<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-extended/ghostscript, branch uninative-2.1</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=uninative-2.1</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=uninative-2.1'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2018-05-04T12:28:01+00:00</updated>
<entry>
<title>ghostscript: 9.21 -&gt; 9.23</title>
<updated>2018-05-04T12:28:01+00:00</updated>
<author>
<name>Hongxu Jia</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2018-03-30T08:50:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=49e0838e1d2cb9e07b0e66a1220f13be251f255c'/>
<id>urn:sha1:49e0838e1d2cb9e07b0e66a1220f13be251f255c</id>
<content type='text'>
1. Drop backported patches
- CVE-2017-7207.patch
- CVE-2017-5951.patch
- CVE-2017-7975.patch
- CVE-2017-9216.patch
- CVE-2017-9611.patch
- CVE-2017-9612.patch
- CVE-2017-9739.patch
- CVE-2017-9726.patch
- CVE-2017-9727.patch
- CVE-2017-9835.patch
- CVE-2017-11714.patch

2. Rebase to 9.23
- ghostscript-9.15-parallel-make.patch
- ghostscript-9.16-Werror-return-type.patch
- do-not-check-local-libpng-source.patch
- avoid-host-contamination.patch
- mkdir-p.patch
- ghostscript-9.21-prevent_recompiling.patch
- ghostscript-9.02-genarch.patch
- cups-no-gcrypt.patch
- ghostscript-9.21-native-fix-disable-system-libtiff.patch
- base-genht.c-add-a-preprocessor-define-to-allow-fope.patch

3. Add packps from (native to target) to support cross compiling.

4. Add remove-direct-symlink.patch to fix
   do_populate_sysroot failure

(From OE-Core rev: f8b4636472c6784fb78ca09a7dd7ebe53011f631)

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: drop incorrectly applied patch</title>
<updated>2018-03-09T17:17:03+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alexander.kanavin@linux.intel.com</email>
</author>
<published>2018-03-08T18:17:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f749fd990c7f91799780369b0ecb80366e8ab418'/>
<id>urn:sha1:f749fd990c7f91799780369b0ecb80366e8ab418</id>
<content type='text'>
The patch was adding a change to the source file that was already there,
so the lines of code were repeated twice. This didn't create a bug or a
security issue, but it may well have.

Long story:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450

(From OE-Core rev: 1fc1a5f392ec6773cd520cbbd19b58931c6a2d66)

Signed-off-by: Alexander Kanavin &lt;alexander.kanavin@linux.intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: refresh patches</title>
<updated>2018-03-09T17:17:03+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2018-03-08T18:17:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4fb2ba48f2ebaf9060bdd7ada8ab257c9b150603'/>
<id>urn:sha1:4fb2ba48f2ebaf9060bdd7ada8ab257c9b150603</id>
<content type='text'>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.

Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450).  This is obviously bad.

We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.

(From OE-Core rev: 49437de120ffdf26396fb295254f51ccc204560a)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Alexander Kanavin &lt;alexander.kanavin@linux.intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: CVE-2017-9727, -9835, -11714</title>
<updated>2017-08-23T07:47:03+00:00</updated>
<author>
<name>Joe Slater</name>
<email>jslater@windriver.com</email>
</author>
<published>2017-08-22T21:14:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=67afd9ead60c139484c5179be3c0dcbbf87938c3'/>
<id>urn:sha1:67afd9ead60c139484c5179be3c0dcbbf87938c3</id>
<content type='text'>
CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
CVE-2017-9835: bounds check the array allocations methods
CVE-2017-11714: prevent trying to reloc a freed object

(From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)

Signed-off-by: Joe Slater &lt;jslater@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: fix several CVEs by adding bounds checking</title>
<updated>2017-08-23T07:47:03+00:00</updated>
<author>
<name>Joe Slater</name>
<email>jslater@windriver.com</email>
</author>
<published>2017-08-22T20:18:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8efe72508002772df08664d9bb0d5f8b25497ce5'/>
<id>urn:sha1:8efe72508002772df08664d9bb0d5f8b25497ce5</id>
<content type='text'>
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726

(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)

