The code defines a custom 'bool' type (as an 'int'), which is incompatible
with C23 in which bool is a keyword, and trying to use <stdbool.h> fails
because 'int' and 'bool' are used interchangeably in the code.
Add the flag to CC variable, since CFLAGS is used by both c and c++ compilers
and clang++ is less forgiving when C compiler only option is used on its
cmdline so it complains about -std=gnu17 and bails out.
(From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
avoid-host-contamination.patch
refreshed for 10.04.0
Changelog:
===========
- addresses CVEs: CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, CVE-2024-46956
- add protection for device selection from PostScript input.
- efforts in code hygiene and maintainability continue.
- The usual round of bug fixes, compatibility changes, and incremental improvements.
- add the capability to build with the Tesseract OCR engine.
(From OE-Core rev: b9aa935d1d834e86b1a9cd2e5311e41dd7cd092f)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
avoid-host-contamination.patch
refreshed for 10.03.0
configure.ac-add-option-to-explicitly-disable-neon.patch
removed since it's included in 10.03.0
(From OE-Core rev: 0e389b7b20cf77327127ae0ced856e2b2ec7aee2)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set CVE_STATUS as none of the issues apply against the versions
used in the recipes.
(From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libgs is eg. needed to build ghostscript support for gimp
also install the data target
(From OE-Core rev: cedd211d8b73076d1ef6f32af1c59e87a436d637)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ghostscript recipe isn't vulnerable to CVE-2023-38560, as this is an
issue in the GhostPCL release, whereas this recipe is the Ghostscript
release.
(From OE-Core rev: f82a13beabc784da1455f86064ce9f0f225b6e5a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE now has a version range, indicating that this Ghostscript
release isn't vulnerable.
(From OE-Core rev: da6d0763a7fb9c7a322bf5964f8abdf6bed7e219)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This started as a patch cleanup but escalated rapidly.
Remove unneeded patches:
- mkdir-p.patch isn't needed now the Makefiles appear to have the correct
dependencies.
- ghostscript-9.15-parallel-make.patch appears to be unneeded for the same
reason
- base-genht.c-add-a-preprocessor-define-to-allow-fope.patch isn't needed
- cups-no-gcrypt.patch isn't needed
- do-not-check-local-libpng-source.patch can be replaced by deleting
the libpng/ directory, as is already done for jpeg/
- ghostscript-9.21-native-fix-disable-system-libtiff.patch is not needed
when we stop doing native builds (see below)
Remove the need for ghostscript-native to build and install tools that
are needed at target build-time: ghostscript can do this itself. Remove
the BBCLASSEXTEND and all of the native overrides.
Inherit pkgconfig and explicitly tell configure to use the pkgconfig
binary: unless told otherwise this configure will refuse to use an
unprefixed pkgconfig in cross builds.
Review DEPENDS and add missing freetype and zlib dependencies.
Ghostcript will use the embedded copies of libraries over system
libraries, so extend the deletion of jpeg and libpng to include expat,
freetype, and cups as we want to link to our build of those. We can't
delete zlib as it is explicitly used when building the native tools.
Add PACKAGECONFIGs for optional libidn and libpaper dependencies.
Remove HAVE_SYS_TIME_H assignments, the upstream bug was fixed in 2011.
Clean up comments: there's no need to explain how to use PACKAGECONFIG,
and justify the use of autotools-brokensep.
(From OE-Core rev: b62e6d676ce2075a52eea729957f186cfb3bd42b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop the merged fix for CVE-2023-28879.
(From OE-Core rev: 659b0cf41db00420366d0eca103f16922c2c5d72)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop --without-jbig2dec as it is now required by pdf support
and jbig2dec library is in ghostscript's source tree.
(From OE-Core rev: 761a17b7beab248056b69b9c3d84b1ddc4d2082d)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jbig2dec seems no longer optional; the source for it
is bundle with ghostscript.
