Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package texlive for openSUSE:Factory checked in at 2026-04-16 17:25:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/texlive (Old) and /work/SRC/openSUSE:Factory/.texlive.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "texlive"
Thu Apr 16 17:25:17 2026 rev:115 rq:1347091 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Factory/texlive/texlive.changes 2026-04-07 16:46:18.802113476 +0200
+++ /work/SRC/openSUSE:Factory/.texlive.new.11940/texlive.changes 2026-04-16 17:25:36.456067178 +0200
@@ -1,0 +2,23 @@
+Wed Apr 15 07:54:52 UTC 2026 - Dr. Werner Fink <[email protected]>
+
+- Add upstream patch source-tl-r78399.dif
+ * Fix report on tlsecurity
+
+-------------------------------------------------------------------
+Tue Apr 14 15:21:50 UTC 2026 - Dr. Werner Fink <[email protected]>
+
+- Modify patch source-dvipdfmx.dif with the code change from Fabian
+
+-------------------------------------------------------------------
+Tue Apr 14 08:58:01 UTC 2026 - Dr. Werner Fink <[email protected]>
+
+- Add patch source-dvipdfmx.dif to make test in dvipdfmx tree
+ work even on s390x (boo#1262008)
+
+-------------------------------------------------------------------
+Tue Apr 14 07:56:30 UTC 2026 - Dr. Werner Fink <[email protected]>
+
+- Correct cflags() shell function usage to catch g++ case as
+ well ... here to use -std=g++17 (boo#1262013)
+
+-------------------------------------------------------------------
New:
----
source-dvipdfmx.dif
source-tl-r78399.dif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ texlive.spec ++++++
--- /var/tmp/diff_new_pack.iL1XWc/_old 2026-04-16 17:25:38.860166224 +0200
+++ /var/tmp/diff_new_pack.iL1XWc/_new 2026-04-16 17:25:38.864166390 +0200
@@ -19,7 +19,7 @@
 %define texlive_version 2026
 %define texlive_previous 2025
 %define texlive_release 20260301
-%define texlive_noarch 222
+%define texlive_noarch 226
 %define texlive_source texlive-20260301-source
 %define biber_version 2.21
@@ -79,7 +79,7 @@
 Version: %{texlive_version}.%{texlive_release}
 Release: 0
 Summary: The TeXLive Formatting System
-License: Apache-2.0 AND Artistic-1.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND LPPL-1.3c AND LPPL-1.0 AND MIT AND BSD-3-Clause AND SUSE-TeX AND SUSE-Public-Domain
+License: Apache-2.0 AND Artistic-1.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND LPPL-1.3c AND LPPL-1.0 AND MIT AND BSD-3-Clause AND SUSE-TeX AND LicenseRef-SUSE-Public-Domain
 Group: Productivity/Publishing/TeX/Base
 URL: https://www.tug.org/texlive/
 PreReq: %{name}-filesystem >= %{texlive_version}
@@ -310,6 +310,8 @@
 Patch11: source-lacheck.dif
 Patch12: source-warns.dif
 Patch13: source-x11r7.dif
+Patch14: source-dvipdfmx.dif
+Patch15: source-tl-r78399.dif
 Patch17: source-64.dif
 Patch18: source-a2ping.dif
 Patch19: source-dvipng.dif
@@ -4372,7 +4374,7 @@
 esac > /dev/null 2>&1
 }
 cflags -std=gnu11 XCFLAGS
- cflags -std=gnu++14 XCXXFLAGS
+ cflags -std=gnu++17 XCFLAGS XCXXFLAGS
 cflags -fno-const-strings XCFLAGS XCXXFLAGS
 cflags -fno-strict-aliasing XCFLAGS XCXXFLAGS
 cflags -fPIC XCFLAGS XCXXFLAGS
@@ -4487,6 +4489,8 @@
 %patch -P11 -p0 -b .lacheck
 %patch -P12 -p0 -b .warns
 %patch -P13 -p0 -b .x11r7
+%patch -P14 -p0 -b .s390
+%patch -P15 -p0 -b .r78399
 %patch -P17 -p0 -b .64
 %patch -P18 -p0 -b .a2p
 %patch -P19 -p0 -b .dvipng
++++++ source-dvipdfmx.dif ++++++
On s390x which in fact is a big endian the number of byte in the multi_incl.pdf is one byte more then the upstream used 85010. The resulting multi_incl.pdf can be used as test with qpdfview shows.
---
 texk/dvipdfm-x/dvipdfmx-incl.test | 2 +-
 texk/dvipdfm-x/pdffont.c | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)
--- texk/dvipdfm-x/dvipdfmx-incl.test
+++ texk/dvipdfm-x/dvipdfmx-incl.test 2026-04-14 08:52:49.055185431 +0000
@@ -26,7 +26,7 @@ $_xdvipdfmx --dvipdfmx -vv -f psfonts.ma
 || failed="$failed multi-incl"
 filesize=`ls -l multi_incl.pdf | awk '{print $5}'`
-if [ "$filesize" -gt 85010 ]; then
+if [ "$filesize" -gt 85011 ]; then
 echo "Too large file size :" $filesize
 failed="$failed multi-incl-size"
 fi
--- texk/dvipdfm-x/pdffont.c
+++ texk/dvipdfm-x/pdffont.c 2026-04-14 15:18:23.398408911 +0000
@@ -64,10 +64,7 @@ pdf_font_set_dpi (int font_dpi)
 PKFont_set_dpi(font_dpi);
 }
-static union {
- char p[sizeof(int)];
- int* i;
-} unique_tag_count;
+static int unique_tag_count;
 /* This function used to be implemented as
 *
@@ -112,16 +109,21 @@ pdf_font_make_uniqueTag (char *tag)
 {
 MD5_CONTEXT state;
 unsigned char digest[16];
+ unsigned char unique_tag_count_bytes[4];
 int i, ch;
- unique_tag_count.i++;
+ unique_tag_count++;
+ unique_tag_count_bytes[0] = unique_tag_count;
+ unique_tag_count_bytes[1] = unique_tag_count >> 8;
+ unique_tag_count_bytes[2] = unique_tag_count >> 16;
+ unique_tag_count_bytes[3] = unique_tag_count >> 24;
 MD5_init(&state);
 if (dvi_filename) MD5_write(&state, dvi_filename, strlen(dvi_filename));
 if (pdf_filename) MD5_write(&state, pdf_filename, strlen(pdf_filename));
- MD5_write(&state, unique_tag_count.p, sizeof(unique_tag_count));
+ MD5_write(&state, unique_tag_count_bytes, sizeof(unique_tag_count_bytes));
 MD5_final(digest, &state);
 for (i = 0; i < 6; i++) {
++++++ source-tl-r78399.dif ++++++
Index: ChangeLog
===================================================================
---
 texk/dvipdfm-x/ChangeLog | 13 +++++++++++++
 texk/dvipdfm-x/configure | 22 +++++++++++-----------
 texk/dvipdfm-x/configure.ac | 2 +-
 texk/dvipdfm-x/data/dvipdfmx.cfg | 13 ++++++++++++-
 texk/dvipdfm-x/dpxfile.c | 31 +++++++++++++++++++++++++++++--
 5 files changed, 66 insertions(+), 15 deletions(-)
--- texk/dvipdfm-x/ChangeLog
+++ texk/dvipdfm-x/ChangeLog 2026-04-15 00:00:00.000000000 +0000
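Review bot: In pdf_font_make_uniqueTag the counter is a signed `int` that is right-shifted and narrowed into `unsigned char` without a cast, which is only well defined while it stays non-negative; declaring it `static unsigned int unique_tag_count;` in the preceding pdffont.c hunk (or shifting `(unsigned int)unique_tag_count`) makes the four-byte serialization fully defined. The reason for building the bytes by hand is also unstated, so a comment such as `/* hash the counter as 4 little-endian bytes so tags do not depend on host byte order or pointer size */` belongs above the assignments. The hashed length drops from `sizeof` the old union to 4 bytes, so generated tags presumably differ from an unpatched build, and with the input now architecture-independent the 85010 to 85011 relaxation in dvipdfmx-incl.test may no longer be needed. The function body continues past the end of the hunk.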
@@ -1,3 +1,16 @@ +2026-03-17 Karl Berry <[email protected]> + + * configure.ac: version 20260317. Post-release patch. + * data/dvipdfmx.cfg (D): use --; suggestion from Max Chernoff. + +2026-03-17 Norbert Preining <[email protected]> + + * dpxfile.c (filename_unsafe_for_command): new fn to check for + ' or " in filenames. + (dpx_file_apply_filter): call it. + Report to tlsecurity from Dawid Kulikowski of CERN, + 9 Mar 2026 15:28:18. + 2026-03-02 Karl Berry <[email protected]> * TL'26 release. --- texk/dvipdfm-x/configure +++ texk/dvipdfm-x/configure 2026-04-15 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for dvipdfm-x (TeX Live) 20260113. +# Generated by GNU Autoconf 2.72 for dvipdfm-x (TeX Live) 20260317. # # Report bugs to <[email protected]>. # @@ -614,8 +614,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='dvipdfm-x (TeX Live)' PACKAGE_TARNAME='dvipdfm-x--tex-live-' -PACKAGE_VERSION='20260113' -PACKAGE_STRING='dvipdfm-x (TeX Live) 20260113' +PACKAGE_VERSION='20260317' +PACKAGE_STRING='dvipdfm-x (TeX Live) 20260317' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1387,7 +1387,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures dvipdfm-x (TeX Live) 20260113 to adapt to many kinds of systems. +'configure' configures dvipdfm-x (TeX Live) 20260317 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1459,7 +1459,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of dvipdfm-x (TeX Live) 20260113:";; + short | recursive ) echo "Configuration of dvipdfm-x (TeX Live) 20260317:";; esac cat <<\_ACEOF 
@@ -1590,7 +1590,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -dvipdfm-x (TeX Live) configure 20260113 +dvipdfm-x (TeX Live) configure 20260317 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. @@ -2371,7 +2371,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by dvipdfm-x (TeX Live) $as_me 20260113, which was +It was created by dvipdfm-x (TeX Live) $as_me 20260317, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw @@ -9270,7 +9270,7 @@ fi # Define the identity of the package. PACKAGE='dvipdfm-x--tex-live-' - VERSION='20260113' + VERSION='20260317' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -17056,7 +17056,7 @@ Usage: $0 [OPTIONS] Report bugs to <[email protected]>." lt_cl_version="\ -dvipdfm-x (TeX Live) config.lt 20260113 +dvipdfm-x (TeX Live) config.lt 20260317 configured by $0, generated by GNU Autoconf 2.72. Copyright (C) 2024 Free Software Foundation, Inc. @@ -19010,7 +19010,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by dvipdfm-x (TeX Live) $as_me 20260113, which was +This file was extended by dvipdfm-x (TeX Live) $as_me 20260317, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19082,7 +19082,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -dvipdfm-x (TeX Live) config.status 20260113 +dvipdfm-x (TeX Live) config.status 20260317 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" --- texk/dvipdfm-x/configure.ac +++ texk/dvipdfm-x/configure.ac 2026-04-15 00:00:00.000000000 +0000 
@@ -8,7 +8,7 @@ dnl This file is free software; the co
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
 dnl
-AC_INIT([dvipdfm (TeX Live)], [20260113], [[email protected]])
+AC_INIT([dvipdfm (TeX Live)], [20260317], [[email protected]])
 AC_PREREQ([2.65])
 AC_CONFIG_SRCDIR([agl.c])
 AC_CONFIG_AUX_DIR([../../build-aux])
--- texk/dvipdfm-x/dpxfile.c
+++ texk/dvipdfm-x/dpxfile.c 2026-04-15 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 /* This is dvipdfmx, an eXtended version of dvipdfm by Mark A. Wicks.
- Copyright (C) 2002-2020 by Jin-Hwan Cho and Shunsaku Hirata,
+ Copyright (C) 2002-2026 by Jin-Hwan Cho and Shunsaku Hirata,
 the dvipdfmx project team.
 Copyright (C) 1998, 1999 by Mark A. Wicks <[email protected]>
@@ -1057,10 +1057,26 @@ dpx_delete_temp_file (char *tmp, int for
 return;
 }
+/* Return nonzero if the filename contains characters that could break
+ * out of quoting in exec_spawn()'s command parser and allow argument
+ * injection. exec_spawn() splits on spaces and handles '...' and "..."
+ * but has no escape mechanism for embedded quotes.
+ */
+static int
+filename_unsafe_for_command (const char *name)
+{
+ const char *p;
+ for (p = name; *p; p++) {
+ if (*p == '\'' || *p == '"')
+ return 1;
+ }
+ return 0;
+}
+
 /* dpx_file_apply_filter() is used for converting unsupported graphics
 * format to one of the formats that dvipdfmx can natively handle.
 * 'input' is the filename of the original file and 'output' is actually
- * temporal files 'generated' by the above routine.
+ * temporal files 'generated' by the above routine.
 * This should be system dependent. (MiKTeX may want something different)
 * Please modify as appropriate (see also pdfximage.c and dvipdfmx.c).
 */
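Review bot: filename_unsafe_for_command() rejects only `'` and `"`, so it closes the quote-breakout case but gives no protection when a D template uses `%i` or `%o` without surrounding quotes; by the header comment's own description exec_spawn() splits on spaces, so a name containing a space would then still become several arguments. The comment should state that assumption, for example `* Only sufficient when the command template quotes %i and %o; unquoted placeholders are still split on spaces.` The helper also dereferences `name` unconditionally, which is safe only because dpx_file_apply_filter() tests `!input || !output` before calling it, so a short remark that `name` must be non-NULL would keep a later caller from missing that.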
@@ -1078,6 +1094,17 @@ dpx_file_apply_filter (const char *cmdtm
 else if (!input || !output) return -1;
+ if (filename_unsafe_for_command(input)) {
+ WARN("Input filename contains unsafe characters for command execution: %s",
+ input);
+ return -1;
+ }
+ if (filename_unsafe_for_command(output)) {
+ WARN("Output filename contains unsafe characters for command execution: %s",
+ output);
+ return -1;
+ }
+
 size = strlen(cmdtmpl) + strlen(input) + strlen(output) + 3;
 cmd = NEW(size, char);
 memset(cmd, 0, size);
--- texk/dvipdfm-x/data/dvipdfmx.cfg
+++ texk/dvipdfm-x/data/dvipdfmx.cfg 2026-04-15 00:00:00.000000000 +0000
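Review bot: Both new guards in dpx_file_apply_filter() still accept a name that begins with `-`, so whether such an input is read as an option by the spawned filter depends entirely on the D template placing `--` before `%i`, which this patch does only for the shipped dvipdfmx.cfg. That dependency should be recorded next to the checks, for example `/* Quotes are rejected here; option-like names (leading '-') rely on "--" in the command template. */`, so that someone editing a site-local template knows the C code does not cover it. The template expansion and the exec_spawn() call lie outside the hunk, so this reading is based on the helper and the cfg comment only.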
@@ -147,12 +147,23 @@ P 0x003C
 %% will also be re-encoded using Flate. To turn the conversion off,
 %% remove the options mentioned above.
 %%
+%% The -- forces the remaining argument(s) to be considered as
+%% filenames, just in case someone manages to insert a Ghostscript option.
+%% Although it's traditional to end gs invocations with "-c quit",
+%% in this context it is not necessary, and we don't want that with the --,
+%% since we wouldn't want to randomly find input files named "-c" or
+%% "quit".
+%%
 %% Incidentally, more than one dvipdfmx.cfg may exist.
 %% You can find the one that is active by running:
 %% kpsewhich -progname=dvipdfmx -format=othertext dvipdfmx.cfg
+%% (add -all to see all files found)
 %% and control which one is found by setting DVIPDFMXINPUTS.
 %%
-D "rungs -q -dSAFER -dNOPAUSE -dBATCH -dEPSCrop -sPAPERSIZE=a0 -sDEVICE=pdfwrite -dCompatibilityLevel=%v -dAutoFilterGrayImages=false -dGrayImageFilter=/FlateEncode -dAutoFilterColorImages=false -dColorImageFilter=/FlateEncode -dAutoRotatePages=/None -sOutputFile='%o' '%i' -c quit"
+%% Incidentally 2, the syntax of this value is a C string: "...".
+%% The embedded '...' quotes are interpreted by dvipdfmx, not a shell.
+%%
+D "rungs -q -dSAFER -dNOPAUSE -dBATCH -dEPSCrop -sPAPERSIZE=a0 -sDEVICE=pdfwrite -dCompatibilityLevel=%v -dAutoFilterGrayImages=false -dGrayImageFilter=/FlateEncode -dAutoFilterColorImages=false -dColorImageFilter=/FlateEncode -dAutoRotatePages=/None -sOutputFile='%o' -- '%i'"
 %% If you change the above rungs invocation, also change dvipdfmx-unsafe.cfg!
 % other random ps converters people have experimented with.
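Review bot: The context line directly below the changed D entry says `also change dvipdfmx-unsafe.cfg!`, yet the patch's diffstat lists only data/dvipdfmx.cfg among the configuration files, so the `--` separator and the removal of `-c quit` apparently do not reach that second file. If dvipdfmx-unsafe.cfg carries its own rungs line, it should receive the same `-- '%i'` ending in this patch, or the patch description should say why it is left unchanged. It may be handled elsewhere in the package, which is not visible from this diff.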
