SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for ghostscript-devel-9.56.1-1.5.x86_64.rpm :

* Mon Jul 18 2022 Dirk Müller - update to 9.56.1:
* New PDF Interpreter: This is an entirely new implementation written in C (rather than PostScript, as before)
* Calling Ghostscript via the GS API is now thread safe. The one limitation is that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk, x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be made thread safe, due to their interaction with the X11 server, those devices have been modified to only allow one instance in an executable.
* The PSD output device now writes ICC profiles to their output files, for improved color fidelity.
* Our efforts in code hygiene and maintainability continue.
* The usual round of bug fixes, compatibility changes, and incremental improvements.
* We have added the capability to build with the Tesseract OCR engine. In such a build, new devices are available (pdfocr8/pdfocr24/ pdfocr32) which render the output file to an image, OCR that image, and output the image \"wrapped\" up as a PDF file, with the OCR generated text information included as \"invisible\" text (in PDF terms, text rendering mode 3).- drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
* Mon Jul 18 2022 Dirk Müller - use _multibuild
* Wed Apr 13 2022 Dirk Müller - use system zlib (bsc#1198449)
* Thu Apr 07 2022 Frederic Crozat - Do no longer require apparmor-abstractions, it is not mandatory to use Ghostscript (bsc#1134289).
* Tue Jan 11 2022 jsmeixAATTsuse.de- CVE-2021-45949.patch fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml (bsc#1194304)- CVE-2021-45944 use-after-free in sampled_data_sample is already fixed in the Ghostscript 9.54.0 upstream sources (bsc#1194303)
* Fri Sep 10 2021 jsmeixAATTsuse.de- CVE-2021-3781.patch fixes CVE-2021-3781 Trivial -dSAFER bypass cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 (bsc#1190381)
* Fri May 21 2021 jsmeixAATTsuse.de- Version upgrade to 9.54.0 Highlights in this release include (excerpts from the Ghostscript upstream release summary in https://www.ghostscript.com/doc/9.54.0/News.htm):
* The 9.54.0 release is a maintenance release, and also adds new functionality.
* Overprint simulation is now available to all output devices, allowing quality previewing/proofing of PostScript and PDF jobs that rely on overprint. See the -dOverprint option documentation in: doc/9.54.0/Use.htm#Overprint
* The \"docxwrite\" device adds the ability to output to Microsoft Word \"docx\" format. See: doc/9.54.0/VectorDevices.htm#DOCX
* The pdfwrite device is now capable of using the Tesseract OCR engine when it is built into Ghostscript to improve searchability and copy and paste functionality when the input lacks the metadata for that purpose. See: doc/9.54.0/VectorDevices.htm#UseOCR
* Ghostscript/GhostPDL now includes a \"map text to black\" function, where text drawn by an input job (except when drawn using a Type 3 font) can be forced to draw in solid black. See: doc/9.54.0/Use.htm#BlackText
* Ghostscript/GhostPDL now supports simple N-up imposition \"internally\". See: doc/9.54.0/Use.htm#NupControl
* Our efforts in code hygiene and maintainability continue.
* The usual round of bug fixes, compatibility changes, and incremental improvements.
* For a list of open issues, or to report problems, please visit bugs.ghostscript.com For a release summary see: https://www.ghostscript.com/doc/9.54.0/News.htm For details see the News.htm and History9.htm files.- 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch is no longer needed because it is fixed in the upstream sources.
* Wed Apr 14 2021 Wolfgang Frisch - Hardening: compile with PIC, link as PIE
* Tue Oct 20 2020 Ismail Dönmez - 41ef9a0bc36b9db7115fbe9623f989bfb47bbade.patch fixes compilation with FreeType 2.10.3+ http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade c.f. https://bugs.ghostscript.com/show_bug.cgi?id=702985
* Tue Oct 20 2020 jsmeixAATTsuse.de- Version upgrade to 9.53.3 Highlights in this release include (excerpts from the Ghostscript upstream release summary in https://www.ghostscript.com/doc/9.53.3/News.htm):
* The 9.53.3 release is primarily maintenance.
