Package init

2019-09-30 10:40:22 -04:00 · 2019-09-30 10:40:22 -04:00 · c65c33446a
commit c65c33446a
4 changed files with 261 additions and 0 deletions
--- a/CVE-2019-10216.patch
+++ b/CVE-2019-10216.patch
@ -0,0 +1,49 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735b..a039cce 100644
+--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+                          ( to be the same as glyph: ) print 1 index //== exec } if
+                    3 index exch 3 index .forceput
+                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+-                 }
+                 }executeonly
+                  {pop} ifelse
+-               } forall
+               } executeonly forall
+                pop pop
+-             }
+             } executeonly
+              {
+                pop pop pop
+              } ifelse
+-           }
+           } executeonly
+            {
+                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+              pop pop
+            } ifelse
+-         } forall
+         } executeonly forall
+          3 1 roll pop pop
+-     } if
+     } executeonly if
+      pop
+      dup /.AGLprocessed~GS //true .forceput
+-   } if
+   } executeonly if
+ 
+    %% We need to excute the C .buildfont1 in a stopped context so that, if there
+    %% are errors we can put the stack back sanely and exit. Otherwise callers won't
+-- 
+1.8.3.1
+
--- a/ghostscript-9.23-100-run-dvipdf-securely.patch
+++ b/ghostscript-9.23-100-run-dvipdf-securely.patch
@ -0,0 +1,22 @@
+From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
+From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
+Date: Fri, 7 Oct 2016 13:57:01 +0200
+Subject: [PATCH] Make sure 'dvipdf' is being run securely
+
+---
+ lib/dvipdf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dvipdf b/lib/dvipdf
+index 802aeab..c92dfb0 100755
+--- a/lib/dvipdf
+++ b/lib/dvipdf
+@@ -43,4 +43,4 @@ fi
+ 
+ # We have to include the options twice because -I only takes effect if it
+ # appears before other options.
+-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite -
+-- 
+2.14.3
+
--- a/ghostscript-9.27.tar.xz
+++ b/ghostscript-9.27.tar.xz
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -0,0 +1,190 @@
+%global _hardened_build 1
+# override the default location of documentation or license files
+# in 'ghostscript' instead of in 'libgs'
+%global _docdir_fmt     %{name}
+# download version
+%global version_short   %(echo "%{version}" | tr -d '.')
+# Obtain the location of Google Droid fonts directory
+%global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback"))
+
+Name:             ghostscript
+Version:          9.27
+Release:          3
+Summary:          An interpreter for PostScript and PDF files
+License:          AGPLv3+
+URL:              https://ghostscript.com/
+Source0:          https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
+
+# Downstream patches
+Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch
+
+# Patch6000 from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
+Patch6000: CVE-2019-10216.patch
+
+BuildRequires:    automake gcc
+BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
+BuildRequires:    google-droid-sans-fonts urw-base35-fonts-devel
+BuildRequires:    cups-devel dbus-devel fontconfig-devel
+BuildRequires:    lcms2-devel libidn-devel libijs-devel libjpeg-turbo-devel
+BuildRequires:    libpng-devel libpaper-devel libtiff-devel openjpeg2-devel
+BuildRequires:    zlib-devel gtk3-devel libXt-devel
+BuildRequires:    jbig2dec-devel >= 0.16
+
+Requires:         adobe-mappings-cmap
+Requires:         adobe-mappings-cmap-lang
+Requires:         adobe-mappings-pdf
+Requires:         google-droid-sans-fonts
+Requires:         urw-base35-fonts
+
+Obsoletes:      %{name}-doc < %{version}-%{release}
+Obsoletes:      %{name}-x11 < %{version}-%{release}
+Obsoletes:      %{name}-gtk < %{version}-%{release}
+Obsoletes:      %{name}-tools-printing < %{version}-%{release}
+Obsoletes:      %{name}-tools-fonts < %{version}-%{release}
+Obsoletes:      libgs < %{version}-%{release}
+Provides:       %{name}-doc
+Provides:       %{name}-x11
+Provides:       %{name}-gtk
+Provides:       %{name}-tools-printing
+Provides:       %{name}-tools-fonts
+Provides:       libgs
+Provides:       %{name}-core
+
+%description
+Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files.
