Hello community,

here is the log from the commit of package ghostscript for openSUSE:Leap:15.2 
checked in at 2020-05-12 11:32:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/ghostscript (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.ghostscript.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghostscript"

Tue May 12 11:32:16 2020 rev:30 rq:801875 version:9.52

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/ghostscript/ghostscript-mini.changes   
2020-01-15 15:02:52.649824260 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.ghostscript.new.2738/ghostscript-mini.changes 
2020-05-12 11:32:21.731739554 +0200
@@ -1,0 +2,120 @@
+Tue Apr 28 14:17:59 CEST 2020 - [email protected]
+
+- The version upgrade to 9.52 fixes in particular
+  CVE-2020-12268: jbic2dec: heap-based buffer overflow
+  in jbig2_image_compose (bsc#1170603)
+- Version upgrade to 9.52
+  Highlights in this release include:
+  * The 9.52 release replaces the 9.51 release after a problem
+    was reported with 9.51 which warranted the quick turnaround.
+    Thus, like 9.51, 9.52 is primarily a maintenance release,
+    consolidating the changes we introduced in 9.50.
+  * IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt
+    (the "mt" indicating "multi-thread").
+    LCMS2 is not thread-safe, and cannot be made thread-safe
+    without breaking the ABI. Our fork will be thread-safe and
+    include performance enhancements (these changes have all
+    been offered and rejected upstream). We will maintain
+    compatibility between Ghostscript and LCMS2 for a time,
+    but not in perpetuity. If there is sufficient interest,
+    our fork will be available as its own package separately
+    from Ghostscript (and MuPDF).
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  Incompatible changes:
+  * New option -dALLOWPSTRANSPARENCY: The transparency compositor
+    (and related features), whilst we are improving it, remains
+    sensitive to being driven correctly, and incorrect use
+    can have unexpected/undefined results. Hence, as part of
+    improving security, we limited access to these operators,
+    originally using the -dSAFER feature. As we made "SAFER"
+    the default mode, that became unacceptable, hence the
+    new option -dALLOWPSTRANSPARENCY which enables access
+    to the operators, cf.
+    https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.52/News.htm
+  For details see the News.htm and History9.htm files.
+- Version upgrade to 9.51
+  Highlights in this release include:
+  * 9.51 is primarily a maintainance release, consolidating
+    the changes we introduced in 9.50.
+  * We have continued our work on code hygiene for this release,
+    with a focus on the static analysis tool Coverity
+    (from Synopsys, Inc) and we are now maintaining a policy of
+    zero Coverity issues in the Ghostscript/GhostPDL source base.
+  * IMPORTANT: In consultation with a representative of
+    OpenPrinting (http://www.openprinting.org/) it is our
+    intention to deprecate and, in the not distant future,
+    remove the OpenPrinting Vector/Raster Printer Drivers
+    (that is, the opvp and oprp devices).
+    If you rely on either of these devices, please get in touch
+    with us (i.e. Ghostscript upstream), so we can discuss your
+    use case, and revise our plans accordingly.
+  * We (i.e. Ghostscript upstream) are in the process of forking
+    LittleCMS, cf. the other release notes entries below.
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.51/News.htm
+  For details see the News.htm and History9.htm files.
+- Version upgrade to 9.50
+  Highlights in this release include:
+  * The change to version 9.50 follows recognition
+    of the extent and importance of the file access control
+    redesign/reimplementation outlined below.
+  * The file access control capability (enable with -dSAFER)
+    has been completely rewritten, with a ground-up rethink
+    of the design. For more details, see: "SAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#Safer
+  * It is important to note that -dSAFER now only enables the
+    file access controls, and no longer applies restrictions
+    to standard Postscript functionality (specifically,
+    restrictions on setpagedevice). If your application relies
+    on these Postscript restrictions, see "OLDSAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer
+    and please get in touch, as we do plan to remove those
+    Postscript restrictions unless we have reason not to.
+  IMPORTANT: File access controls are now enabled by default.
+    In order to run Ghostscript without these controls,
+    see "NOSAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer
+  * We (i.e. Ghostscript upstream) are in the process of forking
+    LittleCMS, cf. the other release notes entries below.
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  Incompatible changes:
+  * There are a couple of subtle incompatibilities between the old
+    and new SAFER implementations. Firstly, as mentioned above,
+    SAFER now leaves standard Postcript functionality unchanged
+    (except for the file access limitations). Secondly, the
+    interaction with save/restore operations, see "SAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#Safer
+  * The following is not strictly speaking new to 9.50,
+    as not much has changed since 9.27 in this area,
+    but for those who don't upgrade with every release:
+    The process of "tidying" the Postscript name space should have
+    removed only non-standard and undocumented operators.
+    Nevertheless, it is possible that any integrations or utilities
+    that rely on those non-standard and undocumented operators
+    may stop working, or may change behaviour.
+    If you encounter such a case, please contact us
+    (i.e. Ghostscript upstream, either the #ghostscript IRC channel
+     or the gs-devel mailing list would be best), and we'll work
+    with you to either find an alternative solution or return the
+    previous functionality, if there is genuinely no other option.
+    One case we know this has occurred is GSView 5 (and earlier).
+    GSView 5 support for PDF files relied upon internal use only
+    features which are no longer available. GSView 5 will still
+    work as previously for Postscript files. For PDF files,
+    users are encouraged to look at MuPDF https://www.mupdf.com/
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.50/News.htm
+  For details see the News.htm and History9.htm files.
+- CVE-2019-10216.patch CVE-2019-14869.patch
+  gs-CVE-2019-14811-885444fc.patch
+  gs-CVE-2019-14817-cd1b1cac.patch
+  openjpeg4gs-CVE-2018-6616-8ee33522.patch
+  are fixed in the version 9.52 upstream sources.
+
+-------------------------------------------------------------------
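Review bot: The first bullet of the new entry spells the component "jbic2dec", but the function named on the next line is jbig2_image_compose, so the component is presumably jbig2dec; anyone searching the changelog for jbig2dec will miss the CVE-2020-12268 fix. The closing bullet says the five listed patch files "are fixed in the version 9.52 upstream sources"; it is the issues that are fixed upstream and the patch files that are dropped, so wording such as "removed, fixed in the 9.52 upstream sources" would match what the spec change does. Minor spelling: "maintainance" in the 9.51 block and "Postcript" in the 9.50 incompatible-changes block.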
--- /work/SRC/openSUSE:Leap:15.2/ghostscript/ghostscript.changes        
2020-01-15 15:02:52.701824287 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.ghostscript.new.2738/ghostscript.changes      
2020-05-12 11:32:21.891739890 +0200
@@ -0,0 +1,121 @@
+
+-------------------------------------------------------------------
+Tue Apr 28 14:17:59 CEST 2020 - [email protected]
+
+- The version upgrade to 9.52 fixes in particular
+  CVE-2020-12268: jbic2dec: heap-based buffer overflow
+  in jbig2_image_compose (bsc#1170603)
+- Version upgrade to 9.52
+  Highlights in this release include:
+  * The 9.52 release replaces the 9.51 release after a problem
+    was reported with 9.51 which warranted the quick turnaround.
+    Thus, like 9.51, 9.52 is primarily a maintenance release,
+    consolidating the changes we introduced in 9.50.
+  * IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt
+    (the "mt" indicating "multi-thread").
+    LCMS2 is not thread-safe, and cannot be made thread-safe
+    without breaking the ABI. Our fork will be thread-safe and
+    include performance enhancements (these changes have all
+    been offered and rejected upstream). We will maintain
+    compatibility between Ghostscript and LCMS2 for a time,
+    but not in perpetuity. If there is sufficient interest,
+    our fork will be available as its own package separately
+    from Ghostscript (and MuPDF).
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  Incompatible changes:
+  * New option -dALLOWPSTRANSPARENCY: The transparency compositor
+    (and related features), whilst we are improving it, remains
+    sensitive to being driven correctly, and incorrect use
+    can have unexpected/undefined results. Hence, as part of
+    improving security, we limited access to these operators,
+    originally using the -dSAFER feature. As we made "SAFER"
+    the default mode, that became unacceptable, hence the
+    new option -dALLOWPSTRANSPARENCY which enables access
+    to the operators, cf.
+    https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.52/News.htm
+  For details see the News.htm and History9.htm files.
+- Version upgrade to 9.51
+  Highlights in this release include:
+  * 9.51 is primarily a maintainance release, consolidating
+    the changes we introduced in 9.50.
+  * We have continued our work on code hygiene for this release,
+    with a focus on the static analysis tool Coverity
+    (from Synopsys, Inc) and we are now maintaining a policy of
+    zero Coverity issues in the Ghostscript/GhostPDL source base.
+  * IMPORTANT: In consultation with a representative of
+    OpenPrinting (http://www.openprinting.org/) it is our
+    intention to deprecate and, in the not distant future,
+    remove the OpenPrinting Vector/Raster Printer Drivers
+    (that is, the opvp and oprp devices).
+    If you rely on either of these devices, please get in touch
+    with us (i.e. Ghostscript upstream), so we can discuss your
+    use case, and revise our plans accordingly.
+  * We (i.e. Ghostscript upstream) are in the process of forking
+    LittleCMS, cf. the other release notes entries below.
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.51/News.htm
+  For details see the News.htm and History9.htm files.
+- Version upgrade to 9.50
+  Highlights in this release include:
+  * The change to version 9.50 follows recognition
+    of the extent and importance of the file access control
+    redesign/reimplementation outlined below.
+  * The file access control capability (enable with -dSAFER)
+    has been completely rewritten, with a ground-up rethink
+    of the design. For more details, see: "SAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#Safer
+  * It is important to note that -dSAFER now only enables the
+    file access controls, and no longer applies restrictions
+    to standard Postscript functionality (specifically,
+    restrictions on setpagedevice). If your application relies
+    on these Postscript restrictions, see "OLDSAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer
+    and please get in touch, as we do plan to remove those
+    Postscript restrictions unless we have reason not to.
+  IMPORTANT: File access controls are now enabled by default.
+    In order to run Ghostscript without these controls,
+    see "NOSAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer
+  * We (i.e. Ghostscript upstream) are in the process of forking
+    LittleCMS, cf. the other release notes entries below.
+  * The usual round of bug fixes, compatibility changes,
+    and incremental improvements.
+  Incompatible changes:
+  * There are a couple of subtle incompatibilities between the old
+    and new SAFER implementations. Firstly, as mentioned above,
+    SAFER now leaves standard Postcript functionality unchanged
+    (except for the file access limitations). Secondly, the
+    interaction with save/restore operations, see "SAFER" at
+    https://www.ghostscript.com/doc/9.50/Use.htm#Safer
+  * The following is not strictly speaking new to 9.50,
+    as not much has changed since 9.27 in this area,
+    but for those who don't upgrade with every release:
+    The process of "tidying" the Postscript name space should have
+    removed only non-standard and undocumented operators.
+    Nevertheless, it is possible that any integrations or utilities
+    that rely on those non-standard and undocumented operators
+    may stop working, or may change behaviour.
+    If you encounter such a case, please contact us
+    (i.e. Ghostscript upstream, either the #ghostscript IRC channel
+     or the gs-devel mailing list would be best), and we'll work
+    with you to either find an alternative solution or return the
+    previous functionality, if there is genuinely no other option.
+    One case we know this has occurred is GSView 5 (and earlier).
+    GSView 5 support for PDF files relied upon internal use only
+    features which are no longer available. GSView 5 will still
+    work as previously for Postscript files. For PDF files,
+    users are encouraged to look at MuPDF https://www.mupdf.com/
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.50/News.htm
+  For details see the News.htm and History9.htm files.
+- CVE-2019-10216.patch CVE-2019-14869.patch
+  gs-CVE-2019-14811-885444fc.patch
+  gs-CVE-2019-14817-cd1b1cac.patch
+  openjpeg4gs-CVE-2018-6616-8ee33522.patch
+  are fixed in the version 9.52 upstream sources.
+
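Review bot: The hunk header "@@ -0,0 +1,121 @@" together with the empty first "+" line means ghostscript.changes now starts with a blank line ahead of the dashed separator, whereas the ghostscript-mini.changes hunk inserts at line 2 and carries one line fewer; dropping the leading empty line would keep the two files identical. In the 9.50 block, the line "IMPORTANT: File access controls are now enabled by default." has no "*" marker, unlike the items around it, so the one default change that affects every caller of gs reads like a continuation of the OLDSAFER item; giving it its own bullet would make it easier to spot.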

Old:
----
  CVE-2019-10216.patch
  CVE-2019-14869.patch
  ghostscript-9.27.tar.gz
  gs-CVE-2019-14811-885444fc.patch
  gs-CVE-2019-14817-cd1b1cac.patch
  openjpeg4gs-CVE-2018-6616-8ee33522.patch

New:
----
  ghostscript-9.52.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghostscript-mini.spec ++++++
--- /var/tmp/diff_new_pack.qaivUd/_old  2020-05-12 11:32:22.539741251 +0200
+++ /var/tmp/diff_new_pack.qaivUd/_new  2020-05-12 11:32:22.543741260 +0200
@@ -39,7 +39,7 @@
 # so that we keep additionally the previous version number to upgrade from the 
previous version:
 # Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
 #Version:        9.25pre26rc1
-Version:        9.27
+Version:        9.52
 Release:        0
 # Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
@@ -51,7 +51,7 @@
 # Separated built_version needed in case of Ghostscript release candidates 
e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the 
upstream version):
 #define built_version %{version}
-%define built_version 9.27
+%define built_version 9.52
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
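Review bot: built_version is bumped by hand to 9.52 directly below the commented-out "#define built_version %{version}", so Version and built_version must be edited in lockstep on every upgrade. The context comment states the two are the same for releases; using "%define built_version %{version}" for release builds and keeping the literal only for release candidates would remove the chance of the two drifting apart.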
@@ -63,24 +63,12 @@
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.27.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
+# wget -O ghostscript-9.52.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz
 # URL for MD5 checksums:
-# wget -O gs927.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
-# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d 
ghostscript-9.27.tar.gz
+# wget -O gs952.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
+# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 
ghostscript-9.52.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
-# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
-Patch0:         openjpeg4gs-CVE-2018-6616-8ee33522.patch
-# Patch1 Add commit from of upstream to fix CVE-2019-10216
-Patch1:         CVE-2019-10216.patch
-# Patch2 Add commit from ghostscript upstream to fix 
CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-Patch2:         gs-CVE-2019-14811-885444fc.patch
-# Patch3 Add commit from ghostscript upstream to fix CVE-2019-14817
-Patch3:         gs-CVE-2019-14817-cd1b1cac.patch
-# Patch4 Add commit from Ghostscript upstream
-# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
-# to fix CVE-2019-14869 "-dSAFER escape in .charkeys" (bsc#1156275)
-Patch4:         CVE-2019-14869.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for 
upstream:
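Review bot: The only integrity reference for Source0 in this hunk is an MD5 value in a comment, taken from an MD5SUMS file under the same GitHub release path as the tarball. MD5 is not collision resistant, and a checksum fetched from the same location as the archive does not authenticate it; recording a SHA-256 or SHA-512 digest for ghostscript-9.52.tar.gz and checking it when the source is imported, rather than leaving a value in a comment, would give a meaningful check.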
@@ -146,19 +134,6 @@
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for 
ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
-# openjpeg4gs-CVE-2018-6616-8ee33522.patch
-%patch0
-# Patch1 Add commit from of upstream to fix CVE-2019-10216
-%patch1 -p0
-# Patch2 Add commit from ghostscript upstream to fix 
CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-%patch2 -p1
-# Patch3 Add commit from ghostscript upstream to fix CVE-2019-14817
-%patch3 -p1
-# Patch4 Add commit from Ghostscript upstream
-# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
-# to fix CVE-2019-14869 "-dSAFER escape in .charkeys" (bsc#1156275)
-%patch4
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream 
tarball.
 # Again use the zlib sources from Ghostscript upstream
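Review bot: Removing the Patch2 comment here and in the preamble hunk drops the only mention of CVE-2019-14812 and CVE-2019-14813 from the package; the .changes entry lists just the file name gs-CVE-2019-14811-885444fc.patch. Naming all three ids in the changelog entry that records the patch removal would keep them findable for anyone checking whether this package version addresses them.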

++++++ ghostscript.spec ++++++
--- /var/tmp/diff_new_pack.qaivUd/_old  2020-05-12 11:32:22.559741293 +0200
+++ /var/tmp/diff_new_pack.qaivUd/_new  2020-05-12 11:32:22.563741302 +0200
@@ -59,7 +59,7 @@
 # so that we keep additionally the previous version number to upgrade from the 
previous version:
 # Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
 #Version:        9.25pre26rc1
-Version:        9.27
+Version:        9.52
 Release:        0
 # Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
@@ -71,7 +71,7 @@
 # Separated built_version needed in case of Ghostscript release candidates 
e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the 
upstream version):
 #define built_version %{version}
-%define built_version 9.27
+%define built_version 9.52
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -83,24 +83,12 @@
 #Source0:        ghostscript-%{tarball_version}.tar.gz
 # Normal URLs for Ghostscript releases:
 # URL for Source0:
-# wget -O ghostscript-9.27.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/ghostscript-9.27.tar.gz
+# wget -O ghostscript-9.52.tar.gz 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/ghostscript-9.52.tar.gz
 # URL for MD5 checksums:
-# wget -O gs927.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
-# MD5 checksum for Source0: c3990a504a3a23b9babe9de00ed6597d 
ghostscript-9.27.tar.gz
+# wget -O gs952.MD5SUMS 
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
+# MD5 checksum for Source0: 0f6964ab9b83a63b7e373f136243f901 
ghostscript-9.52.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
-# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
-Patch0:         openjpeg4gs-CVE-2018-6616-8ee33522.patch
-# Patch1 Add commit from of upstream to fix CVE-2019-10216
-Patch1:         CVE-2019-10216.patch
-# Patch2 Add commit from ghostscript upstream to fix 
CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-Patch2:         gs-CVE-2019-14811-885444fc.patch
-# Patch3 Add commit from ghostscript upstream to fix CVE-2019-14817
-Patch3:         gs-CVE-2019-14817-cd1b1cac.patch
-# Patch4 Add commit from Ghostscript upstream
-# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
-# to fix CVE-2019-14869 "-dSAFER escape in .charkeys" (bsc#1156275)
-Patch4:         CVE-2019-14869.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for 
upstream:
@@ -279,19 +267,6 @@
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for 
ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
-# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
-# openjpeg4gs-CVE-2018-6616-8ee33522.patch
-%patch0
-# Patch1 Add commit from of upstream to fix CVE-2019-10216
-%patch1 -p0
-# Patch2 Add commit from ghostscript upstream to fix 
CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-%patch2 -p1
-# Patch3 Add commit from ghostscript upstream to fix CVE-2019-14817
-%patch3 -p1
-# Patch4 Add commit from Ghostscript upstream
-# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
-# to fix CVE-2019-14869 "-dSAFER escape in .charkeys" (bsc#1156275)
-%patch4
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream 
tarball.
 # Again use the zlib sources from Ghostscript upstream
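Review bot: The four ghostscript.spec hunks are line for line the same as the ghostscript-mini.spec hunks, down to the "%patch0" to "%patch4" removals in this one, so every version bump and security patch change has to be made twice by hand. Generating one spec from the other, or at least adding a check that the Version, Source0 and Patch sections of the two files match, would reduce the risk of one spec keeping a patch or version the other has dropped.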

++++++ ghostscript-9.27.tar.gz -> ghostscript-9.52.tar.gz ++++++
/work/SRC/openSUSE:Leap:15.2/ghostscript/ghostscript-9.27.tar.gz 
/work/SRC/openSUSE:Leap:15.2/.ghostscript.new.2738/ghostscript-9.52.tar.gz 
differ: char 5, line 1

