summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/ghostscript
Commit message (Collapse)AuthorAgeFilesLines
* meta: remove consecutive blank linesAlexander Kanavin2025-06-201-1/+0
| | | | | | | | | | | | | | | | | Some of them were introduced by mass-removal of S = WORKDIR/git assignments; rather than try to fix up (or redo) just these, I've run this sed command over the whole tree: sed -i -z -E 's/([ \t\f\v\r]*\n){3,}/\n\n/g' `find . -name *.bb -o -name *.inc` The rationale is that more than one empty line is wasting vertical screen space, and does nothing for readability. (From OE-Core rev: cedc4ff7c9bcfb22a20e43e47f9759f4007a4f1a) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Use TARGET_CFLAGS to pass compiler optionsRichard Purdie2025-06-091-1/+1
| | | | | | | | | Passing compiler options via CC is error prone when we allow toolchain selection. Use TARGET_CFLAGS instead. (From OE-Core rev: 2091ebf845004040a6227d18cfa6bb508d1b9c9f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.05.0 -> 10.05.1Wang Mingyu2025-05-131-1/+1
| | | | | | | (From OE-Core rev: cc9ba7005fb155f4d5f2be9b23c12d14362a306b) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix build with gcc-15 on hostMartin Jansa2025-04-292-0/+68
| | | | | | | (From OE-Core rev: 02e282f6417274a93c6f01978bf33e2d171297b0) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Pin to C17 stdKhem Raj2025-03-271-0/+2
| | | | | | | | | | | | | | | The code defines a custom 'bool' type (as an 'int'), which is incompatible with C23 in which bool is a keyword, and trying to use <stdbool.h> fails because 'int' and 'bool' are used interchangeably in the code. Add the flag to CC variable, since CFLAGS is used by both c and c++ compilers and clang++ is less forgiving when C compiler only option is used on its cmdline so it complains about -std=gnu17 and bails out. (From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.04.0 -> 10.05.0Richard Purdie2025-03-173-8/+5
| | | | | | (From OE-Core rev: baef546edd9a719448cc39962dea24925aab70b8) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.03.1 -> 10.04.0Wang Mingyu2024-09-302-4/+4
| | | | | | | | | | | | | | | | | | avoid-host-contamination.patch refreshed for 10.04.0 Changelog: =========== - addresses CVEs: CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, CVE-2024-46956 - add protection for device selection from PostScript input. - efforts in code hygiene and maintainability continue. - The usual round of bug fixes, compatibility changes, and incremental improvements. - add the capability to build with the Tesseract OCR engine. (From OE-Core rev: b9aa935d1d834e86b1a9cd2e5311e41dd7cd092f) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.03.0 -> 10.03.1Changqing Li2024-05-301-1/+1
| | | | | | | | | | | | | | | Patch release to address security bugs: CVE-2024-33869 CVE-2023-52722 CVE-2024-33870 CVE-2024-33871 CVE-2024-29510 (From OE-Core rev: 9a424fbcdc0c792ff3b99bf0e8a5e380582f53bc) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.02.1 -> 10.03.0Wang Mingyu2024-04-163-108/+5
| | | | | | | | | | | | | avoid-host-contamination.patch refreshed for 10.03.0 configure.ac-add-option-to-explicitly-disable-neon.patch removed since it's included in 10.03.0 (From OE-Core rev: 0e389b7b20cf77327127ae0ced856e2b2ec7aee2) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Update CVE_STATUS for incorrect cpesSimone Weiß2024-02-241-0/+1
| | | | | | | | | | Set CVE_STATUS as none of the issues apply against the versions used in the recipes. (From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe) Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: correct LICENSE with AGPLv3Kai Kang2024-02-081-1/+1
| | | | | | | | | | | | | | | | The license of ghostscript has switched to Affero GPL since version 9.07 via commit: * 3cc5318 Switch Ghostscript/GhostPDL to Affero GPL https://github.com/ArtifexSoftware/ghostpdl/commit/3cc5318 Correct it with `AGPL-3.0-or-later`. (From OE-Core rev: 7dec33a8026d9aa96177060b13bb63d74eeb4855) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Build and install shared libMarkus Volk2023-11-131-1/+2