License-Update: removed patent references
(From OE-Core rev: 44a3bea7e8fedbc76b6e8f97e1f669def81e158a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
(From OE-Core rev: 8556d6a6722f21af5e6f97589bec3cbd31da206c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostscript-9.15-parallel-make.patch rebased; one of the
chunks removed upstream.
Remove bundled jpeg source, as that seems to be the only way
to get ghostscript to fall back to system jpeg library.
(From OE-Core rev: ad8c8ffc5a008872d40a36ea825da30accd6a11a)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This should have been removed in a previous change but was accidentally
left behind and points at an invalid directory.
(From OE-Core rev: 9d6ce24207189c711099f45265b240d0cdc0e686)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop all custom objarch.h files; ghostscript nowadays generates
that with autoconf.
Freetype can no longer be disabled.
Building out of source tree is broken.
(From OE-Core rev: bb699a99b2e99a868520430c614d55ea3004427c)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Due to recent changes to the tune, in order to match config.guess, the name
of the big-endian microblaze architecture was changes to 'microblaze'.
(From OE-Core rev: 6f6a6bbac684ead3fe6d070d61f17c2f611a2c87)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A flaw was found in all versions of ghostscript 9.x before 9.28,
where the `.charkeys` procedure, where it did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER` restrictions.
An attacker could abuse this flaw by creating a specially crafted
PostScript file that could escalate privileges within the Ghostscript
and access files outside of restricted areas or execute commands.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14869
Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904
(From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c)
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
OE does not provide libpaper recipe, and the configure check looks for
libpaper if not disabled, this causes problems especially when shared
state is built on a machine which has libpaper installed on host but the
consumer machine although running same OS, but does not have libpaper
installed, the artifact from sstate are re-used but then native binary
./obj/aux/packps fails to execute
./obj/aux/packps: error while loading shared libraries: libpaper.so.1: cannot open shared object file: No such file or directory
So either we need to provide libpaper in OE or we disable it, disabling
is best for now
(From OE-Core rev: 11e85220d97299be5f65d5208ec21d4ad215317a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Artifex Ghostscript allows attackers to bypass a sandbox protection
mechanism by leveraging exposure of system operators in the saved
execution stack in an error object.
(From OE-Core rev: 6098c19e1f179896af7013c4b5db3081549c97bc)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a
sandbox protection mechanism via vectors involving errorhandler
setup. NOTE: this issue exists because of an incomplete fix for
CVE-2018-17183.
(From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed below patches, as v9.25 source already has those
changes/security fixes:
0001-Bug-699665-memory-corruption-in-aesdecode.patch
0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
0004-Hide-the-.shfill-operator.patch
0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
remove-direct-symlink.patch
Re-worked ghostscript-9.21-native-fix-disable-system-libtiff.patch
and ghostscript-9.21-prevent_recompiling.patch
to fix warnings in do_patch task of ghostscript v9.25 recipe.
Highlights of ghostscript v9.25 release:
---------------------------------------
- This release fixes problems with argument handling, some unintended results
of the security fixes to the SAFER file access restrictions
(specifically accessing ICC profile files), and some additional security
issues over the recent 9.24 release.
- Note: The ps2epsi utility does not, and cannot call Ghostscript with
the -dSAFER command line option. It should never be called with input
from untrusted sources.
- Security issues have been the primary focus of this release, including
solving several (well publicised) real and potential exploits.
- As well as Ghostscript itself, jbig2dec has had a significant amount of work
improving its robustness in the face of out specification files.
- IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread
safe, and cannot be made thread safe without breaking the ABI.
Our fork will be thread safe, and include performance enhancements
(these changes have all be been offered and rejected upstream). We will
maintain compatibility between Ghostscript and LCMS2 for a time, but not in
perpetuity. Our fork will be available as its own package separately from
Ghostscript (and MuPDF).
- The usual round of bug fixes, compatibility changes, and incremental
improvements.
(From OE-Core rev: 4340928b8878b91b5a2750eb6bc87918740511ca)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
