path: root/meta/recipes-extended/ghostscript
Commit message | Author | Age | Files | Lines
* ghostscript: upgrade 10.03.0 -> 10.03.1 | Changqing Li | 2024-05-30 | 1 | -1/+1
  Patch release to address security bugs:
  CVE-2024-33869 CVE-2023-52722 CVE-2024-33870 CVE-2024-33871 CVE-2024-29510

  (From OE-Core rev: 9a424fbcdc0c792ff3b99bf0e8a5e380582f53bc)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.02.1 -> 10.03.0 | Wang Mingyu | 2024-04-16 | 3 | -108/+5
  avoid-host-contamination.patch refreshed for 10.03.0
  configure.ac-add-option-to-explicitly-disable-neon.patch removed since it's included in 10.03.0

  (From OE-Core rev: 0e389b7b20cf77327127ae0ced856e2b2ec7aee2)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Update CVE_STATUS for incorrect cpes | Simone Weiß | 2024-02-24 | 1 | -0/+1
  Set CVE_STATUS as none of the issues apply against the versions used in the recipes.

  (From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe)
  Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: correct LICENSE with AGPLv3 | Kai Kang | 2024-02-08 | 1 | -1/+1
  The license of ghostscript has switched to Affero GPL since version 9.07 via commit:
  * 3cc5318 Switch Ghostscript/GhostPDL to Affero GPL
  https://github.com/ArtifexSoftware/ghostpdl/commit/3cc5318
  Correct it with `AGPL-3.0-or-later`.

  (From OE-Core rev: 7dec33a8026d9aa96177060b13bb63d74eeb4855)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Build and install shared lib | Markus Volk | 2023-11-13 | 1 | -1/+2
  libgs is eg. needed to build ghostscript support for gimp
  also install the data target

  (From OE-Core rev: cedd211d8b73076d1ef6f32af1c59e87a436d637)
  Signed-off-by: Markus Volk <f_l_k@t-online.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.02.0 -> 10.02.1 | Wang Mingyu | 2023-11-05 | 1 | -1/+1
  (From OE-Core rev: 9492c2d51a08fbd4c107540a5a833b1a3fb70504)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.01.2 -> 10.02.0 | Alexander Kanavin | 2023-09-26 | 2 | -34/+2
  (From OE-Core rev: e705edc553fa57361cb948ec7923b261f373f385)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: avoid neon on unsupported machines | Benjamin Bara | 2023-09-05 | 2 | -0/+103
  Disable neon if the machine does not support it.

  (From OE-Core rev: 22d40fcb984849bc8735bf03b306c3a3b11eb779)
  Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: ignore CVE-2023-38560 | Ross Burton | 2023-08-09 | 1 | -0/+2
  The ghostscript recipe isn't vulnerable to CVE-2023-38560, as this is an issue in the GhostPCL release, whereas this recipe is the Ghostscript release.

  (From OE-Core rev: f82a13beabc784da1455f86064ce9f0f225b6e5a)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: backport fix for CVE-2023-38559 | Ross Burton | 2023-08-09 | 2 | -0/+32
  (From OE-Core rev: 38478a82598260e5e0616598e8cf78416dac1867)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: advance to version 10.01.2 | Joe Slater | 2023-07-14 | 1 | -1/+1
  Fix CVE-2023-28879 and CVE-2023-36664.

  (From OE-Core rev: 7a66d238af8545dfb9a79e551ccaac889b2d52dd)
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: remove CVE_CHECK_IGNORE for CVE-2013-6629 | Ross Burton | 2023-06-29 | 1 | -3/+0
  This CVE now has a version range, indicating that this Ghostscript release isn't vulnerable.

  (From OE-Core rev: da6d0763a7fb9c7a322bf5964f8abdf6bed7e219)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: mostly rewrite recipe | Ross Burton | 2023-06-20 | 8 | -314/+21
  This started as a patch cleanup but escalated rapidly.

  Remove unneeded patches:
  - mkdir-p.patch isn't needed now the Makefiles appear to have the correct dependencies.
  - ghostscript-9.15-parallel-make.patch appears to be unneeded for the same reason
  - base-genht.c-add-a-preprocessor-define-to-allow-fope.patch isn't needed
  - cups-no-gcrypt.patch isn't needed
  - do-not-check-local-libpng-source.patch can be replaced by deleting the libpng/ directory, as is already done for jpeg/
  - ghostscript-9.21-native-fix-disable-system-libtiff.patch is not needed when we stop doing native builds (see below)

  Remove the need for ghostscript-native to build and install tools that are needed at target build-time: ghostscript can do this itself. Remove the BBCLASSEXTEND and all of the native overrides.