* Issues arose with 9.53.0/1/2 that prompted the release of a .3 patch: A crash related to management of ICC profile objects. A parameter type mismatch that would cause Ghostscript to error out during initialisation, which affected 64 big, big endian architectures. An unexpected side effect of another change that prevented multithreaded rendering and background rendering from working correctly.
* The most obvious change is the (re-)introduction of the patch level to the version number, this helps facilitate a revised policy on handling security related issues. To clarify: in the event we decide to release a patch revision, it will replace the release with the previous patch number. Release notes, highlights and warnings will remain the same, except for the addition of whatever fix(es) prompted the patch.
* Our efforts in code hygiene and maintainability continue.
* We have added Python bindings for the gsapi interface, can be found in demos/python. These are experimental, and we welcome feedback from interested developers.
* For those integrating Ghostscript/GhostPDL via the gsapi interface, we have added new capabilities to that, specifically in terms of setting and interrogating device parameters. These, along with the existing interface calls, are documented in: Ghostscript Interpreter API at https://www.ghostscript.com/doc/9.53.3/API.htm
* The usual round of bug fixes, compatibility changes, and incremental improvements.
* For a list of open issues, or to report problems, please visit bugs.ghostscript.com Incompatible changes:
* As of 9.53.0, we have (re-)introduced the patch level to the version number, this helps facilitate a revised policy on handling security related issues. Note for GSView Users: The patch level addition breaks GSView 5 (it is hardcoded to check for versions 704-999). It is possible, but not guaranteed that a GSView update might be forthcoming to resolve this. For a release summary see: https://www.ghostscript.com/doc/9.53.3/News.htm For details see the News.htm and History9.htm files.- CVE-2020-15900.patch is no longer needed because it is fixed in the upstream sources.- Ghostscript 9.53.3 fixes in particular txtwrite memory issues (boo#1177922).
* Tue Jul 28 2020 jsmeixAATTsuse.de- CVE-2020-15900.patch fixes CVE-2020-15900 Memory Corruption cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582 (bsc#1174415)
* Wed Apr 29 2020 jsmeixAATTsuse.de- The version upgrade to 9.52 fixes in particular CVE-2020-12268: jbic2dec: heap-based buffer overflow in jbig2_image_compose (bsc#1170603)- Version upgrade to 9.52 Highlights in this release include:
* The 9.52 release replaces the 9.51 release after a problem was reported with 9.51 which warranted the quick turnaround. Thus, like 9.51, 9.52 is primarily a maintenance release, consolidating the changes we introduced in 9.50.
* IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt (the \"mt\" indicating \"multi-thread\"). LCMS2 is not thread-safe, and cannot be made thread-safe without breaking the ABI. Our fork will be thread-safe and include performance enhancements (these changes have all been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. If there is sufficient interest, our fork will be available as its own package separately from Ghostscript (and MuPDF).
* The usual round of bug fixes, compatibility changes, and incremental improvements. Incompatible changes:
* New option -dALLOWPSTRANSPARENCY: The transparency compositor (and related features), whilst we are improving it, remains sensitive to being driven correctly, and incorrect use can have unexpected/undefined results. Hence, as part of improving security, we limited access to these operators, originally using the -dSAFER feature. As we made \"SAFER\" the default mode, that became unacceptable, hence the new option -dALLOWPSTRANSPARENCY which enables access to the operators, cf. https://www.ghostscript.com/doc/9.52/Use.htm#ALLOWPSTRANSPARENCY For a release summary see: https://www.ghostscript.com/doc/9.52/News.htm For details see the News.htm and History9.htm files.- Version upgrade to 9.51 Highlights in this release include:
* 9.51 is primarily a maintainance release, consolidating the changes we introduced in 9.50.
* We have continued our work on code hygiene for this release, with a focus on the static analysis tool Coverity (from Synopsys, Inc) and we are now maintaining a policy of zero Coverity issues in the Ghostscript/GhostPDL source base.
* IMPORTANT: In consultation with a representative of OpenPrinting (http://www.openprinting.org/) it is our intention to deprecate and, in the not distant future, remove the OpenPrinting Vector/Raster Printer Drivers (that is, the opvp and oprp devices). If you rely on either of these devices, please get in touch with us (i.e. Ghostscript upstream), so we can discuss your use case, and revise our plans accordingly.
