Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2018-09-26 15:59:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ghostscript" Wed Sep 26 15:59:35 2018 rev:33 rq:635773 version:9.25 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2018-06-08 23:11:39.920298005 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-mini.changes 2018-09-26 15:59:40.072676627 +0200 @@ -1,0 +2,163 @@ +Fri Sep 14 10:47:33 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.25 + For the highlights in this release see the highlights in the + 9.25rc1 first release candidate for 9.25 entry below. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + For a release summary see: + http://www.ghostscript.com/doc/9.25/News.htm + For details see the News.htm and History9.htm files. + The Ghostscript 9.25 release should fix (see below) + in particular those security issues: + * CVE-2018-15909: shading_param incomplete type checking + https://bugs.ghostscript.com/show_bug.cgi?id=699660 + https://bugzilla.suse.com/show_bug.cgi?id=1106172 bsc#1106172 + * CVE-2018-15908: .tempfile file permission issues + https://bugs.ghostscript.com/show_bug.cgi?id=699657 + https://bugzilla.suse.com/show_bug.cgi?id=1106171 bsc#1106171 + * CVE-2018-15910: LockDistillerParams type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=699656 + https://bugzilla.suse.com/show_bug.cgi?id=1106173 bsc#1106173 + * CVE-2018-15911: uninitialized memory access in the aesdecode + https://bugs.ghostscript.com/show_bug.cgi?id=699665 + https://bugzilla.suse.com/show_bug.cgi?id=1106195 bsc#1106195 + * CVE-2018-16513: setcolor missing type check + https://bugs.ghostscript.com/show_bug.cgi?id=699655 + https://bugzilla.suse.com/show_bug.cgi?id=1107412 bsc#1107412 + * CVE-2018-16509: /invalidaccess bypass after failed restore + https://bugs.ghostscript.com/show_bug.cgi?id=699654 + https://bugzilla.suse.com/show_bug.cgi?id=1107410 bsc#1107410 + * CVE-2018-16510: Incorrect exec stack handling in the "CS" + and "SC" PDF primitives + https://bugs.ghostscript.com/show_bug.cgi?id=699671 + https://bugzilla.suse.com/show_bug.cgi?id=1107411 bsc#1107411 + * CVE-2018-16542: .definemodifiedfont memory corruption + if /typecheck is handled + https://bugs.ghostscript.com/show_bug.cgi?id=699668 + https://bugzilla.suse.com/show_bug.cgi?id=1107413 bsc#1107413 + * CVE-2018-16541 incorrect free logic in pagedevice replacement + https://bugs.ghostscript.com/show_bug.cgi?id=699664 + https://bugzilla.suse.com/show_bug.cgi?id=1107421 bsc#1107421 + * CVE-2018-16540 use-after-free in copydevice handling + https://bugs.ghostscript.com/show_bug.cgi?id=699661 + https://bugzilla.suse.com/show_bug.cgi?id=1107420 bsc#1107420 + * CVE-2018-16539: incorrect access checking in temp file + handling to disclose contents of files + https://bugs.ghostscript.com/show_bug.cgi?id=699658 + https://bugzilla.suse.com/show_bug.cgi?id=1107422 bsc#1107422 + * CVE-2018-16543: gssetresolution and gsgetresolution allow + for unspecified impact + https://bugs.ghostscript.com/show_bug.cgi?id=699670 + https://bugzilla.suse.com/show_bug.cgi?id=1107423 bsc#1107423 + * CVE-2018-16511: type confusion in "ztype" could be used by + remote attackers able to supply crafted PostScript to crash + the interpreter or possibly have unspecified other impact + https://bugs.ghostscript.com/show_bug.cgi?id=699659 + https://bugzilla.suse.com/show_bug.cgi?id=1107426 bsc#1107426 + * CVE-2018-16585 .setdistillerkeys PostScript command is + accepted even though it is not intended for use + https://bugzilla.suse.com/show_bug.cgi?id=1107581 bsc#1107581 + * CVE-2018-16802: Incorrect"restoration of privilege" checking + when running out of stack during exceptionhandling could be + used by attackers able to supply crafted PostScript to execute + code using the "pipe" instruction. This is due to an incomplete + fix for CVE-2018-16509 + https://bugs.ghostscript.com/show_bug.cgi?id=699714 + https://bugs.ghostscript.com/show_bug.cgi?id=699718 + https://bugzilla.suse.com/show_bug.cgi?id=1108027 bnc#1108027 + Regarding what the above "should fix" means: + PostScript is a general purpose Turing-complete programming + language (cf. https://en.wikipedia.org/wiki/PostScript) + that supports in particular file access on the system disk. + When Ghostscript processes PostScript it runs a PostScript + program as the user who runs Ghostscript. + When Ghostscript processes an arbitrary PostScript file, + the user who runs Ghostscript runs an arbitrary program + which can do anything on the system where Ghostscript runs + that this user is allowed to do on that system. + To make it safer when Ghostscript runs a PostScript program + the Ghostscript command line option '-dSAFER' disables + certain file access functionality, for details see + /usr/share/doc/ghostscript/9.25/Use.htm + Its name 'SAFER' says everything: It makes it 'safer' + to let Ghostscript run a PostScript program, + but it does not make it completely safe. + In theory software is safe against misuse (i.e. has no bugs). + In practice there is an endless sequence of various kind of + security issues (i.e. software can be misused to do more than + what is intended) that get fixed issue by issue ad infinitum. + In the end all that means: + In practice the user who runs Ghostscript must not let it + process arbitrary PostScript files from untrusted origin. + In particular Ghostscript is usually run when printing + documents (with the '-dSAFER' option set), see the part about + "It is crucial to limit access to CUPS to trusted users" in + https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings + +------------------------------------------------------------------- +Thu Sep 13 14:14:39 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.25rc1 (first release candidate for 9.25). + Highlights in this release include: + * This release fixes problems with argument handling, some + unintended results of the security fixes to the SAFER file + access restrictions (specifically accessing ICC profile files), + and some additional security issues over the 9.24 release. + * Security issues have been the primary focus of this release, + including solving several (well publicised) real + and potential exploits. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * Avoid that ps2epsi fails with + 'Error: /undefined in --setpagedevice--' + Recent changes required to harden SAFER mode mean that + it is no longer possible to run ps2epsi in SAFER mode, + because it relies upon unsafe Ghostscript non-standard + extension operators. + Removing SAFER and DELAYSAFER, and the code to reset SAFER, + allow ps2epsi to run as well as it ever did (ie badly). + This program (i.e. ps2epsi) should now be considered unsafe, + you should not use it on untrusted PostScript programs. + Likely we (i.e. Ghostscript upstream) will deprecate and + remove this program in future. + For details see the News.htm and History9.htm files. + Regarding installing packages (in particular release candidates) + from the openSUSE build service development project "Printing" + see https://build.opensuse.org/project/show/Printing + +------------------------------------------------------------------- +Thu Sep 13 10:25:21 CEST 2018 - jsmeix@suse.de + +- Version upgrade to 9.24 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) + real and potential exploits. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * As well as Ghostscript itself, jbig2dec has had a significant + amount of work improving its robustness in the face of + out specification files. + * IMPORTANT: We (i.e. Ghostscript upstream) are in the process + of forking LittleCMS. LCMS2 is not thread safe, and cannot + be made thread safe without breaking the ABI. Our fork + will be thread safe, and include performance enhancements + (these changes have all be been offered and rejected upstream). + We will maintain compatibility between Ghostscript and LCMS2 + for a time, but not in perpetuity. Our fork will be available + as its own package separately from Ghostscript (and MuPDF). + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.24/News.htm + For details see the News.htm and History9.htm files. +- fix_ln_docdir_gsdatadir.patch is no longer needed + because the issue is fixed in the upstream sources. +- CVE-2018-10194.patch is no longer needed + because the issue is fixed in the upstream sources. + +------------------------------------------------------------------- ghostscript.changes: same change Old: ---- CVE-2018-10194.patch fix_ln_docdir_gsdatadir.patch ghostscript-9.23.tar.gz New: ---- ghostscript-9.25.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.VtE39w/_old 2018-09-26 15:59:41.656673872 +0200 +++ /var/tmp/diff_new_pack.VtE39w/_new 2018-09-26 15:59:41.660673866 +0200 @@ -37,53 +37,44 @@ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.22pre23rc1 +#Version: 9.24pre25rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.23 +Version: 9.25 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): %define tarball_version %{version} -#define tarball_version 9.23rc1 +#define tarball_version 9.25rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#define built_version 9.23 +#define built_version 9.25 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... -# How to download it: -# wget -O ghostscript-9.23rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# URL for Source0: +# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# URL for MD5 checksums: +# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.23.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... # URL for MD5 checksums: -# wget -O gs923.