openembedded-core.git/meta/recipes-extended/ghostscript, branch pyro Mirror of openembedded-core ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951 2017-04-28T10:26:07+00:00 Catalin Enache catalin.enache@windriver.com 2017-04-21T12:04:17+00:00 6679a4d4379f6f18554ed0042546cce94d5d0b19 The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.

The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.

The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
ghostscript: CVE-2017-7207 2017-04-08T21:48:04+00:00 Catalin Enache catalin.enache@windriver.com 2017-04-05T12:06:51+00:00 0f22a27c2abd2f2dd9119681f139dd85dcb6479d The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The mem_get_bits_rectangle function in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial
of service (NULL pointer dereference) via a crafted PostScript
document.

Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207

Upstream patch:
http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostscript: fix upstream version check 2016-12-17T09:56:43+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2016-12-15T12:48:07+00:00 4e8e884054b56c578d51d7b4af7150b77806368d (From OE-Core rev: 10001924baf112a4556c5e85c16c482cbf435950) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
(From OE-Core rev: 10001924baf112a4556c5e85c16c482cbf435950)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostscript 9.19 -> 9.20 2016-12-17T09:56:42+00:00 Huang Qiyu huangqy.fnst@cn.fujitsu.com 2016-12-13T23:05:39+00:00 9133ba6b8138951f3ef798f0a1cc6f694fe71868 1)Upgrade ghostscript from 9.19 to 9.20. 2)Modify ghostscript-9.15-parallel-make.patch, since the data has been changed. (From OE-Core rev: 4f3483c3a0ba22f46d768d78d6f56880e8ac5608) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
1)Upgrade ghostscript from 9.19 to 9.20.
2)Modify ghostscript-9.15-parallel-make.patch, since the data has been changed.

(From OE-Core rev: 4f3483c3a0ba22f46d768d78d6f56880e8ac5608)

Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostscript: Use MIPS MACHINE_OVERRIDES for objarch.h 2016-11-30T15:47:13+00:00 Zubair Lutfullah Kakakhel Zubair.Kakakhel@imgtec.com 2016-11-23T13:47:33+00:00 a169f11cee3f4288467120cbc363f5e664b86f0c MIPS MACHINE_OVERRIDES can be used to provide the same objarch.h files for MIPS pre-R2 and R6 ISA versions. Use them to reduce duplication in supporting MIPS R6 ISA Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
MIPS MACHINE_OVERRIDES can be used to provide the same objarch.h
files for MIPS pre-R2 and R6 ISA versions.

Use them to reduce duplication in supporting MIPS R6 ISA

Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
ghostscript: Reduce duplication in MIPS variants. 2016-11-15T15:11:56+00:00 Zubair Lutfullah Kakakhel Zubair.Kakakhel@imgtec.com 2016-11-08T17:12:32+00:00 c4aefe37ef5ff34ebd8e1a077c9198dcf3634e07 Reduce duplication in MIPS variants now that the MACHINEOVERRIDES variable is defined Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Reduce duplication in MIPS variants now that the MACHINEOVERRIDES
variable is defined

Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
ghostscript: upgrade to 9.19 2016-06-14T11:56:33+00:00 Hongxu Jia hongxu.jia@windriver.com 2016-06-13T09:16:27+00:00 227ca0a373b5a93602a419296ff1da1a96615ba2 - Ghostscript and GhostPDL releases from version 9.19 have been moved to GitHub hosting, tweak download site - Drop 0001-Bug-696497-Fix-support-for-building-with-no-jbig2-de.patch, and 0002-Bug-696497-part-2-fix-support-for-building-with-a-JP.patch, ghostscript 9.19 has fixed them. - Fix QA Warning unrecognised options: --enable-little-endian. It use AC_C_BIGENDIAN to detect big/little endian. http://www.delorie.com/gnu/docs/autoconf/autoconf_64.html Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
- Ghostscript and GhostPDL releases from version 9.19 have been moved to GitHub
  hosting, tweak download site

- Drop 0001-Bug-696497-Fix-support-for-building-with-no-jbig2-de.patch, and
  0002-Bug-696497-part-2-fix-support-for-building-with-a-JP.patch, ghostscript
  9.19 has fixed them.

