Package init

2019-09-30 10:40:22 -04:00 · 2019-09-30 10:40:22 -04:00 · c65c33446a
commit c65c33446a
4 changed files with 261 additions and 0 deletions
--- a/CVE-2019-10216.patch
+++ b/CVE-2019-10216.patch
@ -0,0 +1,49 @@
 From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Fri, 2 Aug 2019 15:18:26 +0100
 Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
 ---
 Resource/Init/gs_type1.ps | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
 index 6c7735b..a039cce 100644
 --- a/Resource/Init/gs_type1.ps
 +++ b/Resource/Init/gs_type1.ps
@@ -118,25 +118,25 @@
                          ( to be the same as glyph: ) print 1 index //== exec } if
                    3 index exch 3 index .forceput
                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
 -                 }
 +                 }executeonly
                  {pop} ifelse
 -               } forall
 +               } executeonly forall
                pop pop
 -             }
 +             } executeonly
              {
                pop pop pop
              } ifelse
 -           }
 +           } executeonly
            {
                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
              pop pop
            } ifelse
 -         } forall
 +         } executeonly forall
          3 1 roll pop pop
 -     } if
 +     } executeonly if
      pop
      dup /.AGLprocessed~GS //true .forceput
 -   } if
 +   } executeonly if
    %% We need to excute the C .buildfont1 in a stopped context so that, if there
    %% are errors we can put the stack back sanely and exit. Otherwise callers won't
 -- 
 1.8.3.1
--- a/ghostscript-9.23-100-run-dvipdf-securely.patch
+++ b/ghostscript-9.23-100-run-dvipdf-securely.patch
@ -0,0 +1,22 @@
 From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
 From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
 Date: Fri, 7 Oct 2016 13:57:01 +0200
 Subject: [PATCH] Make sure 'dvipdf' is being run securely
 ---
 lib/dvipdf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/dvipdf b/lib/dvipdf
 index 802aeab..c92dfb0 100755
 --- a/lib/dvipdf
 +++ b/lib/dvipdf
@@ -43,4 +43,4 @@ fi
 # We have to include the options twice because -I only takes effect if it
 # appears before other options.
 -exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
 +exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
 -- 
 2.14.3
--- a/ghostscript-9.27.tar.xz
+++ b/ghostscript-9.27.tar.xz
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -0,0 +1,190 @@
 %global _hardened_build 1
 # override the default location of documentation or license files
 # in 'ghostscript' instead of in 'libgs'
 %global _docdir_fmt     %{name}
 # download version
 %global version_short   %(echo "%{version}" | tr -d '.')
 # Obtain the location of Google Droid fonts directory
 %global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback"))
 Name:             ghostscript
 Version:          9.27
 Release:          3
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
 Source0:          https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
 # Downstream patches
 Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch
 # Patch6000 from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
 Patch6000: CVE-2019-10216.patch
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
 BuildRequires:    google-droid-sans-fonts urw-base35-fonts-devel
 BuildRequires:    cups-devel dbus-devel fontconfig-devel
 BuildRequires:    lcms2-devel libidn-devel libijs-devel libjpeg-turbo-devel
 BuildRequires:    libpng-devel libpaper-devel libtiff-devel openjpeg2-devel
 BuildRequires:    zlib-devel gtk3-devel libXt-devel
 BuildRequires:    jbig2dec-devel >= 0.16
 Requires:         adobe-mappings-cmap
 Requires:         adobe-mappings-cmap-lang
 Requires:         adobe-mappings-pdf
 Requires:         google-droid-sans-fonts
 Requires:         urw-base35-fonts
 Obsoletes:      %{name}-doc < %{version}-%{release}
 Obsoletes:      %{name}-x11 < %{version}-%{release}
 Obsoletes:      %{name}-gtk < %{version}-%{release}
 Obsoletes:      %{name}-tools-printing < %{version}-%{release}
 Obsoletes:      %{name}-tools-fonts < %{version}-%{release}
 Obsoletes:      libgs < %{version}-%{release}
 Provides:       %{name}-doc
 Provides:       %{name}-x11
 Provides:       %{name}-gtk
 Provides:       %{name}-tools-printing
 Provides:       %{name}-tools-fonts
 Provides:       libgs
 Provides:       %{name}-core
 %description
 Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files.
