From 1da3fa7863091304ce3d85ce60c125e683d745dc Mon Sep 17 00:00:00 2001
From: Bernd Kuhls
Date: Sun, 20 Oct 2019 13:18:12 +0200
Subject: [PATCH] package/ghostscript: security bump version to 9.50
Fixes CVE-2019-10216: https://security-tracker.debian.org/tracker/CVE-2019-10216 Removed patch applied upstream. Release notes: https://ghostscript.com/pipermail/gs-devel/2019-October/010232.html Changelog: https://www.ghostscript.com/doc/9.50/News.htm
Signed-off-by: Bernd Kuhls
Signed-off-by: Thomas Petazzoni
---
...-the-crazy-md5-file-copying-nonsense.patch | 252 ------------------
package/ghostscript/ghostscript.hash | 4 +-
package/ghostscript/ghostscript.mk | 2 +-
3 files changed, 3 insertions(+), 255 deletions(-)
delete mode 100644 package/ghostscript/0002-Bug-700986-Remove-the-crazy-md5-file-copying-nonsense.patch
diff --git a/package/ghostscript/0002-Bug-700986-Remove-the-crazy-md5-file-copying-nonsense.patch b/package/ghostscript/0002-Bug-700986-Remove-the-crazy-md5-file-copying-nonsense.patch
deleted file mode 100644
index 49bcfcdd3b..0000000000
--- a/package/ghostscript/0002-Bug-700986-Remove-the-crazy-md5-file-copying-nonsense.patch
+++ /dev/null
@@ -1,252 +0,0 @@ -From d86210973df93ccca0befd56afba2132da925ebc Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Thu, 18 Apr 2019 16:58:41 +0100 -Subject: [PATCH] Bug 700986: Remove the crazy md5 file copying nonsense - -To preserve building as a standalone test exe, we avoided using Ghostscript -includes in the md5 source and header files, but dynamically add them to -copies of the files during the build. Since we no longer need/care for the -stand alone exe, remove the build complication, and just include the header -file normally. - -Signed-off-by: Fabrice Fontaine -[Retrieved from: -http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d86210973df9] ---- - base/gsmd5.h | 2 + - base/lib.mak | 10 +-- - base/md5main.c | 141 ----------------------------------------- - doc/Develop.htm | 1 - - windows/ghostscript.vcproj | 4 -- - windows/ghostscript_rt.vcxproj | 1 - - 6 files changed, 5 insertions(+), 154 deletions(-) - delete mode 100644 base/md5main.c - -diff --git a/base/gsmd5.h b/base/gsmd5.h -index 206ea6b..b159afb 100644 ---- a/base/gsmd5.h -+++ b/base/gsmd5.h -@@ -50,6 +50,8 @@ - #ifndef md5_INCLUDED - # define md5_INCLUDED - -+#include "memory_.h" -+ - /* - * This package supports both compile-time and run-time determination of CPU - * byte order. If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be -diff --git a/base/lib.mak b/base/lib.mak -index 3ed088a..21e2cb7 100644 ---- a/base/lib.mak -+++ b/base/lib.mak -@@ -387,13 +387,8 @@ gsmd5_h=$(GLSRC)gsmd5.h - # We have to use a slightly different compilation approach in order to - # get std.h included when compiling md5.c. 
