Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2019-03-26 15:37:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Tue Mar 26 15:37:17 2019 rev:38 rq:687694 version:9.26a Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2019-03-01 20:25:31.374067406 +0100 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.25356/ghostscript-mini.changes 2019-03-26 15:37:18.864374873 +0100 @@ -1,0 +2,20 @@ +Thu Mar 14 08:03:24 UTC 2019 - jseg...@suse.com + +- Added AA rules for dvips (bsc#1127934) +- Allow execution of dirname (bsc#1128697) +- Allow execution of hpijs (bsc#1128467). For now this is in + complain mode +- Sane profile name "ghostscript", moved profile from + /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript + (bsc#1128607) +- Improved AA packaging (bsc#1128608) + Thanks to Christian Boltz for his help + +------------------------------------------------------------------- +Fri Mar 8 10:49:18 UTC 2019 - Martin Wilck <mwi...@suse.com> + +- Fix IJS printing problem (bsc#1128467) + * added ijs_exec_server_dont_use_sh.patch + * allow exec'ing hpijs in apparmor profile + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2019-03-12 09:48:15.227599787 +0100 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.25356/ghostscript.changes 2019-03-26 15:37:19.192374743 +0100 @@ -1,0 +2,13 @@ +Thu Mar 14 08:03:24 UTC 2019 - jseg...@suse.com + +- Added AA rules for dvips (bsc#1127934) +- Allow execution of dirname (bsc#1128697) +- Allow execution of hpijs (bsc#1128467). For now this is in + complain mode +- Sane profile name "ghostscript", moved profile from + /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript + (bsc#1128607) +- Improved AA packaging (bsc#1128608) + Thanks to Christian Boltz for his help + +------------------------------------------------------------------- Old: ---- apparmor_usr.bin.gs New: ---- apparmor_ghostscript ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.lT2Uxk/_old 2019-03-26 15:37:21.388373869 +0100 +++ /var/tmp/diff_new_pack.lT2Uxk/_new 2019-03-26 15:37:21.392373868 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -25,6 +25,11 @@ BuildRequires: libtool BuildRequires: pkg-config BuildRequires: zlib-devel +%if 0%{?suse_version} >= 1500 +BuildRequires: apparmor-abstractions +BuildRequires: apparmor-rpm-macros +Requires: apparmor-abstractions +%endif Summary: Minimal Ghostscript for minimal build requirements License: AGPL-3.0-only Group: System/Libraries @@ -71,7 +76,7 @@ # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz Source0: ghostscript-%{version}.tar.gz -Source1: apparmor_usr.bin.gs +Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: @@ -81,6 +86,7 @@ # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball: Patch100: remove-zlib-h-dependency.patch +Patch101: ijs_exec_server_dont_use_sh.patch # RPM dependencies: Conflicts: ghostscript Conflicts: ghostscript-x11 @@ -146,6 +152,7 @@ # and disable remove-zlib-h-dependency.patch because # Ghostscript 9.21 does no longer build this way: #patch100 -p1 -b remove-zlib-h-dependency.orig +%patch101 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig @@ -312,9 +319,13 @@ # Switch back to the usual build log messages: set -x install -m 644 catalog.devices $DOCDIR -install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs +install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript -%post -p /sbin/ldconfig +%post +/sbin/ldconfig +%if 0%{?suse_version} >= 1500 +%apparmor_reload /etc/apparmor.d/ghostscript +%endif %postun -p /sbin/ldconfig @@ -392,8 +403,10 @@ %{_libdir}/libgs.so.* %{_libdir}/ghostscript/ %{_libdir}/libijs-0.35.so +%if 0%{?suse_version} < 1500 %dir %{_sysconfdir}/apparmor.d -%{_sysconfdir}/apparmor.d/* +%endif +%{_sysconfdir}/apparmor.d/ghostscript %files devel %defattr(-,root,root) ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.lT2Uxk/_old 2019-03-26 15:37:21.412373859 +0100 +++ /var/tmp/diff_new_pack.lT2Uxk/_new 2019-03-26 15:37:21.412373859 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -45,6 +45,11 @@ BuildRequires: xorg-x11-devel BuildRequires: xorg-x11-fonts BuildRequires: zlib-devel +%if 0%{?suse_version} >= 1500 +BuildRequires: apparmor-abstractions +BuildRequires: apparmor-rpm-macros +Requires: apparmor-abstractions +%endif Summary: The Ghostscript interpreter for PostScript and PDF License: AGPL-3.0-only Group: System/Libraries @@ -91,7 +96,7 @@ # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz Source0: ghostscript-%{version}.tar.gz -Source1: apparmor_usr.bin.gs +Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: @@ -450,9 +455,13 @@ # Switch back to the usual build log messages: set -x install -m 644 catalog.devices $DOCDIR -install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs +install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript -%post -p /sbin/ldconfig +%post +/sbin/ldconfig +%if 0%{?suse_version} >= 1500 +%apparmor_reload /etc/apparmor.d/ghostscript +%endif %postun -p /sbin/ldconfig @@ -531,8 +540,10 @@ %{_libdir}/ghostscript/ %{_libdir}/libijs-0.35.so %exclude %{_libdir}/ghostscript/%{built_version}/X11.so +%if 0%{?suse_version} < 1500 %dir %{_sysconfdir}/apparmor.d -%{_sysconfdir}/apparmor.d/* +%endif +%{_sysconfdir}/apparmor.d/ghostscript %files x11 %defattr(-,root,root) ++++++ apparmor_ghostscript ++++++ #include <tunables/global> # this profile is mainly intended to prevent easy exploitation of # issues in ghostscript. This is mainly intended as a hardening # measure and doesn't alleviate the need for regular updates profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> #include <abstractions/X> # needed to read gc/write pdfs/eps/.. everywhere /** wr, /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} mrix, /usr/bin/dvips mrix, /usr/lib64/ghostscript/** m, /usr/lib64/libgs.so.* m, /usr/lib64/libijs-* m, /usr/bin/hpijs Cx, profile /usr/bin/hpijs flags=(complain) { #include <abstractions/base> network inet dgram, /etc/cups/cupsd.conf r, /etc/hp/hplip.conf r, /usr/bin/hpijs mr, /usr/share/ghostscript/** r, /usr/share/hplip/** r, /usr/share/snmp/mibs/ r, /usr/share/snmp/mibs/*.txt r, owner /var/spool/cups/tmp/gs_?????? rw, } /usr/bin/basename Cx, profile /usr/bin/basename { #include <abstractions/base> /usr/bin/basename mr, } /usr/bin/dirname Cx, profile /usr/bin/dirname { #include <abstractions/base> /usr/bin/dirname mr, } }