* We (i.e. Ghostscript upstream) are in the process of forking LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes, and incremental improvements. For a release summary see: https://www.ghostscript.com/doc/9.51/News.htm For details see the News.htm and History9.htm files.- Version upgrade to 9.50 Highlights in this release include:
* The change to version 9.50 follows recognition of the extent and importance of the file access control redesign/reimplementation outlined below.
* The file access control capability (enable with -dSAFER) has been completely rewritten, with a ground-up rethink of the design. For more details, see: \"SAFER\" at https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* It is important to note that -dSAFER now only enables the file access controls, and no longer applies restrictions to standard Postscript functionality (specifically, restrictions on setpagedevice). If your application relies on these Postscript restrictions, see \"OLDSAFER\" at https://www.ghostscript.com/doc/9.50/Use.htm#OldSafer and please get in touch, as we do plan to remove those Postscript restrictions unless we have reason not to. IMPORTANT: File access controls are now enabled by default. In order to run Ghostscript without these controls, see \"NOSAFER\" at https://www.ghostscript.com/doc/9.50/Use.htm#NoSafer
* We (i.e. Ghostscript upstream) are in the process of forking LittleCMS, cf. the other release notes entries below.
* The usual round of bug fixes, compatibility changes, and incremental improvements. Incompatible changes:
* There are a couple of subtle incompatibilities between the old and new SAFER implementations. Firstly, as mentioned above, SAFER now leaves standard Postcript functionality unchanged (except for the file access limitations). Secondly, the interaction with save/restore operations, see \"SAFER\" at https://www.ghostscript.com/doc/9.50/Use.htm#Safer
* The following is not strictly speaking new to 9.50, as not much has changed since 9.27 in this area, but for those who don\'t upgrade with every release: The process of \"tidying\" the Postscript name space should have removed only non-standard and undocumented operators. Nevertheless, it is possible that any integrations or utilities that rely on those non-standard and undocumented operators may stop working, or may change behaviour. If you encounter such a case, please contact us (i.e. Ghostscript upstream, either the #ghostscript IRC channel or the gs-devel mailing list would be best), and we\'ll work with you to either find an alternative solution or return the previous functionality, if there is genuinely no other option. One case we know this has occurred is GSView 5 (and earlier). GSView 5 support for PDF files relied upon internal use only features which are no longer available. GSView 5 will still work as previously for Postscript files. For PDF files, users are encouraged to look at MuPDF https://www.mupdf.com/ For a release summary see: https://www.ghostscript.com/doc/9.50/News.htm For details see the News.htm and History9.htm files.- CVE-2019-10216.patch gs-CVE-2019-14811-885444fc.patch gs-CVE-2019-14817-cd1b1cac.patch openjpeg4gs-CVE-2018-6616-8ee33522.patch are fixed in the version 9.52 upstream sources.
* Fri Jan 31 2020 Stefan Brüns - Use system openjpeg2 on Tumbleweed/Factory.
* Mon Sep 23 2019 Johannes Segitz - Made ghostscript profile enforcing and limit it to the ghostscript binaries (bsc#1150338)
* Mon Sep 16 2019 Dr. Werner Fink - Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882 for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884 for CVE-2019-14817
* Fri Sep 13 2019 Dr. Werner Fink - Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359 for CVE-2019-12973
* Thu Aug 22 2019 Jan Engelhardt - Update RPM groups.
* Tue Aug 13 2019 Dr. Werner Fink - Use update-alternatives to get the real ghostscript binary from /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to use this with its wrapper script
* Mon Aug 12 2019 Dr. Werner Fink - CVE-2019-10216.patch fixes CVE-2019-10216 forceput/superexec in .buildfont1 is still accessible https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621 https://bugs.ghostscript.com/show_bug.cgi?id=701394
* Wed May 08 2019 jsegitzAATTsuse.com- Set AA profile to complain and added fixes for ps2epsi (boo#1134327)
* Thu Apr 04 2019 jsmeixAATTsuse.de- Version upgrade to 9.27 Highlights in this release include:
* We (i.e. Ghostscript upstream) have extensively cleaned up the Postscript name space: removing access to internal and/or undocumented Postscript operators, procedures and data. This has benefits for security and maintainability. Incompatible changes: The process of \"tidying\" the Postscript name space should have removed only non-standard and undocumented operators. Nevertheless, it is possible that any integrations or utilities that rely on those non-standard and undocumented operators may stop working, or may change behaviour. If you encounter such a case, please contact us (i.e. Ghostscript upstream) - (either the #ghostscript IRC channel, or the gs-devel mailing list would be best), and we\'ll work with you to either find an alternative solution.
