Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2024-10-31 16:08:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ghostscript" Thu Oct 31 16:08:37 2024 rev:69 rq:1219571 version:10.04.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2024-10-23 21:08:28.278189828 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.2020/ghostscript.changes 2024-10-31 16:08:44.449495004 +0100 @@ -1,0 +2,11 @@ +Wed Oct 30 12:27:04 UTC 2024 - Johannes Meixner <jsmeix@suse.com> + +- Enhanced entry below dated "Wed Oct 23 08:54:59 UTC 2024" + by adding the individual "bsc" numbers for each CVE, see + https://bugzilla.suse.com/show_bug.cgi?id=1232173#c4 + and by adding the "IMPORTANT" change in Ghostscript 10.04.0 +- spec file cleanup: removed the special cases for SLE12 + i.e. rely on "suse_version >= 1500" as given precondition + (recent Ghostscript versions fail to build in SLE12 anyway) + +------------------------------------------------------------------- 
@@ -4,8 +15,24 @@ -- update to 10.04.0 (bsc#1232173): - * Amongst other general bugs fixes, this release addresses: - + CVE-2024-46951 - + CVE-2024-46952 - + CVE-2024-46953 - + CVE-2024-46954 - + CVE-2024-46955 - + CVE-2024-46956 +- Version upgrade to 10.04.0 (bsc#1232173): + Highlights in this release include: + See 'Recent Changes in Ghostscript' at Ghostscript upstream + https://ghostscript.readthedocs.io/en/gs10.04.0/News.html + * This release addresses: + + CVE-2024-46951 (bsc#1232265) + + CVE-2024-46952 (bsc#1232266) + + CVE-2024-46953 (bsc#1232267) + + CVE-2024-46954 (bsc#1232268) + + CVE-2024-46955 (bsc#1232269) + + CVE-2024-46956 (bsc#1232270) + * IMPORTANT: In this release (10.04.0) + we (i.e. Ghostscript upstream) have be added + protection for device selection from PostScript input. + This will mean that, by default, only the device specified + on the command line will be permitted. Similar to the file + permissions, there will be a "--permit-devices=" allowing + a comma separation list of allowed devices. This will also + take a single wildcard "*" allowing any device. + Any application which relies on allowing PostScript + to change devices during a job will have to be aware, + and take action to deal with this change. + The exception is "nulldevice", switching to that requires + no special action. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.E3j9QS/_old 2024-10-31 16:08:45.369533394 +0100 +++ /var/tmp/diff_new_pack.E3j9QS/_new 2024-10-31 16:08:45.369533394 +0100 @@ -1,5 +1,5 @@ # -# spec file for package ghostscript +# spec file # # Copyright (c) 2024 SUSE LLC # 
@@ -30,8 +30,15 @@ License: AGPL-3.0-only Group: Productivity/Office/Other URL: https://www.ghostscript.com/ -# use "osc service manualrun" to fetch +# Use "osc service manualrun" to fetch Source0: Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-%{version}.tar.gz +# How to manually (i.e. without "osc service") find the Source0 URL at Ghostscript upstream +# (example for the Ghostscript 10.03.1 release): +# Go to https://www.ghostscript.com +# -> "The current Ghostscript release 10.03.1 can be downloaded here" https://www.ghostscript.com/releases/index.html +# -> "Ghostscript" https://www.ghostscript.com/releases/gsdnld.html +# -> "Ghostscript 10.03.1 Source for all platforms / GNU Affero General Public License" = "Ghostscript AGPL Release" +# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10... Source10: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: @@ -52,7 +59,7 @@ BuildRequires: update-alternatives BuildRequires: zlib-devel Requires(post): update-alternatives -Requires(preun): update-alternatives +Requires(preun):update-alternatives # Provide the additional RPM Provides of the ghostscript-library package # (ghostscript_x11 is provided by the ghostscript-x11 sub-package, see below). # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any" @@ -66,6 +73,7 @@ # in openSUSE products, cf. https://build.opensuse.org/request/show/877083 Provides: ghostscript_any = %{version} %if "%{flavor}" != "mini" +BuildRequires: cups-devel BuildRequires: dbus-1-devel BuildRequires: libexpat-devel BuildRequires: xorg-x11-fonts 
@@ -75,18 +83,11 @@ BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xproto) BuildRequires: pkgconfig(xt) -%if 0%{?suse_version} == 1315 -BuildRequires: cups154-devel -%else -BuildRequires: cups-devel -%endif %if %{with apparmor} -%if 0%{?suse_version} >= 1500 BuildRequires: apparmor-abstractions BuildRequires: apparmor-rpm-macros %endif %endif -%endif # Always check if latest version of openjpeg becomes compatible with ghostscript %if 0%{?suse_version} >= 1550 BuildRequires: pkgconfig(libopenjp2) >= 2.3.1 @@ -108,10 +109,8 @@ # The "Obsoletes: ghostscript-mini" is intentionally unversioned because # this package ghostscript should replace any version of ghostscript-mini. Obsoletes: ghostscript-mini -%if 0%{?suse_version} > 1210 Recommends: (cups-filters-ghostscript if cups) %endif -%endif %description Ghostscript is a package of software that provides: @@ -325,11 +324,9 @@ /sbin/ldconfig %if %{with apparmor} %if "%{flavor}" != "mini" -%if 0%{?suse_version} >= 1500 %apparmor_reload %{_sysconfdir}/apparmor.d/ghostscript %endif %endif -%endif %{_sbindir}/update-alternatives \ --install %{_bindir}/gs gs %{_bindir}/gs.bin 15 @@ -408,9 +405,6 @@ %if "%{flavor}" != "mini" %exclude %{_libdir}/ghostscript/%{version}/X11.so %if %{with apparmor} -%if 0%{?suse_version} < 1500 -%dir %{_sysconfdir}/apparmor.d -%endif %{_sysconfdir}/apparmor.d/ghostscript %endif
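Review bot: In the ghostscript.changes hunk at "@@ -4,8 +15,24 @@", the added IMPORTANT paragraph has two wording slips: "have be added protection" should read "have added protection", and "a comma separation list" should read "a comma separated list". Because this entry announces a default-behaviour change (only the device given on the command line is permitted), it would also help to say outright that "--permit-devices=*" lifts the restriction again, so that the wildcard is not read as the recommended way to adapt callers.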
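Review bot: In the ghostscript.spec hunk at "@@ -30,8 +30,15 @@", the new comment block walks through locating the tarball for the 10.03.1 release while the Source0 line directly above it points at the gs10040 download, and it does not say how the fetched tarball is checked. Suggest either using the packaged version in the walk-through or stating that the steps are the same for every release, and adding one comment line on how the download is verified (for example against a checksum, if upstream publishes one).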
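Review bot: In the ghostscript.spec hunk at "@@ -52,7 +59,7 @@", the changed line "Requires(preun):update-alternatives" loses the whitespace after the colon, while the neighbouring "Requires(post): update-alternatives" keeps it. RPM parses both forms, but the tag and value should stay separated and aligned like the surrounding lines; if a spec formatter produced this, a longer tag column would avoid it.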
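Review bot: The ghostscript.spec hunk at "@@ -75,18 +83,11 @@" removes the "%if 0%{?suse_version} >= 1500" guard around the apparmor BuildRequires (and the hunk at "@@ -325,11 +324,9 @@" does the same for %apparmor_reload), but nothing in the visible lines enforces the ">= 1500" precondition that the changelog says is now assumed. Suggest one early guard that stops the build with a clear message when suse_version is below 1500, for example via "%{error:...}", so that a build against an older target fails with an explanation instead of a missing apparmor-rpm-macros dependency or an undefined macro.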
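Review bot: In the ghostscript.spec hunk at "@@ -408,9 +405,6 @@", dropping the "%dir %{_sysconfdir}/apparmor.d" entry leaves "%{_sysconfdir}/apparmor.d/ghostscript" packaged without this package owning its parent directory. The visible lines only show apparmor-abstractions as a BuildRequires, so it is worth confirming that a package installed at run time owns %{_sysconfdir}/apparmor.d on every remaining target, and noting that in a comment next to the %files entry.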