From bcb0d3f385495db1bfb38f8690bd7a11fba8b421 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 5 Jun 2023 15:43:44 +0100 Subject: ghostscript: upgrade to 10.01.1 Drop the merged fix for CVE-2023-28879. (From OE-Core rev: 659b0cf41db00420366d0eca103f16922c2c5d72) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../ghostscript/ghostscript/cross-compile.patch | 40 ------- .../ghostscript/ghostscript/cve-2023-28879.patch | 60 ---------- .../ghostscript/ghostscript_10.0.0.bb | 130 --------------------- .../ghostscript/ghostscript_10.01.1.bb | 128 ++++++++++++++++++++ 4 files changed, 128 insertions(+), 230 deletions(-) delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/cross-compile.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb create mode 100644 meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb diff --git a/meta/recipes-extended/ghostscript/ghostscript/cross-compile.patch b/meta/recipes-extended/ghostscript/ghostscript/cross-compile.patch deleted file mode 100644 index ba62820df1..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/cross-compile.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4c3575346b9c7d394ebc73b4e5fabebadd8877ec Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Thu, 24 Nov 2022 16:33:47 +0000 -Subject: [PATCH] Fix a little bitrot in the cross-compiling logic - -Removing the option to disable FAPI meant configuring for cross compiling would -fail because the option being passed to the sub-call to configure would include -an unknown command line option. - -Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;f=configure.ac;h=4c3575346b9c7d394ebc73b4e5fabebadd8877ec] -Signed-off-by: Alexander Kanavin ---- - configure.ac | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d5c68c4b3..738eb10a9 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -138,7 +138,7 @@ if test x"$host" != x"$build" ; then - echo $AUXFLAGS_MAK_LINE07 >> $AUXFLAGS_MAK.in - - AC_MSG_NOTICE([Begin recursive call to configure script (for auxiliary tools)]) -- "$absolute_source_path/configure" CC="$CCAUX" CFLAGS="$CFLAGSAUX" CPPFLAGS="$CPPFLAGSAUX" LDFLAGS="$LDFLAGSAUX" CCAUX= CFLAGSAUX= CFLAGSAUX= MAKEFILE=$AUXFLAGS_MAK --host=$build --build=$build --enable-auxtools_only --disable-hidden-visibility --with-local-zlib --without-libtiff --disable-contrib --disable-fontconfig --disable-dbus --disable-freetype --disable-fapi --disable-cups --disable-openjpeg --disable-gtk --with-libiconv=no --without-libidn --without-libpaper --without-pdftoraster --without-ijs --without-jbig2dec --without-x --with-drivers="" -+ "$absolute_source_path/configure" CC="$CCAUX" CFLAGS="$CFLAGSAUX" CPPFLAGS="$CPPFLAGSAUX" LDFLAGS="$LDFLAGSAUX" CCAUX= CFLAGSAUX= CFLAGSAUX= MAKEFILE=$AUXFLAGS_MAK --host=$build --build=$build --enable-auxtools_only --disable-hidden-visibility --with-local-zlib --without-libtiff --disable-contrib --disable-fontconfig --disable-dbus --disable-freetype --disable-cups --disable-openjpeg --disable-gtk --with-libiconv=no --without-libidn --without-libpaper --without-pdftoraster --without-ijs --without-jbig2dec --without-x --with-drivers="" - status=$? - cp config.log "$olddir/configaux.log" - if test $status -eq 0 ; then -@@ -2530,7 +2530,7 @@ PDF= - PDF_MAK="\$(GLSRCDIR)\$(D)stub.mak" - PDFROMFS_MAK="\$(GLSRCDIR)\$(D)stub.mak" - --if test x"$with_pdf" != x"no" ; then -+if test x"$with_pdf" != x"no" -a x"$enable_auxtools_only" != x"yes" ; then - - if test x"$JBIG2_DECODER" = x""; then - AC_MSG_ERROR([No JBIG2 decoder available, required for PDF support]) --- -2.25.1 - diff --git a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch deleted file mode 100644 index 604b927521..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Fri, 24 Mar 2023 13:19:57 +0000 -Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding - -Bug #706494 "Buffer Overflow in s_xBCPE_process" - -As described in detail in the bug report, if the write buffer is filled -to one byte less than full, and we then try to write an escaped -character, we overrun the buffer because we don't check before -writing two bytes to it. - -This just checks if we have two bytes before starting to write an -escaped character and exits if we don't (replacing the consumed byte -of the input). - -Up for further discussion; why do we even permit a BCP encoding filter -anyway ? I think we should remove this, at least when SAFER is true. ---- -CVE: CVE-2023-28879 - -Upstream-Status: Backport [see text] - -git://git.ghostscript.com/ghostpdl -cherry-pick - -Signed-off-by: Joe Slater limit - q < 2) { -+ p--; -+ break; -+ } - if (p == rlimit) { - p--; - break; --- -2.25.1 - diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb deleted file mode 100644 index 86ecdbe24a..