* Fontmap can now reference invidual fonts in a TrueType Collection for font subsitution. Previously, a Fontmap entry could only reference a TrueType collection and use the default (first) font. Now, the Fontmap syntax allows for specifying a specific index in a TTC. See the comments at the top of (the default) Fontmap.GS for details.
* The usual round of bug fixes, compatibility changes, and incremental improvements. IMPORTANT: It is our intention, within the next 12 months (ideally sooner, in time for the next release) to make SAFER the default mode of operation. For many users this will have no effect, since they use SAFER explicitly, but some niche uses which rely on SAFER being disabled may need to start explicitly adding the \"-dNOSAFER\" option. IMPORTANT: We (i.e. Ghostscript upstream) are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all be been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF). For a release summary see: http://www.ghostscript.com/doc/9.27/News.htm For details see the News.htm and History9.htm files. The Ghostscript 9.27 release should fix (cf. the entry below dated \'Fri Sep 14 10:47:33 CEST 2018\' what \"should fix\" means) in particular those security issues:
* CVE-2019-3838 forceput in DefineResource is still accessible https://bugzilla.suse.com/show_bug.cgi?id=1129186 bsc#1129186 https://bugs.ghostscript.com/show_bug.cgi?id=700576
* CVE-2019-3835: superexec operator is available https://bugzilla.suse.com/show_bug.cgi?id=1129180 bsc#1129180 https://bugs.ghostscript.com/show_bug.cgi?id=700585- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch is no longer needed because it is fixed in the upstream sources.
* Thu Mar 14 2019 jsegitzAATTsuse.com- Added AA rules for dvips (bsc#1127934)- Allow execution of dirname (bsc#1128697)- Allow execution of hpijs (bsc#1128467). For now this is in complain mode- Sane profile name \"ghostscript\", moved profile from /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript (bsc#1128607)- Improved AA packaging (bsc#1128608) Thanks to Christian Boltz for his help
* Fri Mar 08 2019 Martin Wilck - Fix IJS printing problem (bsc#1128467)
* added ijs_exec_server_dont_use_sh.patch
* allow exec\'ing hpijs in apparmor profile
* Thu Feb 07 2019 jsegitzAATTsuse.com- Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits.
* Wed Jan 23 2019 jsmeixAATTsuse.de- Version upgrade to 9.26a The version 9.26a is a special security bugfix version to fix
* CVE-2019-6116: subroutines within pseudo-operators must themselves be pseudo-operators https://bugs.ghostscript.com/show_bug.cgi?id=700317 https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319
* Thu Jan 10 2019 jweberhoferAATTweberhofer.at- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch fixes Ghostscript issue #700315 and bsc#1121490 https://bugs.ghostscript.com/show_bug.cgi?id=700315 Segfault in GS 9.26 with certain PDFs with -dLastPage=1
* Fri Nov 30 2018 jsmeixAATTsuse.de- Version upgrade to 9.26 Highlights in this release include:
* Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits. Thanks to Man Yue Mo of Semmle Security Research Team, Jens Mueller of Ruhr-Universitaet Bochum and Tavis Ormandy of Google\'s Project Zero for their help to identify specific security issues. PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
* The usual round of bug fixes, compatibility changes, and incremental improvements. For a release summary see: http://www.ghostscript.com/doc/9.26/News.htm For details see the News.htm and History9.htm files. The Ghostscript 9.26 release should fix (cf. the entry below dated \'Fri Sep 14 10:47:33 CEST 2018\' what \"should fix\" means) in particular those security issues (bsc#1117331)
* CVE-2018-19475: psi/zdevice2.c allows attackers to bypass intended access restrictions https://bugs.ghostscript.com/show_bug.cgi?id=700153 https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327
* CVE-2018-19476: psi/zicc.c allows attackers to bypass intended access restrictions because of a setcolorspace type confusion https://bugs.ghostscript.com/show_bug.cgi?id=700169 https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313
* CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass intended access restrictions because of a JBIG2Decode type confusion https://bugs.ghostscript.com/show_bug.cgi?id=700168 https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274
* CVE-2018-19409: LockSafetyParams is not checked correctly if another device is used https://bugs.ghostscript.com/show_bug.cgi?id=700176 https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022 and those security issues
* CVE-2018-18284: 1Policy operator gives access to .forceput https://bugs.ghostscript.com/show_bug.cgi?id=69963 https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229
* CVE-2018-18073: saved execution stacks can leak operator arrays https://bugs.ghostscript.com/show_bug.cgi?id=699927 https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480
* CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox https://bugs.ghostscript.com/show_bug.cgi?id=699816 https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479
* CVE-2018-17183: remote attackers could be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code https://bugs.ghostscript.com/show_bug.cgi?id=699708 https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105
* Fri Nov 09 2018 jsmeixAATTsuse.de- Version upgrade to 9.26rc1 (first release candidate for 9.26). Highlights in this release include:
* Purely security and a few bug fixes, there are no new features, and no API changes to report.
