summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/ghostscript
Commit message (Collapse)AuthorAgeFilesLines
* ghostscript: Backport fix for CVE-2020-36773Vijay Anusuri2024-02-162-0/+110
| | | | | | | | | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874] (From OE-Core rev: 1a25a8ebedf39f1a868fcf646684b2eeaa67301f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport fix CVE-2023-43115Vijay Anusuri2023-10-132-0/+63
| | | | | | | | | | | | | | | | | | | In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115 Upstream commit: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 (From OE-Core rev: a43f7277061ee6c30c42c9318e3e9dd076563f5d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-36664Vijay Anusuri2023-10-044-0/+270
| | | | | | | | | | | | | | | | | | Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream commits: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099 (From OE-Core rev: 13534218ec37706d9decca5b5bd0453e312d72b0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: backport fix for CVE-2023-38559Vijay Anusuri2023-08-162-0/+32
| | | | | | | | | Upstream-Status: Backport from https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (From OE-Core rev: f70113d1d5b5359c8b668ba43aac362457927d9e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Fix CVE-2023-28879Vijay Anusuri2023-06-132-0/+55
| | | | | | | | | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179] (From OE-Core rev: ec0c6f941826903b763be76c450f1d4e0e67908e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patchChee Yang Lee2023-03-251-1/+1
| | | | | | | | | | | This patch fix CVE-2021-45944. https://nvd.nist.gov/vuln/detail/CVE-2021-45944 (From OE-Core rev: d966b565d39bf50f058b388235ccea5ab0c2e60b) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: backport patch fix for CVE-2021-3781Davide Gardenal2022-03-314-0/+399
| | | | | | | | | | | | | | Upstream advisory: https://ghostscript.com/blog/CVE-2021-3781.html Other than the CVE fix other two commits are backported to fit the patch. (From OE-Core rev: ce856e5e07589d49d5ff84b515c48735cc78cd01) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2020-15900 and CVE-2021-45949 for -nativeSteve Sakoman2022-03-311-3/+3
| | | | | | | | | | | CVE patches (and the stack limits check patch) should have been added to SRC_URI_BASE so that they are applied for both target and -native packages. (From OE-Core rev: da9b7b8973913c80c989aee1f5b34c98362725a8) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2021-45949Minjae Kim2022-02-163-0/+118
| | | | | | | | | | | | | | | | | Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). To apply this CVE-2021-45959 patch, the check-stack-limits-after-function-evalution.patch should be applied first. References: https://nvd.nist.gov/vuln/detail/CVE-2021-45949 (From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0) Signed-off-by: Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Exclude CVE-2013-6629 from cve-checkRichard Purdie2021-05-201-0/+4
| | | | | | | | | | | | The CVE is in the jpeg sources included with ghostscript. We use our own external jpeg library so this doesn't affect us. (From OE-Core rev: 829296767ecfbd443d738367b7146a91506e25f2) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8556d6a6722f21af5e6f97589bec3cbd31da206c) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update to 9.52Lee Chee Yang2020-08-2722-829/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is maintenance release consolidating the changes introduced in 9.50. see : https://www.ghostscript.com/doc/9.52/News.htm Drop all custom objarch.h files; ghostscript nowadays generates that with autoconf. Freetype can no longer be disabled. Building out of source tree is broken. Upgrade include several CVE fixes: CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16308 CVE-2020-16309 CVE-2020-17538 (From OE-Core rev: 1cee5540ca74c38cc483b28f720e345644d6ca9b) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2020-15900Lee Chee Yang2020-08-122-0/+55
| | | | | | | | (From OE-Core rev: a58aa3017925617da1eec732a0e68bfda83410a1) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* microblaze: Adjust Linux items from microblazeeb to microblazeMark Hatle2020-02-061-0/+0
| | | | | | | | | | Due to recent changes to the tune, in order to match config.guess, the name of the big-endian microblaze architecture was changes to 'microblaze'. (From OE-Core rev: 6f6a6bbac684ead3fe6d070d61f17c2f611a2c87) Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Add powerpc64 LE specific objarch.hKhem Raj2020-01-191-0/+40
| | | | | | | (From OE-Core rev: 2b2ebb11da16975e3b0cba7854c3cfe54e0305a3) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.27 -> 9.50Trevor Gamblin2019-12-094-581/+3