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ /dev/null @@ -1,130 +0,0 @@ -SUMMARY = "The GPL Ghostscript PostScript/PDF interpreter" -DESCRIPTION = "Ghostscript is used for PostScript/PDF preview and printing. Usually as \ -a back-end to a program such as ghostview, it can display PostScript and PDF \ -documents in an X11 environment. \ -\ -Furthermore, it can render PostScript and PDF files as graphics to be printed \ -on non-PostScript printers. Supported printers include common \ -dot-matrix, inkjet and laser models. \ -" -HOMEPAGE = "http://www.ghostscript.com" -SECTION = "console/utils" - -LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://LICENSE;md5=f98ffa763e50cded76f49bce73aade16" - -DEPENDS = "ghostscript-native tiff jpeg fontconfig cups libpng" -DEPENDS:class-native = "libpng-native" - -UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases" -UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" - -# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources -# however we use an external jpeg which doesn't have the issue. -CVE_CHECK_IGNORE += "CVE-2013-6629" - -def gs_verdir(v): - return "".join(v.split(".")) - - -SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \ - file://ghostscript-9.15-parallel-make.patch \ - file://ghostscript-9.16-Werror-return-type.patch \ - file://do-not-check-local-libpng-source.patch \ - file://avoid-host-contamination.patch \ - file://mkdir-p.patch \ - file://cross-compile.patch \ - file://cve-2023-28879.patch \ -" - -SRC_URI = "${SRC_URI_BASE} \ - file://cups-no-gcrypt.patch \ - " - -SRC_URI:class-native = "${SRC_URI_BASE} \ - file://ghostscript-9.21-native-fix-disable-system-libtiff.patch \ - file://base-genht.c-add-a-preprocessor-define-to-allow-fope.patch \ - " - -SRC_URI[sha256sum] = "a57764d70caf85e2fc0b0f59b83b92e25775631714dcdb97cc6e0cea414bb5a3" - -# Put something like -# -# PACKAGECONFIG:append:pn-ghostscript = " x11" -# -# in local.conf to enable building with X11. Be careful. The order -# of the overrides matters! -# -#PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" -PACKAGECONFIG:class-native = "" - -PACKAGECONFIG[x11] = "--with-x --x-includes=${STAGING_INCDIR} --x-libraries=${STAGING_LIBDIR}, \ - --without-x, virtual/libx11 libxext libxt gtk+3\ - " - -EXTRA_OECONF = "--without-libpaper --with-system-libtiff --with-jbig2dec \ - --with-fontpath=${datadir}/fonts \ - --without-libidn --with-cups-serverbin=${exec_prefix}/lib/cups \ - --with-cups-datadir=${datadir}/cups \ - CUPSCONFIG="${STAGING_BINDIR_CROSS}/cups-config" \ - " - -EXTRA_OECONF:append:mipsarcho32 = " --with-large_color_index=0" - -# Explicity disable libtiff, fontconfig, -# freetype, cups for ghostscript-native -EXTRA_OECONF:class-native = "--without-x --with-system-libtiff=no \ - --without-libpaper \ - --with-fontpath=${datadir}/fonts \ - --without-libidn --disable-fontconfig \ - --enable-freetype --disable-cups " - -# This has been fixed upstream but for now we need to subvert the check for time.h -# http://bugs.ghostscript.com/show_bug.cgi?id=692443 -# http://bugs.ghostscript.com/show_bug.cgi?id=692426 -CFLAGS += "-DHAVE_SYS_TIME_H=1" -BUILD_CFLAGS += "-DHAVE_SYS_TIME_H=1" - -inherit autotools-brokensep - -do_configure:prepend:class-target () { - rm -rf ${S}/jpeg/ -} - -do_configure:append () { - # copy tools from the native ghostscript build - if [ "${PN}" != "ghostscript-native" ]; then - mkdir -p obj/aux soobj - for i in genarch genconf mkromfs echogs gendev genht packps; do - cp ${STAGING_BINDIR_NATIVE}/ghostscript-${PV}/$i obj/aux/$i - done - fi -} - -do_install:append () { - mkdir -p ${D}${datadir}/ghostscript/${PV}/ - cp -r ${S}/Resource ${D}${datadir}/ghostscript/${PV}/ - cp -r ${S}/iccprofiles ${D}${datadir}/ghostscript/${PV}/ -} - -do_compile:class-native () { - mkdir -p obj - for i in genarch genconf mkromfs echogs gendev genht packps; do - oe_runmake obj/aux/$i - done -} - -do_install:class-native () { - install -d ${D}${bindir}/ghostscript-${PV} - for i in genarch genconf mkromfs echogs gendev genht packps; do - install -m 755 obj/aux/$i ${D}${bindir}/ghostscript-${PV}/$i - done -} - -BBCLASSEXTEND = "native" - -# ghostscript does not supports "arc" -COMPATIBLE_HOST = "^(?!arc).