- md5_=$(GLOBJ)gsmd5.$(OBJ) --$(GLOBJ)gsmd5.$(OBJ) : $(GLSRC)gsmd5.c $(AK) $(gsmd5_h)\ -- $(EXP)$(ECHOGS_XE) $(LIB_MAK) $(MAKEDIRS) -- $(EXP)$(ECHOGS_XE) -w $(GLGEN)gsmd5.h -x 23 include -x 2022 memory_.h -x 22 -- $(EXP)$(ECHOGS_XE) -a $(GLGEN)gsmd5.h -+R $(GLSRC)gsmd5.h -- $(CP_) $(GLSRC)gsmd5.c $(GLGEN)gsmd5.c -- $(GLCC) $(GLO_)gsmd5.$(OBJ) $(C_) $(GLGEN)gsmd5.c -- $(RM_) $(GLGEN)gsmd5.c $(GLGEN)gsmd5.h -+$(GLOBJ)gsmd5.$(OBJ) : $(GLSRC)gsmd5.c $(AK) $(gsmd5_h) $(LIB_MAK) $(MAKEDIRS) -+ $(GLCC) $(GLO_)gsmd5.$(OBJ) $(C_) $(GLSRC)gsmd5.c - - # SHA-256 digest - sha2_h=$(GLSRC)sha2.h -@@ -12346,3 +12341,4 @@ $(GLSRC)gxshade4.h:$(GLSRC)gstypes.h - $(GLSRC)gxshade4.h:$(GLSRC)stdpre.h - $(GLSRC)gxshade4.h:$(GLGEN)arch.h - $(GLSRC)gxshade4.h:$(GLSRC)gs_dll_call.h -+$(GLSRC)gsmd5.h:$(GLSRC)memory_.h -diff --git a/base/md5main.c b/base/md5main.c -deleted file mode 100644 -index 75c523b..0000000 ---- a/base/md5main.c -+++ /dev/null -@@ -1,141 +0,0 @@ --/* -- Copyright (C) 2002-2018 Artifex Software, Inc. -- All rights reserved. -- -- This software is provided 'as-is', without any express or implied -- warranty. In no event will the authors be held liable for any damages -- arising from the use of this software. -- -- Permission is granted to anyone to use this software for any purpose, -- including commercial applications, and to alter it and redistribute it -- freely, subject to the following restrictions: -- -- 1. The origin of this software must not be misrepresented; you must not -- claim that you wrote the original software. If you use this software -- in a product, an acknowledgment in the product documentation would be -- appreciated but is not required. -- 2. Altered source versions must be plainly marked as such, and must not be -- misrepresented as being the original software. -- 3. This notice may not be removed or altered from any source distribution. -- -- L. Peter Deutsch -- ghost@aladdin.com -- -- */ --/* -- Independent implementation of MD5 (RFC 1321). 
-- -- This code implements the MD5 Algorithm defined in RFC 1321, whose -- text is available at -- http://www.ietf.org/rfc/rfc1321.txt -- The code is derived from the text of the RFC, including the test suite -- (section A.5) but excluding the rest of Appendix A. It does not include -- any code or documentation that is identified in the RFC as being -- copyrighted. -- -- The original and principal author of md5.c is L. Peter Deutsch -- . Other authors are noted in the change history -- that follows (in reverse chronological order): -- -- 2007-06-08 RG Namespaced the api calls to avoid conflict with other -- implementations when linking gs as a library. -- 2002-04-13 lpd Splits off main program into a separate file, md5main.c. -- */ -- --#include "gsmd5.h" --#include --#include --#include -- --/* -- * This file builds an executable that performs various functions related -- * to the MD5 library. Typical compilation: -- * gcc -o md5main -lm md5main.c md5.c -- */ --static const char *const usage = "\ --Usage:\n\ -- md5main --test # run the self-test (A.5 of RFC 1321)\n\ -- md5main --t-values # print the T values for the library\n\ -- md5main --version # print the version of the package\n\ --"; --static const char *const version = "2002-04-13"; -- --/* Run the self-test. 