| | | | | | | | | | | | | Version 9.50 incorporates previously-backported fixes for CVE-2019-14811 and CVE-2019-14817. CVE: CVE-2019-14811 CVE: CVE-2019-14817 (From OE-Core rev: 8c626421840da9441be03587a57e9cf1ebd3d6f0) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix for CVE-2019-14811 is same as CVE-2019-14813Anuj Mittal2019-11-291-0/+1
| | | | | | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813 https://www.openwall.com/lists/oss-security/2019/08/28/2 (From OE-Core rev: afef29326b4332fc87c53a5d9d43288cddcdd944) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14869Stefan Ghinea2019-11-252-0/+71
| | | | | | | | | | | | | | | | | | | | | A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14869 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904 (From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Disable libpaperKhem Raj2019-10-081-2/+2
| | | | | | | | | | | | | | | | | | | OE does not provide libpaper recipe, and the configure check looks for libpaper if not disabled, this causes problems especially when shared state is built on a machine which has libpaper installed on host but the consumer machine although running same OS, but does not have libpaper installed, the artifact from sstate are re-used but then native binary ./obj/aux/packps fails to execute ./obj/aux/packps: error while loading shared libraries: libpaper.so.1: cannot open shared object file: No such file or directory So either we need to provide libpaper in OE or we disable it, disabling is best for now (From OE-Core rev: 11e85220d97299be5f65d5208ec21d4ad215317a) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14811, CVE-2019-14817Stefan Ghinea2019-09-164-0/+577
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14811 https://nvd.nist.gov/vuln/detail/CVE-2019-14817 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 (From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.26 -> 9.27Hongxu Jia2019-05-1215-2698/+10
| | | | | | | | | | | - Rebase ghostscript-9.02-genarch.patch - Drop backported CVE patches (From OE-Core rev: 62510fc82a8eee19bfc51d7b5bc1c6f2aec3825b) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: set CVE_PRODUCTChen Qi2019-05-081-0/+3
| | | | | | | (From OE-Core rev: 721e69aa12dd9ee22618ef13f29fb6d28eeab9af) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Fix 3 CVEsOvidiu Panait2019-04-0914-0/+2688
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. References: https://nvd.nist.gov/vuln/detail/CVE-2019-6116 https://www.openwall.com/lists/oss-security/2019/01/23/5 https://nvd.nist.gov/vuln/detail/CVE-2019-3835 https://nvd.nist.gov/vuln/detail/CVE-2019-3838 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.25 -> 9.26Hongxu Jia2018-12-019-1296/+3
| | | | | | | | | | - Drop backported CVE fixes 000[1-8]*.patch (From OE-Core rev: f30bd6bf01dbf81f0872382be44d507fb981f953) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18284Hongxu Jia2018-11-072-0/+246
| | | | | | | | | | | Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (From OE-Core rev: 98ab5c5770d20b39bf3c58083f31f31838f2e940) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18073Hongxu Jia2018-11-073-0/+241
| | | | | | | | | | | Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (From OE-Core rev: 6098c19e1f179896af7013c4b5db3081549c97bc) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-17961Hongxu Jia2018-11-076-0/+806
| | | | | | | | | | | | Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade to 9.25Jagadeesh Krishnanjanappa2018-09-2010-396/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removed below patches, as v9.25 source already has those changes/security fixes: 0001-Bug-699665-memory-corruption-in-aesdecode.patch 0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch 0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch 0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch 0004-Hide-the-.shfill-operator.patch 0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch remove-direct-symlink.patch Re-worked ghostscript-9.21-native-fix-disable-system-libtiff.patch and ghostscript-9.21-prevent_recompiling.patch to fix warnings in do_patch task of ghostscript v9.25 recipe. Highlights of ghostscript v9.25 release: --------------------------------------- - This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the recent 9.24 release. - Note: The ps2epsi utility does not, and cannot call Ghostscript with the -dSAFER command line option. It should never be called with input from untrusted sources. - Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits. - As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out specification files. - IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all be been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF). - The usual round of bug fixes, compatibility changes, and incremental improvements. (From OE-Core rev: 4340928b8878b91b5a2750eb6bc87918740511ca) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & ↵Hongxu Jia2018-09-116-0/+294