| | | | | | | | | | | | libgs is eg. needed to build ghostscript support for gimp also install the data target (From OE-Core rev: cedd211d8b73076d1ef6f32af1c59e87a436d637) Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.02.0 -> 10.02.1Wang Mingyu2023-11-051-1/+1
| | | | | | | | (From OE-Core rev: 9492c2d51a08fbd4c107540a5a833b1a3fb70504) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 10.01.2 -> 10.02.0Alexander Kanavin2023-09-262-34/+2
| | | | | | | | (From OE-Core rev: e705edc553fa57361cb948ec7923b261f373f385) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: avoid neon on unsupported machinesBenjamin Bara2023-09-052-0/+103
| | | | | | | | | Disable neon if the machine does not support it. (From OE-Core rev: 22d40fcb984849bc8735bf03b306c3a3b11eb779) Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: ignore CVE-2023-38560Ross Burton2023-08-091-0/+2
| | | | | | | | | | | The ghostscript recipe isn't vulnerable to CVE-2023-38560, as this is an issue in the GhostPCL release, whereas this recipe is the Ghostscript release. (From OE-Core rev: f82a13beabc784da1455f86064ce9f0f225b6e5a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: backport fix for CVE-2023-38559Ross Burton2023-08-092-0/+32
| | | | | | | (From OE-Core rev: 38478a82598260e5e0616598e8cf78416dac1867) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: advance to version 10.01.2Joe Slater2023-07-141-1/+1
| | | | | | | | | | Fix CVE-2023-28879 and CVE-2023-36664. (From OE-Core rev: 7a66d238af8545dfb9a79e551ccaac889b2d52dd) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: remove CVE_CHECK_IGNORE for CVE-2013-6629Ross Burton2023-06-291-3/+0
| | | | | | | | | | | This CVE now has a version range, indicating that this Ghostscript release isn't vulnerable. (From OE-Core rev: da6d0763a7fb9c7a322bf5964f8abdf6bed7e219) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: mostly rewrite recipeRoss Burton2023-06-208-314/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This started as a patch cleanup but escalated rapidly. Remove unneeded patches: - mkdir-p.patch isn't needed now the Makefiles appear to have the correct dependencies. - ghostscript-9.15-parallel-make.patch appears to be unneeded for the same reason - base-genht.c-add-a-preprocessor-define-to-allow-fope.patch isn't needed - cups-no-gcrypt.patch isn't needed - do-not-check-local-libpng-source.patch can be replaced by deleting the libpng/ directory, as is already done for jpeg/ - ghostscript-9.21-native-fix-disable-system-libtiff.patch is not needed when we stop doing native builds (see below) Remove the need for ghostscript-native to build and install tools that are needed at target build-time: ghostscript can do this itself. Remove the BBCLASSEXTEND and all of the native overrides. Inherit pkgconfig and explicitly tell configure to use the pkgconfig binary: unless told otherwise this configure will refuse to use an unprefixed pkgconfig in cross builds. Review DEPENDS and add missing freetype and zlib dependencies. Ghostcript will use the embedded copies of libraries over system libraries, so extend the deletion of jpeg and libpng to include expat, freetype, and cups as we want to link to our build of those. We can't delete zlib as it is explicitly used when building the native tools. Add PACKAGECONFIGs for optional libidn and libpaper dependencies. Remove HAVE_SYS_TIME_H assignments, the upstream bug was fixed in 2011. Clean up comments: there's no need to explain how to use PACKAGECONFIG, and justify the use of autotools-brokensep. (From OE-Core rev: b62e6d676ce2075a52eea729957f186cfb3bd42b) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade to 10.01.1Ross Burton2023-06-063-103/+1
| | | | | | | | | Drop the merged fix for CVE-2023-28879. (From OE-Core rev: 659b0cf41db00420366d0eca103f16922c2c5d72) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2023-28879Joe Slater2023-05-052-0/+61
| | | | | | | | | | | Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1. (From OE-Core rev: 8a70d6935afa38173dbf012b8e1c3d59228504df) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.56.1 -> 10.0.0Alexander Kanavin2022-12-183-6/+47