  Inherit pkgconfig and explicitly tell configure to use the pkgconfig binary: unless told otherwise this configure will refuse to use an unprefixed pkgconfig in cross builds.

  Review DEPENDS and add missing freetype and zlib dependencies.

  Ghostscript will use the embedded copies of libraries over system libraries, so extend the deletion of jpeg and libpng to include expat, freetype, and cups as we want to link to our build of those. We can't delete zlib as it is explicitly used when building the native tools.

  Add PACKAGECONFIGs for optional libidn and libpaper dependencies.

  Remove HAVE_SYS_TIME_H assignments, the upstream bug was fixed in 2011.

  Clean up comments: there's no need to explain how to use PACKAGECONFIG, and justify the use of autotools-brokensep.

  (From OE-Core rev: b62e6d676ce2075a52eea729957f186cfb3bd42b)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade to 10.01.1 | Ross Burton | 2023-06-06 | 3 | -103/+1
  Drop the merged fix for CVE-2023-28879.

  (From OE-Core rev: 659b0cf41db00420366d0eca103f16922c2c5d72)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2023-28879 | Joe Slater | 2023-05-05 | 2 | -0/+61
  Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1.

  (From OE-Core rev: 8a70d6935afa38173dbf012b8e1c3d59228504df)
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.56.1 -> 10.0.0 | Alexander Kanavin | 2022-12-18 | 3 | -6/+47
  Drop --without-jbig2dec as it is now required by pdf support and jbig2dec library is in ghostscript's source tree.

  (From OE-Core rev: 761a17b7beab248056b69b9c3d84b1ddc4d2082d)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: remove unneeded patch | Alexander Kanavin | 2022-09-02 | 2 | -79/+0
  The patch has been added here
  https://git.yoctoproject.org/poky/commit/?id=ca63a0158ae42010477080ad6bb776329f1230b0
  and isn't necessary anymore, as cross compilation works fine without it.

  (From OE-Core rev: 37e521d8a5d1a89ba46d5058bc9c86cbe2195652)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.55.0 -> 9.56.1 | wangmy | 2022-04-19 | 1 | -1/+1
  (From OE-Core rev: 83a45e8a2532689da6cffe444ad4326ad1b1a4f2)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/scripts: Automated conversion of OE renamed variables | Richard Purdie | 2022-02-21 | 1 | -1/+1
  (From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers | Richard Purdie | 2022-02-20 | 1 | -1/+1
  An automated conversion using scripts/contrib/convert-spdx-licenses.py to convert to use the standard SPDX license identifiers. Two recipes in meta-selftest were not converted as they're that way specifically for testing. A change in linux-firmware was also skipped and may need a more manual tweak.

  (From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.54.0 -> 9.55.0 | Alexander Kanavin | 2021-10-23 | 1 | -3/+3
  jbig2dec seems no longer optional; the source for it is bundled with ghostscript.

  License-Update: removed patent references

  (From OE-Core rev: 44a3bea7e8fedbc76b6e8f97e1f669def81e158a)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Convert to new override syntax | Richard Purdie | 2021-08-02 | 1 | -11/+11
  This is the result of automated script conversion:
  scripts/contrib/convert-overrides.py <oe-core directory>
  converting the metadata to use ":" as the override character instead of "_".

  (From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Exclude CVE-2013-6629 from cve-check | Richard Purdie | 2021-05-12 | 1 | -0/+4
  The CVE is in the jpeg sources included with ghostscript. We use our own external jpeg library so this doesn't affect us.

  (From OE-Core rev: 8556d6a6722f21af5e6f97589bec3cbd31da206c)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.53.3 -> 9.54.0 | wangmy | 2021-04-18 | 1 | -1/+1
  (From OE-Core rev: bb4cdbda73b77808ebbd17cce3420fab767b496d)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.52 -> 9.53.3 | Alexander Kanavin | 2020-10-30 | 3 | -74/+12
  ghostscript-9.15-parallel-make.patch rebased; one of the chunks removed upstream.

  Remove bundled jpeg source, as that seems to be the only way to get ghostscript to fall back to system jpeg library.