*" - -# some entries in NVD uses gpl_ghostscript -CVE_PRODUCT = "ghostscript gpl_ghostscript" diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb new file mode 100644 index 0000000000..5d4b8cdc91 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb @@ -0,0 +1,128 @@ +SUMMARY = "The GPL Ghostscript PostScript/PDF interpreter" +DESCRIPTION = "Ghostscript is used for PostScript/PDF preview and printing. Usually as \ +a back-end to a program such as ghostview, it can display PostScript and PDF \ +documents in an X11 environment. \ +\ +Furthermore, it can render PostScript and PDF files as graphics to be printed \ +on non-PostScript printers. Supported printers include common \ +dot-matrix, inkjet and laser models. \ +" +HOMEPAGE = "http://www.ghostscript.com" +SECTION = "console/utils" + +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=f98ffa763e50cded76f49bce73aade16" + +DEPENDS = "ghostscript-native tiff jpeg fontconfig cups libpng" +DEPENDS:class-native = "libpng-native" + +UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases" +UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" + +# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources +# however we use an external jpeg which doesn't have the issue. +CVE_CHECK_IGNORE += "CVE-2013-6629" + +def gs_verdir(v): + return "".join(v.split(".")) + + +SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \ + file://ghostscript-9.15-parallel-make.patch \ + file://ghostscript-9.16-Werror-return-type.patch \ + file://do-not-check-local-libpng-source.patch \ + file://avoid-host-contamination.patch \ + file://mkdir-p.patch \ +" + +SRC_URI = "${SRC_URI_BASE} \ + file://cups-no-gcrypt.patch \ + " + +SRC_URI:class-native = "${SRC_URI_BASE} \ + file://ghostscript-9.21-native-fix-disable-system-libtiff.patch \ + file://base-genht.c-add-a-preprocessor-define-to-allow-fope.patch \ + " + +SRC_URI[sha256sum] = "4df18a808cd4369f25e02dbcec2f133cb6d674627b2c6b1502020e58d43e32ce" + +# Put something like +# +# PACKAGECONFIG:append:pn-ghostscript = " x11" +# +# in local.conf to enable building with X11. Be careful. The order +# of the overrides matters! +# +#PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" +PACKAGECONFIG:class-native = "" + +PACKAGECONFIG[x11] = "--with-x --x-includes=${STAGING_INCDIR} --x-libraries=${STAGING_LIBDIR}, \ + --without-x, virtual/libx11 libxext libxt gtk+3\ + " + +EXTRA_OECONF = "--without-libpaper --with-system-libtiff --with-jbig2dec \ + --with-fontpath=${datadir}/fonts \ + --without-libidn --with-cups-serverbin=${exec_prefix}/lib/cups \ + --with-cups-datadir=${datadir}/cups \ + CUPSCONFIG="${STAGING_BINDIR_CROSS}/cups-config" \ + " + +EXTRA_OECONF:append:mipsarcho32 = " --with-large_color_index=0" + +# Explicity disable libtiff, fontconfig, +# freetype, cups for ghostscript-native +EXTRA_OECONF:class-native = "--without-x --with-system-libtiff=no \ + --without-libpaper \ + --with-fontpath=${datadir}/fonts \ + --without-libidn --disable-fontconfig \ + --enable-freetype --disable-cups " + +# This has been fixed upstream but for now we need to subvert the check for time.h +# http://bugs.ghostscript.com/show_bug.cgi?id=692443 +# http://bugs.ghostscript.com/show_bug.cgi?id=692426 +CFLAGS += "-DHAVE_SYS_TIME_H=1" +BUILD_CFLAGS += "-DHAVE_SYS_TIME_H=1" + +inherit autotools-brokensep + +do_configure:prepend:class-target () { + rm -rf ${S}/jpeg/ +} + +do_configure:append () { + # copy tools from the native ghostscript build + if [ "${PN}" != "ghostscript-native" ]; then + mkdir -p obj/aux soobj + for i in genarch genconf mkromfs echogs gendev genht packps; do + cp ${STAGING_BINDIR_NATIVE}/ghostscript-${PV}/$i obj/aux/$i + done + fi +} + +do_install:append () { + mkdir -p ${D}${datadir}/ghostscript/${PV}/ + cp -r ${S}/Resource ${D}${datadir}/ghostscript/${PV}/ + cp -r ${S}/iccprofiles ${D}${datadir}/ghostscript/${PV}/ +} + +do_compile:class-native () { + mkdir -p obj + for i in genarch genconf mkromfs echogs gendev genht packps; do + oe_runmake obj/aux/$i + done +} + +do_install:class-native () { + install -d ${D}${bindir}/ghostscript-${PV} + for i in genarch genconf mkromfs echogs gendev genht packps; do + install -m 755 obj/aux/$i ${D}${bindir}/ghostscript-${PV}/$i + done +} + +BBCLASSEXTEND = "native" + +# ghostscript does not supports "arc" +COMPATIBLE_HOST = "^(?!arc).*" + +# some entries in NVD uses gpl_ghostscript +CVE_PRODUCT = "ghostscript gpl_ghostscript" -- cgit v1.2.3-54-g00ecf