* Fri Sep 14 2018 jsmeixAATTsuse.de- Version upgrade to 9.25 For the highlights in this release see the highlights in the 9.25rc1 first release candidate for 9.25 entry below. PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues. For a release summary see: http://www.ghostscript.com/doc/9.25/News.htm For details see the News.htm and History9.htm files. The Ghostscript 9.25 release should fix (see below) in particular those security issues:
* CVE-2018-15909: shading_param incomplete type checking https://bugs.ghostscript.com/show_bug.cgi?id=699660 https://bugzilla.suse.com/show_bug.cgi?id=1106172 bsc#1106172
* CVE-2018-15908: .tempfile file permission issues https://bugs.ghostscript.com/show_bug.cgi?id=699657 https://bugzilla.suse.com/show_bug.cgi?id=1106171 bsc#1106171
* CVE-2018-15910: LockDistillerParams type confusion https://bugs.ghostscript.com/show_bug.cgi?id=699656 https://bugzilla.suse.com/show_bug.cgi?id=1106173 bsc#1106173
* CVE-2018-15911: uninitialized memory access in the aesdecode https://bugs.ghostscript.com/show_bug.cgi?id=699665 https://bugzilla.suse.com/show_bug.cgi?id=1106195 bsc#1106195
* CVE-2018-16513: setcolor missing type check https://bugs.ghostscript.com/show_bug.cgi?id=699655 https://bugzilla.suse.com/show_bug.cgi?id=1107412 bsc#1107412
* CVE-2018-16509: /invalidaccess bypass after failed restore https://bugs.ghostscript.com/show_bug.cgi?id=699654 https://bugzilla.suse.com/show_bug.cgi?id=1107410 bsc#1107410
* CVE-2018-16510: Incorrect exec stack handling in the \"CS\" and \"SC\" PDF primitives https://bugs.ghostscript.com/show_bug.cgi?id=699671 https://bugzilla.suse.com/show_bug.cgi?id=1107411 bsc#1107411
* CVE-2018-16542: .definemodifiedfont memory corruption if /typecheck is handled https://bugs.ghostscript.com/show_bug.cgi?id=699668 https://bugzilla.suse.com/show_bug.cgi?id=1107413 bsc#1107413
* CVE-2018-16541 incorrect free logic in pagedevice replacement https://bugs.ghostscript.com/show_bug.cgi?id=699664 https://bugzilla.suse.com/show_bug.cgi?id=1107421 bsc#1107421
* CVE-2018-16540 use-after-free in copydevice handling https://bugs.ghostscript.com/show_bug.cgi?id=699661 https://bugzilla.suse.com/show_bug.cgi?id=1107420 bsc#1107420
* CVE-2018-16539: incorrect access checking in temp file handling to disclose contents of files https://bugs.ghostscript.com/show_bug.cgi?id=699658 https://bugzilla.suse.com/show_bug.cgi?id=1107422 bsc#1107422
* CVE-2018-16543: gssetresolution and gsgetresolution allow for unspecified impact https://bugs.ghostscript.com/show_bug.cgi?id=699670 https://bugzilla.suse.com/show_bug.cgi?id=1107423 bsc#1107423
* CVE-2018-16511: type confusion in \"ztype\" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact https://bugs.ghostscript.com/show_bug.cgi?id=699659 https://bugzilla.suse.com/show_bug.cgi?id=1107426 bsc#1107426
* CVE-2018-16585 .setdistillerkeys PostScript command is accepted even though it is not intended for use https://bugzilla.suse.com/show_bug.cgi?id=1107581 bsc#1107581
* CVE-2018-16802: Incorrect\"restoration of privilege\" checking when running out of stack during exceptionhandling could be used by attackers able to supply crafted PostScript to execute code using the \"pipe\" instruction. This is due to an incomplete fix for CVE-2018-16509 https://bugs.ghostscript.com/show_bug.cgi?id=699714 https://bugs.ghostscript.com/show_bug.cgi?id=699718 https://bugzilla.suse.com/show_bug.cgi?id=1108027 bnc#1108027 Regarding what the above \"should fix\" means: PostScript is a general purpose Turing-complete programming language (cf. https://en.wikipedia.org/wiki/PostScript) that supports in particular file access on the system disk. When Ghostscript processes PostScript it runs a PostScript program as the user who runs Ghostscript. When