package/ghostscript: security bump to version 9.52

Fix a bunch of CVEs: CVE-2020-16287, CVE-2020-16288, CVE-2020-16289, CVE-2020-16290, CVE-2020-16291, CVE-2020-16292, CVE-2020-16293, CVE-2020-16294, CVE-2020-16295, CVE-2020-16296, CVE-2020-16297, CVE-2020-16298, CVE-2020-16299, CVE-2020-16300, CVE-2020-16301, CVE-2020-16302, CVE-2020-16303, CVE-2020-16304, CVE-2020-16305 CVE-2020-16308, CVE-2020-16309, CVE-2020-17538 PKGCONFIG must be passed since version 9.51 and 2d84ecc578 Also drop patch (already in version) and update indentation in hash file (two spaces) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-17 20:51:09 +02:00 · 2020-08-17 20:51:09 +02:00 · e90c68e775
commit e90c68e775
parent 03af637b18
3 changed files with 6 additions and 62 deletions
--- a/package/ghostscript/0002-Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghostscript-9-52.patch
+++ b/package/ghostscript/0002-Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghostscript-9-52.patch
@ -1,54 +0,0 @@
-From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
-From: Ray Johnston <ray.johnston@artifex.com>
-Date: Wed, 22 Jul 2020 09:57:54 -0700
-Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
- 9.52
-
-Fix the 'rsearch' calculation for the 'post' size to give the correct
-size.  Previous calculation would result in a size that was too large,
-and could underflow to max uint32_t. Also fix 'rsearch' to return the
-correct 'pre' string with empty string match.
-
-A future change may 'undefine' this undocumented, non-standard operator
-during initialization as we do with the many other non-standard internal
-PostScript operators and procedures.
-
-[Retrieved from:
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
- psi/zstring.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/psi/zstring.c b/psi/zstring.c
-index 33662dafa..58e1af2b3 100644
--- a/psi/zstring.c
-+++ b/psi/zstring.c
-@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
-     return 0;
- found:
-     op->tas.type_attrs = op1->tas.type_attrs;
-    op->value.bytes = ptr;
-    r_set_size(op, size);
-+    op->value.bytes = ptr;				/* match */
-+    op->tas.rsize = size;				/* match */
-     push(2);
-    op[-1] = *op1;
-    r_set_size(op - 1, ptr - op[-1].value.bytes);
-    op1->value.bytes = ptr + size;
-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
-+    op[-1] = *op1;					/* pre */
-+    op[-3].value.bytes = ptr + size;			/* post */
-+    if (forward) {
-+        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
-+        op[-3].tas.rsize = count;			/* post */
-+    } else {
-+        op[-1].tas.rsize = count;			/* pre */
-+        op[-3].tas.rsize -= count + size;		/* post */
-+    }
-     make_true(op);
-     return 0;
- }
-- 
-2.17.1
-
--- a/package/ghostscript/ghostscript.hash
+++ b/package/ghostscript/ghostscript.hash
@ -1,5 +1,5 @@
-# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs950/SHA512SUMS
-sha512 3c1e5db519a427f4b6bfb8d93f3c3dfb67d5ec9ccd19c7afa7670deb768515f3fc617c5588e54934bbfbedfdf8609ce2ffa36dd7da3cb618937fe034f64f43ee  ghostscript-9.50.tar.xz
+# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/SHA512SUMS
+sha512  4c4a33884e1138bad553eee61fac1a72158297ad5c2ce46a4b36150848dea8158affaf2b902f4ff03e4f72ebc8154c198b618112624f409230a610b7648faa67  ghostscript-9.52.tar.xz

 # Hash for license file:
-sha256 6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2  LICENSE
+sha256  6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2  LICENSE
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-GHOSTSCRIPT_VERSION = 9.50
+GHOSTSCRIPT_VERSION = 9.52
 GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
 GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
 GHOSTSCRIPT_LICENSE = AGPL-3.0
@ -23,9 +23,6 @@ GHOSTSCRIPT_DEPENDENCIES = \
 	libpng \
 	tiff

-# 0002-Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghostscript-9-52.patch
-GHOSTSCRIPT_IGNORE_CVES += CVE-2020-15900
-
 # Ghostscript includes (old) copies of several libraries, delete them.
 # Inspired by linuxfromscratch:
 # http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html
@ -38,7 +35,8 @@ GHOSTSCRIPT_POST_PATCH_HOOKS += GHOSTSCRIPT_REMOVE_LIBS

 GHOSTSCRIPT_CONF_ENV = \
 	CCAUX="$(HOSTCC)" \
-	CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)"
+	CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)" \
+	PKGCONFIG="$(PKG_CONFIG_HOST_BINARY)"

 GHOSTSCRIPT_CONF_OPTS = \
 	--disable-compile-inits \