  (From OE-Core rev: ad8c8ffc5a008872d40a36ea825da30accd6a11a)
  Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2020-15900 | Lee Chee Yang | 2020-08-08 | 2 | -0/+55
  (From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Remove leftover file | Richard Purdie | 2020-05-18 | 1 | -1/+0
  This should have been removed in a previous change but was accidentally left behind and points at an invalid directory.

  (From OE-Core rev: 9d6ce24207189c711099f45265b240d0cdc0e686)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.50 -> 9.52 | Alexander Kanavin | 2020-05-03 | 21 | -826/+19
  Drop all custom objarch.h files; ghostscript nowadays generates that with autoconf.

  Freetype can no longer be disabled.

  Building out of source tree is broken.

  (From OE-Core rev: bb699a99b2e99a868520430c614d55ea3004427c)
  Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: do not hardcode version in SRC_URI | Alexander Kanavin | 2020-05-03 | 1 | -1/+5
  (From OE-Core rev: e0d972a054e286d62ccf9e3ccc4ec00892198038)
  Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* microblaze: Adjust Linux items from microblazeeb to microblaze | Mark Hatle | 2020-02-06 | 1 | -0/+0
  Due to recent changes to the tune, in order to match config.guess, the name of the big-endian microblaze architecture was changed to 'microblaze'.

  (From OE-Core rev: 6f6a6bbac684ead3fe6d070d61f17c2f611a2c87)
  Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Add powerpc64 LE specific objarch.h | Khem Raj | 2020-01-19 | 1 | -0/+40
  (From OE-Core rev: 2b2ebb11da16975e3b0cba7854c3cfe54e0305a3)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.27 -> 9.50 | Trevor Gamblin | 2019-12-09 | 4 | -581/+3
  Version 9.50 incorporates previously-backported fixes for CVE-2019-14811 and CVE-2019-14817.

  CVE: CVE-2019-14811
  CVE: CVE-2019-14817

  (From OE-Core rev: 8c626421840da9441be03587a57e9cf1ebd3d6f0)
  Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix for CVE-2019-14811 is same as CVE-2019-14813 | Anuj Mittal | 2019-11-29 | 1 | -0/+1
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813
  https://www.openwall.com/lists/oss-security/2019/08/28/2

  (From OE-Core rev: afef29326b4332fc87c53a5d9d43288cddcdd944)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14869 | Stefan Ghinea | 2019-11-25 | 2 | -0/+71
  A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-14869

  Upstream patches:
  https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904

  (From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c)
  Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Disable libpaper | Khem Raj | 2019-10-08 | 1 | -2/+2
  OE does not provide libpaper recipe, and the configure check looks for libpaper if not disabled, this causes problems especially when shared state is built on a machine which has libpaper installed on host but the consumer machine although running same OS, but does not have libpaper installed, the artifact from sstate are re-used but then native binary ./obj/aux/packps fails to execute

  ./obj/aux/packps: error while loading shared libraries: libpaper.so.1: cannot open shared object file: No such file or directory

  So either we need to provide libpaper in OE or we disable it, disabling is best for now

  (From OE-Core rev: 11e85220d97299be5f65d5208ec21d4ad215317a)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14811, CVE-2019-14817 | Stefan Ghinea | 2019-09-16 | 4 | -0/+577
  A flaw was found in ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

  A flaw was found in ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-14811
  https://nvd.nist.gov/vuln/detail/CVE-2019-14817

  Upstream patches:
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

  (From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c)
  Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.26 -> 9.27 | Hongxu Jia | 2019-05-12 | 15 | -2698/+10
  - Rebase ghostscript-9.02-genarch.patch
  - Drop backported CVE patches

  (From OE-Core rev: 62510fc82a8eee19bfc51d7b5bc1c6f2aec3825b)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: set CVE_PRODUCT | Chen Qi | 2019-05-08 | 1 | -0/+3
  (From OE-Core rev: 721e69aa12dd9ee22618ef13f29fb6d28eeab9af)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Fix 3 CVEs | Ovidiu Panait | 2019-04-09 | 14 | -0/+2688
  It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.

  It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER.