| | | | | | | | | | CVE-2018-15911 (From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-10194Hongxu Jia2018-07-042-0/+50
| | | | | | | | | | https://nvd.nist.gov/vuln/detail/CVE-2018-10194 (From OE-Core rev: 4b56d6a61bfe4ca28d1301ae83898a979d3df73a) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.21 -> 9.23Hongxu Jia2018-05-0423-640/+191
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Drop backported patches - CVE-2017-7207.patch - CVE-2017-5951.patch - CVE-2017-7975.patch - CVE-2017-9216.patch - CVE-2017-9611.patch - CVE-2017-9612.patch - CVE-2017-9739.patch - CVE-2017-9726.patch - CVE-2017-9727.patch - CVE-2017-9835.patch - CVE-2017-11714.patch 2. Rebase to 9.23 - ghostscript-9.15-parallel-make.patch - ghostscript-9.16-Werror-return-type.patch - do-not-check-local-libpng-source.patch - avoid-host-contamination.patch - mkdir-p.patch - ghostscript-9.21-prevent_recompiling.patch - ghostscript-9.02-genarch.patch - cups-no-gcrypt.patch - ghostscript-9.21-native-fix-disable-system-libtiff.patch - base-genht.c-add-a-preprocessor-define-to-allow-fope.patch 3. Add packps from (native to target) to support cross compiling. 4. Add remove-direct-symlink.patch to fix do_populate_sysroot failure (From OE-Core rev: f8b4636472c6784fb78ca09a7dd7ebe53011f631) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: drop incorrectly applied patchAlexander Kanavin2018-03-092-34/+0
| | | | | | | | | | | | | | | The patch was adding a change to the source file that was already there, so the lines of code were repeated twice. This didn't create a bug or a security issue, but it may well have. Long story: https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450 (From OE-Core rev: 1fc1a5f392ec6773cd520cbbd19b58931c6a2d66) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: refresh patchesRoss Burton2018-03-091-5/+6
| | | | | | | | | | | | | | | | | | | | | The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. (From OE-Core rev: 49437de120ffdf26396fb295254f51ccc204560a) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2017-9727, -9835, -11714Joe Slater2017-08-234-0/+224
| | | | | | | | | | | CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust CVE-2017-9835: bounds check the array allocations methods CVE-2017-11714: prevent trying to reloc a freed object (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix several CVEs by adding bounds checkingJoe Slater2017-08-235-0/+143
| | | | | | | | | | | | CVE-2017-9611 CVE-2017-9612 CVE-2017-9739 CVE-2017-9726 (From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: remove legacy patch png_mak.patchKai Kang2017-07-212-33/+0
| | | | | | | | | | | | | | | | png_mak.patch was created for ghostscript 9.16 and causes make circular dependency now. Check source code base/png.mak after apply png_mak.patch: Line 77: $(MAKEDIRS) : $(pnglibconf_h) Line 83: $(pnglibconf_h) : $(PNGSRC)scripts$(D)pnglibconf.h.prebuilt $(TOP_MAKEFILES) $(MAKEDIRS) So remove png_mak.patch. (From OE-Core rev: 8a5890cc0b0a6c110edb36aec3614c3ebeb54e24) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Add/fix missing Upstream-Status to patchesRichard Purdie2017-06-271-0/+1
| | | | | | | | | This adds or fixes the Upstream-Status for all remaining patches missing it in OE-Core. (From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: add X11 PACKAGECONFIG infoJoe Slater2017-06-231-1/+15
| | | | | | | | | | | | | Add information necessary to build for x11, but do not enable that option. Fix parallel build directory creation issue. (From OE-Core rev: 2bfc7be412da501d8a9138a3dde33636c5fe2616) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: move to version 9.21Joe Slater2017-06-2311-276/+98
| | | | | | | | | | | | | | | | Eliminate CVE patches that are now in source. Add CUPSCONFIG to configure options. (From OE-Core rev: 3041f94896b50a5a5d19caf0dd0e7910c730e18e) Signed-off-by: Joe Slater <jslater@windriver.com> to be scrunched Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2017-9216Catalin Enache2017-05-305-0/+151
