configurations +init_configuration # Set default rules + flush set_basic_rules @@ -2959,4 +3269,4 @@ # END # die 0 "Firewall rules successfully set" -# vim: sw=4 +# vim: fo-=t diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/SuSEfirewall2-rpcinfo new/SuSEfirewall2-3.6.357/SuSEfirewall2-rpcinfo --- old/SuSEfirewall2-3.6.346/SuSEfirewall2-rpcinfo 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/SuSEfirewall2-rpcinfo 2017-04-24 14:09:10.000000000 +0200 @@ -4,18 +4,18 @@ # Copyright (C) 2005-2011 SUSE LINUX Products GmbH # # Author: Ludwig Nussel -# +# # Please send feedback via http://www.suse.de/feedback # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, @@ -147,7 +147,7 @@ close FILE; # always also add portmapper - if($ret && !exists $services{'portmapper'}) + if($ret && !defined $ENV{"NOPORTMAP"} && !exists $services{'portmapper'}) { push @{$services{'portmapper'}}, { tcp => [111], udp => [111] }; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6.357/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6.346/SuSEfirewall2.sysconfig 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/SuSEfirewall2.sysconfig 2017-04-24 14:09:10.000000000 +0200 @@ -790,7 +790,7 @@ # If you want to drop broadcasts however ignore the annoying log entries, set # FW_IGNORE_FW_BROADCAST_* to yes. # -# Note that if you allow specifc ports here it just means that broadcast +# Note that if you allow specific ports here it just means that broadcast # packets for that port are not dropped. You still need to set # FW_SERVICES_*_UDP to actually allow regular unicast packets to # reach the applications. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/obs/mkpackage new/SuSEfirewall2-3.6.357/obs/mkpackage --- old/SuSEfirewall2-3.6.346/obs/mkpackage 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/obs/mkpackage 2017-04-24 14:09:10.000000000 +0200 @@ -1,9 +1,15 @@ #!/bin/bash set -e shopt -s nullglob -name="`pwd -P`" -name=${name##*/} -name=${name%%.*} +# when running from git with multiple worktrees then deducing the name via pwd +# doesn't suffice any more. Thus allow to provide the package name on cmdline +if [ $# -eq 1 ]; then + name="$1" +else + name="`pwd -P`" + name=${name##*/} + name=${name%%.*} +fi dstdir="package" src="$PWD" if [ ! -d "$dstdir/.osc" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/obs/mktar new/SuSEfirewall2-3.6.357/obs/mktar --- old/SuSEfirewall2-3.6.346/obs/mktar 2017-03-20 18:10:06.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/obs/mktar 2017-04-24 14:09:10.000000000 +0200 @@ -2,7 +2,7 @@ set -e NAME=SuSEfirewall2 VERSION=3.6 -revs=`git rev-list master|wc -l` +revs=`git rev-list HEAD|wc -l` # there are two empty commits in svn were not converted to git # commits so increase revs by two let revs=revs+2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.346/services/ftp-client new/SuSEfirewall2-3.6.357/services/ftp-client --- old/SuSEfirewall2-3.6.346/services/ftp-client 1970-01-01 01:00:00.000000000 +0100 +++ new/SuSEfirewall2-3.6.357/services/ftp-client 2017-04-24 14:09:10.000000000 +0200 @@ -0,0 +1,5 @@ +## Name: FTP client active mode +## Description: allows data connection from FTP server in active mode + +RELATED="0/0,tcp,20" +MODULES="nf_conntrack_ftp"

1 0