- Fix QA Warning unrecognised options: --enable-little-endian. It use AC_C_BIGENDIAN
  to detect big/little endian.
  http://www.delorie.com/gnu/docs/autoconf/autoconf_64.html

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostcript: Set UPSTREAM_CHECK_URI variable 2016-05-30T08:30:29+00:00 Leonardo Sandoval leonardo.sandoval.gonzalez@linux.intel.com 2016-05-24T06:36:44+00:00 94d80ae33e0671e439c845f25e54aab0ee69843b Set UPSTREAM_CHECK_URI (a github location), so package checking system gets the latest version of the package. Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Set UPSTREAM_CHECK_URI (a github location), so package checking system gets the
latest version of the package.

Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
ghostscript: Update URL_SRI considered as 'old release' 2016-05-22T15:09:21+00:00 Leonardo Sandoval leonardo.sandoval.gonzalez@linux.intel.com 2016-05-20T05:59:17+00:00 f4232f796875b007a438eb75fe438db6aba30572 The Ghostcript project started to place their tarballs in two places starting at 9.19 as explained in [1]. 9.18 version is considered old, so including the 'old-gs-releases' in the URL. [1] http://downloads.ghostscript.com/public/ [YOCTO #9573] Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The Ghostcript project started to place their tarballs in two places
starting at 9.19 as explained in [1]. 9.18 version is considered old,
so including the 'old-gs-releases' in the URL.

[1] http://downloads.ghostscript.com/public/

[YOCTO #9573]

Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
ghostscript: 9.16 -> 9.18 2016-03-09T16:54:37+00:00 Hongxu Jia hongxu.jia@windriver.com 2016-02-29T19:41:42+00:00 c7da39c43fc20e634c45212151400c663b39399a - Backport patches to fix build failure caused by '--without-jbig2dec' and '--without-jbig2dec'. ... |make[1]: *** No rule to make target `obj/sjbig2_.dev', needed by `obj/sjbig2.dev'. Stop. ... http://bugs.ghostscript.com/show_bug.cgi?id=696497 - Previously, it did not build the whole local libpng source in ghostscript, only picked up specific files and compile them. But on ghostscript 9.18, when the arm's FPU has been set to NEON (-mfpu=neon * with GCC), the selected file "libpng/pngrutil.c" needs to link 'png_init_filter_functions_neon' which should be compiled by a non-selected file "libpng/arm/arm_init.c". ... |./obj/pngrutil.o: In function `png_init_filter_functions': |armv7a-neon-poky-linux-gnueabi/ghostscript/9.18-r0/build/../ ghostscript-9.18/libpng/pngrutil.c:3921: undefined reference to `png_init_filter_functions_neon' ... So do not compile local libpng source in ghostscript, use shared libpng to instead. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
- Backport patches to fix build failure caused by
  '--without-jbig2dec' and '--without-jbig2dec'.
  ...
  |make[1]: *** No rule to make target `obj/sjbig2_.dev',
  needed by `obj/sjbig2.dev'.  Stop.
  ...
  http://bugs.ghostscript.com/show_bug.cgi?id=696497

- Previously, it did not build the whole local libpng
  source in ghostscript, only picked up specific files
  and compile them. But on ghostscript 9.18, when the
  arm's FPU has been set to NEON (-mfpu=neon * with GCC),
  the selected file "libpng/pngrutil.c" needs to link
  'png_init_filter_functions_neon' which should be
  compiled by a non-selected file "libpng/arm/arm_init.c".
  ...
  |./obj/pngrutil.o: In function `png_init_filter_functions':
  |armv7a-neon-poky-linux-gnueabi/ghostscript/9.18-r0/build/../
  ghostscript-9.18/libpng/pngrutil.c:3921: undefined reference to
  `png_init_filter_functions_neon'
  ...
  So do not compile local libpng source in ghostscript,
  use shared libpng to instead.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>