Signed-off-by: Joe Slater &lt;jslater@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: remove legacy patch png_mak.patch</title>
<updated>2017-07-21T21:51:37+00:00</updated>
<author>
<name>Kai Kang</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2017-07-17T08:40:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=744460e9f21122f89dca0f5c7bcd0d95d87a1719'/>
<id>urn:sha1:744460e9f21122f89dca0f5c7bcd0d95d87a1719</id>
<content type='text'>
png_mak.patch was created for ghostscript 9.16 and causes make circular
dependency now. Check source code base/png.mak after apply png_mak.patch:

Line 77: $(MAKEDIRS) : $(pnglibconf_h)
Line 83: $(pnglibconf_h) : $(PNGSRC)scripts$(D)pnglibconf.h.prebuilt $(TOP_MAKEFILES) $(MAKEDIRS)

So remove png_mak.patch.

(From OE-Core rev: 8a5890cc0b0a6c110edb36aec3614c3ebeb54e24)

Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>meta: Add/fix missing Upstream-Status to patches</title>
<updated>2017-06-27T09:38:43+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2017-06-26T10:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a5bf271c7c4cf5d3bfdf8d1b05eec70ca43726b8'/>
<id>urn:sha1:a5bf271c7c4cf5d3bfdf8d1b05eec70ca43726b8</id>
<content type='text'>
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.

(From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: add X11 PACKAGECONFIG info</title>
<updated>2017-06-23T10:44:13+00:00</updated>
<author>
<name>Joe Slater</name>
<email>jslater@windriver.com</email>
</author>
<published>2017-06-15T21:35:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8f6c991a302a96b82bc3132ba75713f2153477d1'/>
<id>urn:sha1:8f6c991a302a96b82bc3132ba75713f2153477d1</id>
<content type='text'>
Add information necessary to build for x11, but
do not enable that option.

Fix parallel build directory creation issue.

(From OE-Core rev: 2bfc7be412da501d8a9138a3dde33636c5fe2616)

Signed-off-by: Joe Slater &lt;jslater@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: move to version 9.21</title>
<updated>2017-06-23T10:44:13+00:00</updated>
<author>
<name>Joe Slater</name>
<email>jslater@windriver.com</email>
</author>
<published>2017-06-15T21:35:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d3e8504ce7a25908fe5ad7973d807d199950dc9a'/>
<id>urn:sha1:d3e8504ce7a25908fe5ad7973d807d199950dc9a</id>
<content type='text'>
Eliminate CVE patches that are now in source.

Add CUPSCONFIG to configure options.

(From OE-Core rev: 3041f94896b50a5a5d19caf0dd0e7910c730e18e)

Signed-off-by: Joe Slater &lt;jslater@windriver.com&gt;

to be scrunched

Signed-off-by: Joe Slater &lt;jslater@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ghostscript: CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2017-9216</title>
<updated>2017-05-30T09:15:19+00:00</updated>
<author>
<name>Catalin Enache</name>
<email>catalin.enache@windriver.com</email>
</author>
<published>2017-05-29T11:23:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9ed9d383b879df9b7b58c2ff419ffa27a2b38605'/>
<id>urn:sha1:9ed9d383b879df9b7b58c2ff419ffa27a2b38605</id>
<content type='text'>
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently read arbitrary files via the
use of the .libfile operator in a crafted postscript document.

Use-after-free vulnerability in Ghostscript 9.20 might allow remote
attackers to execute arbitrary code via vectors related to a reference
leak in .setdevice.

Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently execute arbitrary code by
leveraging type confusion in .initialize_dsc_parser.

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript,
has a NULL pointer dereference in the jbig2_huffman_get function in
jbig2_huffman.c. For example, the jbig2dec utility will
crash (segmentation fault) when parsing an invalid file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2016-7977
https://nvd.nist.gov/vuln/detail/CVE-2016-7978
https://nvd.nist.gov/vuln/detail/CVE-2016-7979
https://nvd.nist.gov/vuln/detail/CVE-2017-9216

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=875a0095f37626a721c7ff57d606a0f95af03913
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853

(From OE-Core rev: 584dfa2f780d5785aaff01f84fbabc18b3478d76)

Signed-off-by: Catalin Enache &lt;catalin.enache@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