+Ghostscript consists of a PostScript interpreter layer, and a graphics library.
+
+%package devel
+Summary:          Development files for Ghostscript's library
+Requires:         %{name} = %{version}-%{release}
+
+Obsoletes:        libgs-devel < %{version}-%{release}
+Provides:         libgs-devel
+
+%description devel
+This package contains development files for %{name}.
+
+%package        help
+Summary:        Documents for %{name}
+Buildarch:      noarch
+Requires:       man info
+Requires:       %{name} = %{version}-%{release}
+
+Obsoletes:      %{name}-doc < %{version}-%{release}
+Provides:       %{name}-doc
+
+%description help
+Man pages and other related documents for %{name}.
+
+%package tools-dvipdf
+Summary:          Ghostscript's 'dvipdf' utility
+Requires:         %{name} = %{version}-%{release}
+Requires:         texlive-dvips
+
+%description tools-dvipdf
+This package provides the utility 'dvipdf' for converting of TeX DVI files into
+PDF files using Ghostscript and dvips
+
+%prep
+%autosetup -N -p1
+
+# Libraries that we already have packaged(see Build Requirements):
+rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
+rm -rf windows
+
+%build
+%configure --enable-dynamic --disable-compile-inits --without-versioned-path \
+           --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/"
+%make_build so
+
+%install
+# to install necessary files without 'make_install'
+make DESTDIR=%{buildroot} soinstall
+
+# rename to 'gs' binary.
+mv -f %{buildroot}%{_bindir}/{gsc,gs}
+
+# remove files
+rm -f %{buildroot}%{_bindir}/{lprsetup.sh,unix-lpr.sh}
+rm -f %{buildroot}%{_docdir}/%{name}/{AUTHORS,COPYING,*.tex,*.hlp,*.txt}
+rm -f %{buildroot}%{_datadir}/%{name}/doc
+
+# move some files into html/
+install -m 0755 -d %{buildroot}%{_docdir}/%{name}/html
+cp doc/gsdoc.el %{buildroot}%{_docdir}/%{name}/
+mv -f %{buildroot}%{_docdir}/%{name}/{*.htm*,*.el,html}
+
+# create symlink
+ln -s %{_bindir}/gs %{buildroot}%{_bindir}/ghostscript
+ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1
+
+# use the symlinks where possible.
+ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf
+
+for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do
+  ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font}
+done
+
+# create symlink for each of the CMap files in Ghostscript's Resources/CMap folder.
+for file in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/CMap/*); do
+  find %{adobe_mappings_rootpath} -type f -name ${file} -exec ln -fs {} %{buildroot}%{_datadir}/%{name}/Resource/CMap/${file} \;
+done
+
+install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
+
+%check
+make check
+
+%pre
+
+%preun
+
+%post
+
+%postun
+
+%files
+%defattr(-,root,root)
+%license LICENSE doc/COPYING
+%{_datadir}/%{name}/
+%dir %{_datadir}/%{name}/conf.d/
+%{_bindir}/gs
+%{_bindir}/gsnd
+%{_bindir}/ghostscript
+%{_bindir}/eps2*
+%{_bindir}/pdf2*
+%{_bindir}/ps2*
+%{_bindir}/gsx
+%{_bindir}/gsbj
+%{_bindir}/gsdj
+%{_bindir}/gsdj500
+%{_bindir}/gslj
+%{_bindir}/gslp
+%{_bindir}/pphs
+%{_bindir}/pf2afm
+%{_bindir}/pfbtopfa
+%{_bindir}/printafm
+%{_libdir}/libgs.so.*
+%{_libdir}/%{name}/
+
+%files devel
+%{_libdir}/libgs.so
+%{_includedir}/%{name}/
+
+%files help
+%{_mandir}/man1/*
+%lang(de) %{_mandir}/de/man1/*
+%doc %{_docdir}/%{name}/
+
+%files tools-dvipdf
+%{_bindir}/dvipdf
+
+%changelog
+* Mon Sep 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-3
+- fix CVE-2019-10216 and modify requires
+
+* Mon Sep 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-2
+- Add subpackage tools-dvipdf
+
+* Thu Sep 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.27-1
+- Package init