| | | | | | | | | | | Drop --without-jbig2dec as it is now required by pdf support and jbig2dec library is in ghostscript's source tree. (From OE-Core rev: 761a17b7beab248056b69b9c3d84b1ddc4d2082d) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: remove unneeded patchAlexander Kanavin2022-09-022-79/+0
| | | | | | | | | | | | | The patch has been added here https://git.yoctoproject.org/poky/commit/?id=ca63a0158ae42010477080ad6bb776329f1230b0 and isn't necessary anymore, as cross compilation works fine without it. (From OE-Core rev: 37e521d8a5d1a89ba46d5058bc9c86cbe2195652) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.55.0 -> 9.56.1wangmy2022-04-191-1/+1
| | | | | | | | (From OE-Core rev: 83a45e8a2532689da6cffe444ad4326ad1b1a4f2) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/scripts: Automated conversion of OE renamed variablesRichard Purdie2022-02-211-1/+1
| | | | | | (From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX ↵Richard Purdie2022-02-201-1/+1
| | | | | | | | | | | | | license identifiers An automated conversion using scripts/contrib/convert-spdx-licenses.py to convert to use the standard SPDX license identifiers. Two recipes in meta-selftest were not converted as they're that way specifically for testing. A change in linux-firmware was also skipped and may need a more manual tweak. (From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.54.0 -> 9.55.0Alexander Kanavin2021-10-231-3/+3
| | | | | | | | | | | | jbig2dec seems no longer optional; the source for it is bundle with ghostscript. License-Update: removed patent references (From OE-Core rev: 44a3bea7e8fedbc76b6e8f97e1f669def81e158a) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Convert to new override syntaxRichard Purdie2021-08-021-11/+11
| | | | | | | | | | | | This is the result of automated script conversion: scripts/contrib/convert-overrides.py <oe-core directory> converting the metadata to use ":" as the override character instead of "_". (From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Exclude CVE-2013-6629 from cve-checkRichard Purdie2021-05-121-0/+4
| | | | | | | | | The CVE is in the jpeg sources included with ghostscript. We use our own external jpeg library so this doesn't affect us. (From OE-Core rev: 8556d6a6722f21af5e6f97589bec3cbd31da206c) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.53.3 -> 9.54.0wangmy2021-04-181-1/+1
| | | | | | | (From OE-Core rev: bb4cdbda73b77808ebbd17cce3420fab767b496d) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.52 -> 9.53.3Alexander Kanavin2020-10-303-74/+12
| | | | | | | | | | | | | ghostscript-9.15-parallel-make.patch rebased; one of the chunks removed upstream. Remove bundled jpeg source, as that seems to be the only way to get ghostscript to fall back to system jpeg library. (From OE-Core rev: ad8c8ffc5a008872d40a36ea825da30accd6a11a) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2020-15900Lee Chee Yang2020-08-082-0/+55
| | | | | | | (From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Remove leftover fileRichard Purdie2020-05-181-1/+0
| | | | | | | | | This should have been removed in a previous change but was accidentally left behind and points at an invalid directory. (From OE-Core rev: 9d6ce24207189c711099f45265b240d0cdc0e686) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: update 9.50 -> 9.52Alexander Kanavin2020-05-0321-826/+19
| | | | | | | | | | | | | | Drop all custom objarch.h files; ghostscript nowadays generates that with autoconf. Freetype can no longer be disabled. Building out of source tree is broken. (From OE-Core rev: bb699a99b2e99a868520430c614d55ea3004427c) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: do not hardcode version in SRC_URIAlexander Kanavin2020-05-031-1/+5
| | | | | | | (From OE-Core rev: e0d972a054e286d62ccf9e3ccc4ec00892198038) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* microblaze: Adjust Linux items from microblazeeb to microblazeMark Hatle2020-02-061-0/+0
