[PATCH 0/2 core-updates] ghostscript update

Status: Done
Participants: Leo Famulari, Vincent Legoll
Owner: unassigned
Submitted by: Vincent Legoll
Severity: normal

Vincent Legoll wrote 4 years ago
(name . Guix Patches)(address . guix-patches@gnu.org)
CAEwRq=qhaABBCsQb7AN9tmqSOrvxfF_8QNz3o+kP2yUno5Up3g@mail.gmail.com
The following patches will update ghostscript
and its new input jbig2dec.

I rebuilt some dependents successfully until my
storage was full.

--
Vincent Legoll
Vincent Legoll wrote 4 years ago
[PATCH 2/2] gnu: ghostscript: Update to 9.53.3.
(address . 46566@debbugs.gnu.org)(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20210216191247.6715-2-vincent.legoll@gmail.com
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
[source](patches): Remove it.
[native-inputs]: Add jbig2dec.
---
gnu/local.mk | 1 -
gnu/packages/ghostscript.scm | 6 ++--
.../patches/ghostscript-CVE-2020-15900.patch | 36 -------------------
3 files changed, 3 insertions(+), 40 deletions(-)
delete mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b9757fe69e..3caa6c6fc9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1061,7 +1061,6 @@ dist_patch_DATA = \
%D%/packages/patches/ghc-monad-par-fix-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-html-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-latex-test.patch \
- %D%/packages/patches/ghostscript-CVE-2020-15900.patch \
%D%/packages/patches/ghostscript-freetype-compat.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 19430d315a..53a631b095 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -160,7 +160,7 @@ printing, and psresize, for adjusting page sizes.")
(define-public ghostscript
(package
(name "ghostscript")
- (version "9.52")
+ (version "9.53.3")
(source
(origin
(method url-fetch)
@@ -170,9 +170,8 @@ printing, and psresize, for adjusting page sizes.")
"/ghostscript-" version ".tar.xz"))
(sha256
(base32
- "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
+ "0d52w9ajv1rz533119ywgmkzkapp74riwny0d21v0zkcbg45p7ww"))
(patches (search-patches "ghostscript-freetype-compat.patch"
- "ghostscript-CVE-2020-15900.patch"
"ghostscript-no-header-creationdate.patch"
"ghostscript-no-header-id.patch"
"ghostscript-no-header-uuid.patch"))
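Review bot: Dropping "ghostscript-CVE-2020-15900.patch" from search-patches removes a security fix from the build, and the commit log only says "[source](patches): Remove it." without stating why that is safe. Say in the log that the patch is obsolete because 9.53.3 already contains the fix, so a later reader of the history does not have to re-derive it. The new sha256 cannot be checked from the diff itself; confirm it against a freshly fetched 9.53.3 tarball before merging.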
@@ -271,6 +270,7 @@ printing, and psresize, for adjusting page sizes.")
("pkg-config" ,pkg-config) ;needed for freetype
("python" ,python-minimal-wrapper)
("tcl" ,tcl)
+ ("jbig2dec" ,jbig2dec)
;; When cross-compiling, some of the natively-built tools require all
;; these libraries.
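Review bot: The new ("jbig2dec" ,jbig2dec) entry lands in native-inputs, next to build tools such as pkg-config and tcl, but jbig2dec is a JBIG2 decoder and reads like something ghostscript needs at run time, which would make it an 'inputs' entry instead. Check whether it is already listed in inputs; if it is, this line is redundant and should be dropped. It also sits above the ";; When cross-compiling, some of the natively-built tools require all these libraries." comment, so it is outside the group of libraries that comment introduces.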
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
deleted file mode 100644
index b6658d7c7f..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2020-15900.
-
-https://cve.circl.lu/cve/CVE-2020-15900
-https://artifex.com/security-advisories/CVE-2020-15900
-
-Taken from upstream:
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
-
-diff --git a/psi/zstring.c b/psi/zstring.c
---- a/psi/zstring.c
-+++ b/psi/zstring.c
-@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
- return 0;
- found:
- op->tas.type_attrs = op1->tas.type_attrs;
-- op->value.bytes = ptr;
-- r_set_size(op, size);
-+ op->value.bytes = ptr; /* match */
-+ op->tas.rsize = size; /* match */
- push(2);
-- op[-1] = *op1;
-- r_set_size(op - 1, ptr - op[-1].value.bytes);
-- op1->value.bytes = ptr + size;
-- r_set_size(op1, count + (!forward ? (size - 1) : 0));
-+ op[-1] = *op1; /* pre */
-+ op[-3].value.bytes = ptr + size; /* post */
-+ if (forward) {
-+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
-+ op[-3].tas.rsize = count; /* post */
-+ } else {
-+ op[-1].tas.rsize = count; /* pre */
-+ op[-3].tas.rsize -= count + size; /* post */
-+ }
- make_true(op);
- return 0;
- }
--
2.30.0
Vincent Legoll wrote 4 years ago
[PATCH 1/2] gnu: jbig2dec: Update to 0.19.
(address . 46566@debbugs.gnu.org)(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20210216191247.6715-1-vincent.legoll@gmail.com
* gnu/packages/image.scm (jbig2dec): Update to 0.19.
---
gnu/packages/image.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 958f1dcc59..6dff48bd87 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -674,15 +674,15 @@ arithmetic ops.")
(define-public jbig2dec
(package
(name "jbig2dec")
- (version "0.18")
+ (version "0.19")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/ArtifexSoftware"
"/ghostpdl-downloads/releases/download"
- "/gs951/" name "-" version ".tar.gz"))
+ "/gs9533/" name "-" version ".tar.gz"))
(sha256
(base32
- "0pigfw2v0ppvr0lbysm69gx0zsa5q2q92yrb8af2j3im6x97f6cy"))))
+ "0dwa24kjqyg9hmm40fh048sdxfpnasz43l2rm8wlkw1qbdlpd517"))))
(build-system gnu-build-system)
(arguments '(#:configure-flags '("--disable-static")
#:phases (modify-phases %standard-phases
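Review bot: The release directory in the uri is a hard-coded literal ("/gs9533/") tied to a Ghostscript release rather than to this package's version field, so it has to be bumped by hand on every update. The old value "/gs951/" did not match the ghostscript version (9.52) packaged alongside it, so the directory cannot be derived from either version field. A short comment above the uri naming the Ghostscript release that ships jbig2dec 0.19 would make the next update less error-prone.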
--
2.30.0
Vincent Legoll wrote 4 years ago
Re: bug#46566: Acknowledgement ([PATCH 0/2 core-updates] ghostscript update)
(address . 46566@debbugs.gnu.org)
CAEwRq=rNCJjKkDZiX+TMekfx5uQ7rgWQQ2QqsvreB3t6nRFgiA@mail.gmail.com
The removed patch is in the new version (it was
extracted from the repository to begin with)

--
Vincent Legoll
Leo Famulari wrote 4 years ago
Re: [bug#46566] [PATCH 2/2] gnu: ghostscript: Update to 9.53.3.
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 46566@debbugs.gnu.org)
YDFUFtiPJ9TYDlwB@jasmine.lan
On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source](patches): Remove it.
> [native-inputs]: Add jbig2dec.

Thanks!

$ guix show jbig2dec | grep synopsis
synopsis: Decoder of the JBIG2 image compression format

It seems like it would be a run-time dependency, not just something used
to build ghostscript. In that case it would be an 'input', not a
'native-input'. What do you think?

Also, the idiomatic commit message would be like this:

------
gnu: ghostscript: Update to 9.53.3.

* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
[source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
[native-inputs]: Add jbig2dec.
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
------
Vincent Legoll wrote 4 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 46566@debbugs.gnu.org)
CAEwRq=oE0wUCa3Sixb_fJXe8qLkFCdEfyaQMYEWqkMMUiVMr4w@mail.gmail.com
On Sat, Feb 20, 2021 at 7:25 PM Leo Famulari <leo@famulari.name> wrote:
> On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> > * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> > * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> > * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> > [source](patches): Remove it.
> > [native-inputs]: Add jbig2dec.
>
> Thanks!
>
> $ guix show jbig2dec | grep synopsis
> synopsis: Decoder of the JBIG2 image compression format
>
> It seems like it would be a run-time dependency, not just something used
> to build ghostscript. In that case it would be an 'input', not a
> 'native-input'. What do you think?
>
> Also, the idiomatic commit message would be like this:
>
> ------
> gnu: ghostscript: Update to 9.53.3.
>
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
> [native-inputs]: Add jbig2dec.
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.
> ------

Thanks, I'll double check and update the patch & commitmsg.

--
Vincent Legoll
Vincent Legoll wrote 4 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 46566@debbugs.gnu.org)
CAEwRq=odjf8Yw=U9kx=3nHOn3CziGgeLNWQ-k06+unc=pFoHew@mail.gmail.com
OK, now that I've looked at it some more, the
native-input addition was a mistake (jbig2dec
was already in inputs, which is how I knew it
needed to be updated for gs-9.5.53 in the
first place).

So sorry for that, the following has that fixed
and your commit msg.

Thanks

--
Vincent Legoll
Vincent Legoll wrote 4 years ago
[PATCH 1/2] gnu: jbig2dec: Update to 0.19.
(address . 46566@debbugs.gnu.org)(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20210220211009.6014-1-vincent.legoll@gmail.com
* gnu/packages/image.scm (jbig2dec): Update to 0.19.
---
gnu/packages/image.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 958f1dcc59..6dff48bd87 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -674,15 +674,15 @@ arithmetic ops.")
(define-public jbig2dec
(package
(name "jbig2dec")
- (version "0.18")
+ (version "0.19")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/ArtifexSoftware"
"/ghostpdl-downloads/releases/download"
- "/gs951/" name "-" version ".tar.gz"))
+ "/gs9533/" name "-" version ".tar.gz"))
(sha256
(base32
- "0pigfw2v0ppvr0lbysm69gx0zsa5q2q92yrb8af2j3im6x97f6cy"))))
+ "0dwa24kjqyg9hmm40fh048sdxfpnasz43l2rm8wlkw1qbdlpd517"))))
(build-system gnu-build-system)
(arguments '(#:configure-flags '("--disable-static")
#:phases (modify-phases %standard-phases
--
2.30.0
Vincent Legoll wrote 4 years ago
[PATCH 2/2] gnu: ghostscript: Update to 9.53.3.
(address . 46566@debbugs.gnu.org)(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20210220211009.6014-2-vincent.legoll@gmail.com
* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
[source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/ghostscript.scm | 5 ++-
.../patches/ghostscript-CVE-2020-15900.patch | 36 -------------------
3 files changed, 2 insertions(+), 40 deletions(-)
delete mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b9757fe69e..3caa6c6fc9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1061,7 +1061,6 @@ dist_patch_DATA = \
%D%/packages/patches/ghc-monad-par-fix-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-html-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-latex-test.patch \
- %D%/packages/patches/ghostscript-CVE-2020-15900.patch \
%D%/packages/patches/ghostscript-freetype-compat.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 19430d315a..2a13cbd83f 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -160,7 +160,7 @@ printing, and psresize, for adjusting page sizes.")
(define-public ghostscript
(package
(name "ghostscript")
- (version "9.52")
+ (version "9.53.3")
(source
(origin
(method url-fetch)
@@ -170,9 +170,8 @@ printing, and psresize, for adjusting page sizes.")
"/ghostscript-" version ".tar.xz"))
(sha256
(base32
- "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
+ "0d52w9ajv1rz533119ywgmkzkapp74riwny0d21v0zkcbg45p7ww"))
(patches (search-patches "ghostscript-freetype-compat.patch"
- "ghostscript-CVE-2020-15900.patch"
"ghostscript-no-header-creationdate.patch"
"ghostscript-no-header-id.patch"
"ghostscript-no-header-uuid.patch"))
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
deleted file mode 100644
index b6658d7c7f..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2020-15900.
-
-https://cve.circl.lu/cve/CVE-2020-15900
-https://artifex.com/security-advisories/CVE-2020-15900
-
-Taken from upstream:
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
-
-diff --git a/psi/zstring.c b/psi/zstring.c
---- a/psi/zstring.c
-+++ b/psi/zstring.c
-@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
- return 0;
- found:
- op->tas.type_attrs = op1->tas.type_attrs;
-- op->value.bytes = ptr;
-- r_set_size(op, size);
-+ op->value.bytes = ptr; /* match */
-+ op->tas.rsize = size; /* match */
- push(2);
-- op[-1] = *op1;
-- r_set_size(op - 1, ptr - op[-1].value.bytes);
-- op1->value.bytes = ptr + size;
-- r_set_size(op1, count + (!forward ? (size - 1) : 0));
-+ op[-1] = *op1; /* pre */
-+ op[-3].value.bytes = ptr + size; /* post */
-+ if (forward) {
-+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
-+ op[-3].tas.rsize = count; /* post */
-+ } else {
-+ op[-1].tas.rsize = count; /* pre */
-+ op[-3].tas.rsize -= count + size; /* post */
-+ }
- make_true(op);
- return 0;
- }
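Review bot: With this file deleted, the tree no longer carries the search_impl() fix itself, so the update relies on the 9.53.3 tarball containing upstream commit 5d499272b95a6b890a1397e11d20937de000d31b. Before merging, confirm that psi/zstring.c in the new source has the separate forward and backward size assignments (the "if (forward) { ... } else { ... }" block setting op[-1].tas.rsize and op[-3].tas.rsize) rather than the old "r_set_size(op1, count + (!forward ? (size - 1) : 0));" call. The deleted header was also the only in-tree pointer to the advisory URLs, so naming the CVE patch in the commit log, as this revision does, should be kept.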
--
2.30.0
Leo Famulari wrote 4 years ago
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 46566-done@debbugs.gnu.org)
YDGPsbH3h/qLEOrU@jasmine.lan
On Sat, Feb 20, 2021 at 10:10:09PM +0100, Vincent Legoll wrote:
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

Thanks for the revised patches! Pushed as
f49c13f1833f0db5a5ddcb751c16f6e9ed56355f
Closed
This issue is archived.