 Ghostscript consists of a PostScript interpreter layer, and a graphics library.
 %package devel
 Summary:          Development files for Ghostscript's library
 Requires:         %{name} = %{version}-%{release}
 Obsoletes:        libgs-devel < %{version}-%{release}
 Provides:         libgs-devel
 %description devel
 This package contains development files for %{name}.
 %package        help
 Summary:        Documents for %{name}
 Buildarch:      noarch
 Requires:       man info
 Requires:       %{name} = %{version}-%{release}
 Obsoletes:      %{name}-doc < %{version}-%{release}
 Provides:       %{name}-doc
 %description help
 Man pages and other related documents for %{name}.
 %package tools-dvipdf
 Summary:          Ghostscript's 'dvipdf' utility
 Requires:         %{name} = %{version}-%{release}
 Requires:         texlive-dvips
 %description tools-dvipdf
 This package provides the utility 'dvipdf' for converting of TeX DVI files into
 PDF files using Ghostscript and dvips
 %prep
 %autosetup -N -p1
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
 rm -rf windows
 %build
 %configure --enable-dynamic --disable-compile-inits --without-versioned-path \
           --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/"
 %make_build so
 %install
 # to install necessary files without 'make_install'
 make DESTDIR=%{buildroot} soinstall
 # rename to 'gs' binary.
 mv -f %{buildroot}%{_bindir}/{gsc,gs}
 # remove files
 rm -f %{buildroot}%{_bindir}/{lprsetup.sh,unix-lpr.sh}
 rm -f %{buildroot}%{_docdir}/%{name}/{AUTHORS,COPYING,*.tex,*.hlp,*.txt}
 rm -f %{buildroot}%{_datadir}/%{name}/doc
 # move some files into html/
 install -m 0755 -d %{buildroot}%{_docdir}/%{name}/html
 cp doc/gsdoc.el %{buildroot}%{_docdir}/%{name}/
 mv -f %{buildroot}%{_docdir}/%{name}/{*.htm*,*.el,html}
 # create symlink
 ln -s %{_bindir}/gs %{buildroot}%{_bindir}/ghostscript
 ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1
 # use the symlinks where possible.
 ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
 for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do
  ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font}
 done
 # create symlink for each of the CMap files in Ghostscript's Resources/CMap folder.
 for file in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/CMap/*); do
  find %{adobe_mappings_rootpath} -type f -name ${file} -exec ln -fs {} %{buildroot}%{_datadir}/%{name}/Resource/CMap/${file} \;
 done
 install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %check
 make check
 %pre
 %preun
 %post
 %postun
 %files
 %defattr(-,root,root)
 %license LICENSE doc/COPYING
 %{_datadir}/%{name}/
 %dir %{_datadir}/%{name}/conf.d/
 %{_bindir}/gs
 %{_bindir}/gsnd
 %{_bindir}/ghostscript
 %{_bindir}/eps2*
 %{_bindir}/pdf2*
 %{_bindir}/ps2*
 %{_bindir}/gsx
 %{_bindir}/gsbj
 %{_bindir}/gsdj
 %{_bindir}/gsdj500
 %{_bindir}/gslj
 %{_bindir}/gslp
 %{_bindir}/pphs
 %{_bindir}/pf2afm
 %{_bindir}/pfbtopfa
 %{_bindir}/printafm
 %{_libdir}/libgs.so.*
 %{_libdir}/%{name}/
 %files devel
 %{_libdir}/libgs.so
 %{_includedir}/%{name}/
 %files help
 %{_mandir}/man1/*
 %lang(de) %{_mandir}/de/man1/*
 %doc %{_docdir}/%{name}/
 %files tools-dvipdf
 %{_bindir}/dvipdf
 %changelog
 * Mon Sep 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-3
 - fix CVE-2019-10216 and modify requires
 * Mon Sep 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-2
 - Add subpackage tools-dvipdf
 * Thu Sep 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-1
 - Package init