*/ --static int --do_test(void) --{ -- static const char *const test[7*2] = { -- "", "d41d8cd98f00b204e9800998ecf8427e", -- "a", "0cc175b9c0f1b6a831c399e269772661", -- "abc", "900150983cd24fb0d6963f7d28e17f72", -- "message digest", "f96b697d7cb7938d525a2f31aaf161d0", -- "abcdefghijklmnopqrstuvwxyz", "c3fcd3d76192e4007dfb496cca67e13b", -- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", -- "d174ab98d277d9f5a5611c2c9f419d9f", -- "12345678901234567890123456789012345678901234567890123456789012345678901234567890", "57edf4a22be3c955ac49da2e2107b67a" -- }; -- int i; -- int status = 0; -- -- for (i = 0; i < 7*2; i += 2) { -- gs_md5_state_t state; -- gs_md5_byte_t digest[16]; -- char hex_output[16*2 + 1]; -- int di; -- -- gs_md5_init(&state); -- gs_md5_append(&state, (const gs_md5_byte_t *)test[i], strlen(test[i])); -- gs_md5_finish(&state, digest); -- for (di = 0; di < 16; ++di) -- gs_sprintf(hex_output + di * 2, "%02x", digest[di]); -- if (strcmp(hex_output, test[i + 1])) { -- printf("MD5 (\"%s\") = ", test[i]); -- puts(hex_output); -- printf("**** ERROR, should be: %s\n", test[i + 1]); -- status = 1; -- } -- } -- if (status == 0) -- puts("md5 self-test completed successfully."); -- return status; --} -- --/* Print the T values. */ --static int --do_t_values(void) --{ -- int i; -- for (i = 1; i <= 64; ++i) { -- unsigned long v = (unsigned long)(4294967296.0 * fabs(sin((double)i))); -- -- /* -- * The following nonsense is only to avoid compiler warnings about -- * "integer constant is unsigned in ANSI C, signed with -traditional". 
-- */ -- if (v >> 31) { -- printf("#define T%d /* 0x%08lx */ (T_MASK ^ 0x%08lx)\n", i, -- v, (unsigned long)(unsigned int)(~v)); -- } else { -- printf("#define T%d 0x%08lx\n", i, v); -- } -- } -- return 0; --} -- --/* Main program */ --int --main(int argc, char *argv[]) --{ -- if (argc == 2) { -- if (!strcmp(argv[1], "--test")) -- return do_test(); -- if (!strcmp(argv[1], "--t-values")) -- return do_t_values(); -- if (!strcmp(argv[1], "--version")) { -- puts(version); -- return 0; -- } -- } -- puts(usage); -- return 0; --} -diff --git a/doc/Develop.htm b/doc/Develop.htm -index c1ffceb..1ed3030 100644 ---- a/doc/Develop.htm -+++ b/doc/Develop.htm -@@ -684,7 +684,6 @@ Other: - base/gx.h, - base/gsmd5.c, - base/gsmd5.h, --base/md5main.c, - base/aes.c, - base/aes.h. - -diff --git a/windows/ghostscript.vcproj b/windows/ghostscript.vcproj -index d607949..fdbeaa1 100644 ---- a/windows/ghostscript.vcproj -+++ b/windows/ghostscript.vcproj -@@ -2510,10 +2510,6 @@ - > - - -- -- - -diff --git a/windows/ghostscript_rt.vcxproj b/windows/ghostscript_rt.vcxproj -index 589b2d1..fca736b 100644 ---- a/windows/ghostscript_rt.vcxproj -+++ b/windows/ghostscript_rt.vcxproj -@@ -597,7 +597,6 @@ - - - -- - - - --- -2.9.1 - - diff --git a/package/ghostscript/ghostscript.hash b/package/ghostscript/ghostscript.hash index 383a414da4..51b3a2a094 100644 --- a/package/ghostscript/ghostscript.hash +++ b/package/ghostscript/ghostscript.hash 
@@ -1,5 +1,5 @@
-# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/SHA512SUMS
-sha512 5e67ad45a80f01c6ef0eabb1c76dfa8fb6e7f0fde8d82fd5daaf12f370c288a672f8fa69c74d9e30255582267e9a906e4e8b13655f8d993fefdfc8dbdb5d5401 ghostscript-9.27.tar.xz
+# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs950/SHA512SUMS
+sha512 3c1e5db519a427f4b6bfb8d93f3c3dfb67d5ec9ccd19c7afa7670deb768515f3fc617c5588e54934bbfbedfdf8609ce2ffa36dd7da3cb618937fe034f64f43ee ghostscript-9.50.tar.xz
 # Hash for license file:
 sha256 6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2 LICENSE
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index fefac2aee3..a6e85d9894 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-GHOSTSCRIPT_VERSION = 9.27
+GHOSTSCRIPT_VERSION = 9.50
 GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
 GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
 GHOSTSCRIPT_LICENSE = AGPL-3.0
--
2.30.2