Ghostscript processes an arbitrary PostScript file, the user who runs Ghostscript runs an arbitrary program which can do anything on the system where Ghostscript runs that this user is allowed to do on that system. To make it safer when Ghostscript runs a PostScript program the Ghostscript command line option \'-dSAFER\' disables certain file access functionality, for details see /usr/share/doc/ghostscript/9.25/Use.htm Its name \'SAFER\' says everything: It makes it \'safer\' to let Ghostscript run a PostScript program, but it does not make it completely safe. In theory software is safe against misuse (i.e. has no bugs). In practice there is an endless sequence of various kind of security issues (i.e. software can be misused to do more than what is intended) that get fixed issue by issue ad infinitum. In the end all that means: In practice the user who runs Ghostscript must not let it process arbitrary PostScript files from untrusted origin. In particular Ghostscript is usually run when printing documents (with the \'-dSAFER\' option set), see the part about \"It is crucial to limit access to CUPS to trusted users\" in https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
* Thu Sep 13 2018 jsmeixAATTsuse.de- Version upgrade to 9.25rc1 (first release candidate for 9.25). Highlights in this release include:
* This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the 9.24 release.
* Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits. PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
* Avoid that ps2epsi fails with \'Error: /undefined in --setpagedevice--\' Recent changes required to harden SAFER mode mean that it is no longer possible to run ps2epsi in SAFER mode, because it relies upon unsafe Ghostscript non-standard extension operators. Removing SAFER and DELAYSAFER, and the code to reset SAFER, allow ps2epsi to run as well as it ever did (ie badly). This program (i.e. ps2epsi) should now be considered unsafe, you should not use it on untrusted PostScript programs. Likely we (i.e. Ghostscript upstream) will deprecate and remove this program in future. For details see the News.htm and History9.htm files. Regarding installing packages (in particular release candidates) from the openSUSE build service development project \"Printing\" see https://build.opensuse.org/project/show/Printing
* Thu Sep 13 2018 jsmeixAATTsuse.de- Version upgrade to 9.24 Highlights in this release include:
* Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits. PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
* As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out specification files.
* IMPORTANT: We (i.e. Ghostscript upstream) are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all be been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).
* The usual round of bug fixes, compatibility changes, and incremental improvements. For a release summary see: http://www.ghostscript.com/doc/9.24/News.htm For details see the News.htm and History9.htm files.- fix_ln_docdir_gsdatadir.patch is no longer needed because the issue is fixed in the upstream sources.- CVE-2018-10194.patch is no longer needed because the issue is fixed in the upstream sources.
* Tue Jun 05 2018 jsmeixAATTsuse.de- CVE-2018-10194.patch fixes stack-based buffer overflow in gdevpdts.c (bsc#1090099), see https://bugs.ghostscript.com/show_bug.cgi?id=699255 and http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
* Thu Mar 22 2018 jsmeixAATTsuse.de- Version upgrade to 9.23 Highlights in this release include:
* Ghostscript now has a family of \'pdfimage\' devices (pdfimage8, pdfimage24 and pdfimage32) which produce rendered output wrapped up as an image in a PDF. Additionally, there is a \'pclm\' device which produces PCLm format output.