| | | | | | | | | | Due to recent changes to the tune, in order to match config.guess, the name of the big-endian microblaze architecture was changes to 'microblaze'. (From OE-Core rev: 6f6a6bbac684ead3fe6d070d61f17c2f611a2c87) Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Add powerpc64 LE specific objarch.hKhem Raj2020-01-191-0/+40
| | | | | | | (From OE-Core rev: 2b2ebb11da16975e3b0cba7854c3cfe54e0305a3) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: upgrade 9.27 -> 9.50Trevor Gamblin2019-12-094-581/+3
| | | | | | | | | | | | | Version 9.50 incorporates previously-backported fixes for CVE-2019-14811 and CVE-2019-14817. CVE: CVE-2019-14811 CVE: CVE-2019-14817 (From OE-Core rev: 8c626421840da9441be03587a57e9cf1ebd3d6f0) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix for CVE-2019-14811 is same as CVE-2019-14813Anuj Mittal2019-11-291-0/+1
| | | | | | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813 https://www.openwall.com/lists/oss-security/2019/08/28/2 (From OE-Core rev: afef29326b4332fc87c53a5d9d43288cddcdd944) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14869Stefan Ghinea2019-11-252-0/+71
| | | | | | | | | | | | | | | | | | | | | A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14869 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904 (From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Disable libpaperKhem Raj2019-10-081-2/+2
| | | | | | | | | | | | | | | | | | | OE does not provide libpaper recipe, and the configure check looks for libpaper if not disabled, this causes problems especially when shared state is built on a machine which has libpaper installed on host but the consumer machine although running same OS, but does not have libpaper installed, the artifact from sstate are re-used but then native binary ./obj/aux/packps fails to execute ./obj/aux/packps: error while loading shared libraries: libpaper.so.1: cannot open shared object file: No such file or directory So either we need to provide libpaper in OE or we disable it, disabling is best for now (From OE-Core rev: 11e85220d97299be5f65d5208ec21d4ad215317a) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: CVE-2019-14811, CVE-2019-14817Stefan Ghinea2019-09-164-0/+577
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14811 https://nvd.nist.gov/vuln/detail/CVE-2019-14817 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 (From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.26 -> 9.27Hongxu Jia2019-05-1215-2698/+10
| | | | | | | | | | | - Rebase ghostscript-9.02-genarch.patch - Drop backported CVE patches (From OE-Core rev: 62510fc82a8eee19bfc51d7b5bc1c6f2aec3825b) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: set CVE_PRODUCTChen Qi2019-05-081-0/+3
| | | | | | | (From OE-Core rev: 721e69aa12dd9ee22618ef13f29fb6d28eeab9af) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: Fix 3 CVEsOvidiu Panait2019-04-0914-0/+2688
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. References: https://nvd.nist.gov/vuln/detail/CVE-2019-6116 https://www.openwall.com/lists/oss-security/2019/01/23/5 https://nvd.nist.gov/vuln/detail/CVE-2019-3835 https://nvd.nist.gov/vuln/detail/CVE-2019-3838 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e (From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: 9.25 -> 9.26Hongxu Jia2018-12-019-1296/+3
| | | | | | | | | | - Drop backported CVE fixes 000[1-8]*.patch (From OE-Core rev: f30bd6bf01dbf81f0872382be44d507fb981f953) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18284Hongxu Jia2018-11-072-0/+246
| | | | | | | | | | | Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (From OE-Core rev: 98ab5c5770d20b39bf3c58083f31f31838f2e940) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-18073Hongxu Jia2018-11-073-0/+241
| | | | | | | | | | | Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (From OE-Core rev: 6098c19e1f179896af7013c4b5db3081549c97bc) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: fix CVE-2018-17961Hongxu Jia2018-11-076-0/+806
| | | | | | | | | | | | Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-24 07:24:49 +0000