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. References: https://nvd.nist.gov/vuln/detail/CVE-2016-7977 https://nvd.nist.gov/vuln/detail/CVE-2016-7978 https://nvd.nist.gov/vuln/detail/CVE-2016-7979 https://nvd.nist.gov/vuln/detail/CVE-2017-9216 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=875a0095f37626a721c7ff57d606a0f95af03913 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853 (From OE-Core rev: 584dfa2f780d5785aaff01f84fbabc18b3478d76) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: check for incompatible hostChang Rebecca Swee Fun2017-05-181-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | The following warning occurs when building with meta-zephyr with MACHINE set to arduino-101-sss: WARNING: /srv/sdc/builds/11319/meta/recipes-extended/ghostscript/ghostscript_9.20.bb: Unable to get checksum for ghostscript SRC_URI entry objarch.h: file could not be found This is due to the the TARGET_ARCH = "arc" for meta-zephyr is not supported by ghostscript and causing bitbake unable to locate the correct config file during recipe parse. Adding checker in the recipe to raise an exception if the target architecture is "arc". This would then only display an error if someone specifically tries to build the recipe: ERROR: ghostscript was skipped: incompatible with host arc-yocto-elf (not in COMPATIBLE_HOST) [YOCTO #11344] (From OE-Core rev: 720a7230b92d734106d5340a426270dd4e921e8e) Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2016-8602, CVE-2017-7975Catalin Enache2017-05-183-0/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. References: https://nvd.nist.gov/vuln/detail/CVE-2016-8602 https://nvd.nist.gov/vuln/detail/CVE-2017-7975 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298 (From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951Catalin Enache2017-04-294-0/+151
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2017-7207Catalin Enache2017-04-102-0/+40
| | | | | | | | | | | | | | | | | | The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 (From OE-Core rev: 0f22a27c2abd2f2dd9119681f139dd85dcb6479d) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix upstream version checkAlexander Kanavin2016-12-171-0/+1
| | | | | | | | | | (From OE-Core rev: 10001924baf112a4556c5e85c16c482cbf435950) (From OE-Core rev: 4e8e884054b56c578d51d7b4af7150b77806368d) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript 9.19 -> 9.20Huang Qiyu2016-12-172-22/+21
| | | | | | | | | | | | | 1)Upgrade ghostscript from 9.19 to 9.20. 2)Modify ghostscript-9.15-parallel-make.patch, since the data has been changed. (From OE-Core rev: 4f3483c3a0ba22f46d768d78d6f56880e8ac5608) (From OE-Core rev: 9133ba6b8138951f3ef798f0a1cc6f694fe71868) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Use MIPS MACHINE_OVERRIDES for objarch.hZubair Lutfullah Kakakhel2016-11-306-0/+0
| | | | | | | | | | | | | MIPS MACHINE_OVERRIDES can be used to provide the same objarch.h files for MIPS pre-R2 and R6 ISA versions. Use them to reduce duplication in supporting MIPS R6 ISA (From OE-Core rev: a169f11cee3f4288467120cbc363f5e664b86f0c) Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Reduce duplication in MIPS variants.Zubair Lutfullah Kakakhel2016-11-151-2/+1
| | | | | | | | | | | Reduce duplication in MIPS variants now that the MACHINEOVERRIDES variable is defined (From OE-Core rev: c4aefe37ef5ff34ebd8e1a077c9198dcf3634e07) Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade to 9.19Hongxu Jia2016-06-156-200/+78
| | | | | | | | | | | | | | | | | | - Ghostscript and GhostPDL releases from version 9.19 have been moved to GitHub hosting, tweak download site - Drop 0001-Bug-696497-Fix-support-for-building-with-no-jbig2-de.patch, and 0002-Bug-696497-part-2-fix-support-for-building-with-a-JP.patch, ghostscript 9.19 has fixed them. - Fix QA Warning unrecognised options: --enable-little-endian. It use AC_C_BIGENDIAN to detect big/little endian. http://www.delorie.com/gnu/docs/autoconf/autoconf_64.html (From OE-Core rev: 227ca0a373b5a93602a419296ff1da1a96615ba2) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostcript: Set UPSTREAM_CHECK_URI variableLeonardo Sandoval2016-05-301-0/+2
| | | | | | | | | | | Set UPSTREAM_CHECK_URI (a github location), so package checking system gets the latest version of the package. (From OE-Core rev: 94d80ae33e0671e439c845f25e54aab0ee69843b) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Update URL_SRI considered as 'old release'Leonardo Sandoval2016-05-221-1/+1
| | | | | | | | | | | | | | | | The Ghostcript project started to place their tarballs in two places starting at 9.19 as explained in [1]. 9.18 version is considered old, so including the 'old-gs-releases' in the URL. [1] http://downloads.ghostscript.com/public/ [YOCTO #9573] (From OE-Core rev: f4232f796875b007a438eb75fe438db6aba30572) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>