* There is now a ColorAccuracy parameter allowing the user to decide between speed or accuracy in ICC color transforms.
* JPEG Passthrough: devices which support it can now receive the \'raw\' JPEG stream from the interpreter. The main use of this is the pdfwrite/ps2write family of devices that can now take JPEG streams from the input file(s) and write them unchanged to the output (thus avoiding additional quantization effects).
* PDF transparency performance improvements
* IMPORTANT: We (i.e. Ghostscript upstream) are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all be been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).
* We have continued the focus on code hygiene in this release cleaning up security issues, ignored return values, and compiler warnings.
* The usual round of bug fixes, compatibility changes, and incremental improvements. Incompatible changes
* The planned device API tidy has, unfortunately, been indefinitely postponed, until appropriate resources are available. For a release summary see: http://www.ghostscript.com/doc/9.23/News.htm For details see the News.htm and History9.htm files. See also the entries below since \"Version upgrade to 9.22\" (boo#1082896 and boo#1074266).
* Fri Mar 16 2018 jsmeixAATTsuse.de- For now use lcms2 from SUSE because that is what currently Ghostscript upstream recommends according to https://ghostscript.com/pipermail/gs-devel/2018-March/010061.html because since Ghostscript 9.23rc1 there is no longer lcms2 in Ghostscript but now it is lcms2art which is the beginning of a lcms2 fork, see News.htm that reads in particular \"LCMS2 is not thread safe ... Our fork will be thread safe ... We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity\", see also https://bugzilla.opensuse.org/show_bug.cgi?id=1082896#c14- On SLE11 and on SLE12-SP1 there is liblcms2-2-2.5 which is too old so that configure fails there with configure: error: lcms2 not found, or too old but there is no configure option to build it without lcms2 so that for SLE11 and SLE12-SP1 it is built with the lcms2art in Ghostscript.- ppc64le-support.patch is no longer needed because it only contained a fix for lcms2art/include/lcms2art.h in Ghostscript but currently lcms2 from SUSE is used instead (see above).- Do no longer require any fonts packages in particular neither require ghostscript-fonts-std because the PostScript Base35 fonts are provided by Ghostscript (in \'Resource\') nor require ghostscript-fonts-other (provides Bitream Charter, Adobe Utopia, URW Antiqua, URW Grotesq and Hershey fonts where all but the last are also provided by texlive--fonts) and those fonts are not required for PostScript compliance, see https://bugzilla.opensuse.org/show_bug.cgi?id=1082896#c13
* Thu Mar 15 2018 jsmeixAATTsuse.de- Version upgrade to 9.23rc1 (first release candidate for 9.23). For details see the News.htm and History9.htm files. Regarding installing packages (in particular release candidates) from the openSUSE build service development project \"Printing\" see https://build.opensuse.org/project/show/Printing- Adapted ppc64le-support.patch: In Ghostscript 9.23 there is now lcms2art/include/lcms2art.h (instead of lcms2/include/lcms2.h).- ghostscript-fix-debug-use.patch is no longer needed because the issue is fixed in the upstream sources.- fix_ln_docdir_gsdatadir.patch avoids \"base/unixinst.mak:162: recipe for target \'install-doc\' failed\"- Adapted spec file to the new Ghostscript upstream documentation directory /usr/share/doc/ghostscript/9.23/
* Wed Feb 28 2018 stefan.bruensAATTrwth-aachen.de- Use -p /sbin/ldconfig instead of shell post(un) scriptlet, drop explicit Prereq for ldconfig- Use shared libgs library for gs binary instead of static linked version- Use --disable-compile-inits, to allow unbundling of Resource files- Remove --disable-omni switch, has been removed in GS 9.20- Keep patch ordering in full/mini consistent- Remove patch backup files to avoid packaging
* Tue Feb 27 2018 novellAATTmirell.de- Add ghostscript-fix-debug-use.patch from upstream to fix broken printing with some drivers (especially Dell Printers) from https://bugs.ghostscript.com/show_bug.cgi?id=698837- Fix build for SLE targets
  
ICM