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... -# MD5 checksum for Source0: 5a47ab47cd22dec1eb5f51c06f1c9d9c +# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: -# Avoid -# ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc -# ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory -# base/unixinst.mak:162: recipe for target 'install-doc' failed -# make[1]: *** [install-doc] Error 1 -Patch12: fix_ln_docdir_gsdatadir.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch -# Patch101 fixes stack-based buffer overflow in gdevpdts.c -# see https://bugzilla.suse.com/show_bug.cgi?id=1090099 -# and https://bugs.ghostscript.com/show_bug.cgi?id=699255 -# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32... -Patch101: CVE-2018-10194.patch # RPM dependencies: Conflicts: ghostscript Conflicts: ghostscript-x11 @@ -142,23 +133,12 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Avoid -# ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc -# ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory -# base/unixinst.mak:162: recipe for target 'install-doc' failed -# make[1]: *** [install-doc] Error 1 -%patch12 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig -# Patch101 fixes stack-based buffer overflow in gdevpdts.c -# see https://bugzilla.suse.com/show_bug.cgi?id=1090099 -# and https://bugs.ghostscript.com/show_bug.cgi?id=699255 -# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32... -%patch101 -b CVE-2018-10194.orig # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.VtE39w/_old 2018-09-26 15:59:41.676673837 +0200 +++ /var/tmp/diff_new_pack.VtE39w/_new 2018-09-26 15:59:41.676673837 +0200 @@ -57,53 +57,44 @@ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.22pre23rc1 +#Version: 9.24pre25rc1 # Normal version for Ghostscript releases is the upstream version: -Version: 9.23 +Version: 9.25 Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): %define tarball_version %{version} -#define tarball_version 9.23rc1 +#define tarball_version 9.25rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): %define built_version %{version} -#define built_version 9.23 +#define built_version 9.25 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases -# URL for Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... -# How to download it: -# wget -O ghostscript-9.23rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# URL for Source0: +# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# URL for MD5 checksums: +# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz #Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.23.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... # URL for MD5 checksums: -# wget -O gs923.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... -# MD5 checksum for Source0: 5a47ab47cd22dec1eb5f51c06f1c9d9c +# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs92... +# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: -# Avoid -# ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc -# ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory -# base/unixinst.mak:162: recipe for target 'install-doc' failed -# make[1]: *** [install-doc] Error 1 -Patch12: fix_ln_docdir_gsdatadir.patch # Source100...Source999 is for sources from SUSE which are not intended for upstream: # Patch100...Patch999 is for patches from SUSE which are not intended for upstream: # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch -# Patch101 fixes stack-based buffer overflow in gdevpdts.c -# see https://bugzilla.suse.com/show_bug.cgi?id=1090099 -# and https://bugs.ghostscript.com/show_bug.cgi?id=699255 -# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32... -Patch101: CVE-2018-10194.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -278,23 +269,12 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} -# Avoid -# ln -s /home/abuild/rpmbuild/BUILDROOT/ghostscript-9.22pre23rc1-104.1.i386/usr/share/doc/ghostscript/9.23 /usr/share/ghostscript/9.23/doc -# ln: failed to create symbolic link '/usr/share/ghostscript/9.23/doc': No such file or directory -# base/unixinst.mak:162: recipe for target 'install-doc' failed -# make[1]: *** [install-doc] Error 1 -%patch12 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig -# Patch101 fixes stack-based buffer overflow in gdevpdts.c -# see https://bugzilla.suse.com/show_bug.cgi?id=1090099 -# and https://bugs.ghostscript.com/show_bug.cgi?id=699255 -# and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32... -%patch101 -b CVE-2018-10194.orig # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig ++++++ ghostscript-9.23.tar.gz -> ghostscript-9.25.tar.gz ++++++ /work/SRC/openSUSE:Factory/ghostscript/ghostscript-9.23.tar.gz /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-9.25.tar.gz differ: char 5, line 1