  It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-6116
  https://www.openwall.com/lists/oss-security/2019/01/23/5
  https://nvd.nist.gov/vuln/detail/CVE-2019-3835
  https://nvd.nist.gov/vuln/detail/CVE-2019-3838

  Upstream patches:
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e

  (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.25 -> 9.26 | Hongxu Jia | 2018-12-01 | 9 | -1296/+3
  - Drop backported CVE fixes 000[1-8]*.patch

  (From OE-Core rev: f30bd6bf01dbf81f0872382be44d507fb981f953)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18284 | Hongxu Jia | 2018-11-07 | 2 | -0/+246
  Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.

  (From OE-Core rev: 98ab5c5770d20b39bf3c58083f31f31838f2e940)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18073 | Hongxu Jia | 2018-11-07 | 3 | -0/+241
  Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object.

  (From OE-Core rev: 6098c19e1f179896af7013c4b5db3081549c97bc)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-17961 | Hongxu Jia | 2018-11-07 | 6 | -0/+806
  Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.

  (From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade to 9.25 | Jagadeesh Krishnanjanappa | 2018-09-20 | 10 | -396/+13
  Removed below patches, as v9.25 source already has those changes/security fixes:
  0001-Bug-699665-memory-corruption-in-aesdecode.patch
  0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
  0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
  0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
  0004-Hide-the-.shfill-operator.patch
  0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
  remove-direct-symlink.patch

  Re-worked ghostscript-9.21-native-fix-disable-system-libtiff.patch and ghostscript-9.21-prevent_recompiling.patch to fix warnings in do_patch task of ghostscript v9.25 recipe.

  Highlights of ghostscript v9.25 release:
  ---------------------------------------
  - This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the recent 9.24 release.
  - Note: The ps2epsi utility does not, and cannot call Ghostscript with the -dSAFER command line option. It should never be called with input from untrusted sources.
  - Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
  - As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out of specification files.
  - IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).
  - The usual round of bug fixes, compatibility changes, and incremental improvements.

  (From OE-Core rev: 4340928b8878b91b5a2750eb6bc87918740511ca)
  Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911 | Hongxu Jia | 2018-09-11 | 6 | -0/+294
  (From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-10194 | Hongxu Jia | 2018-07-04 | 2 | -0/+50
  https://nvd.nist.gov/vuln/detail/CVE-2018-10194

  (From OE-Core rev: 4b56d6a61bfe4ca28d1301ae83898a979d3df73a)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.21 -> 9.23 | Hongxu Jia | 2018-05-04 | 23 | -640/+191
  1. Drop backported patches
  - CVE-2017-7207.patch
  - CVE-2017-5951.patch
  - CVE-2017-7975.patch
  - CVE-2017-9216.patch
  - CVE-2017-9611.patch
  - CVE-2017-9612.patch
  - CVE-2017-9739.patch
  - CVE-2017-9726.patch
  - CVE-2017-9727.patch
  - CVE-2017-9835.patch
  - CVE-2017-11714.patch

  2. Rebase to 9.23
  - ghostscript-9.15-parallel-make.patch
  - ghostscript-9.16-Werror-return-type.patch
  - do-not-check-local-libpng-source.patch
  - avoid-host-contamination.patch
  - mkdir-p.patch
  - ghostscript-9.21-prevent_recompiling.patch
  - ghostscript-9.02-genarch.patch
  - cups-no-gcrypt.patch
  - ghostscript-9.21-native-fix-disable-system-libtiff.patch
  - base-genht.c-add-a-preprocessor-define-to-allow-fope.patch

  3. Add packps from (native to target) to support cross compiling.

  4. Add remove-direct-symlink.patch to fix do_populate_sysroot failure

  (From OE-Core rev: f8b4636472c6784fb78ca09a7dd7ebe53011f631)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: drop incorrectly applied patch | Alexander Kanavin | 2018-03-09 | 2 | -34/+0
  The patch was adding a change to the source file that was already there, so the lines of code were repeated twice. This didn't create a bug or a security issue, but it may well have.

  Long story:
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450

  (From OE-Core rev: 1fc1a5f392ec6773cd520cbbd19b58931c6a2d66)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: refresh patches | Ross Burton | 2018-03-09 | 1 | -5/+6
  The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in.

  Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad.

  We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed.

  (From OE-Core rev: 49437de120ffdf26396fb295254f51ccc204560a)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2017-9727, -9835, -11714 | Joe Slater | 2017-08-23 | 4 | -0/+224
  CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
  CVE-2017-9835: bounds check the array allocations methods
  CVE-2017-11714: prevent trying to reloc a freed object

  (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>