The following patches will update ghostscript and its new input jbig2dec. I rebuilt some dependents successfully until my storage was full.
--
Vincent Legoll
* gnu/packages/image.scm (jbig2dec): Update to 0.19. --- gnu/packages/image.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 958f1dcc59..6dff48bd87 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -674,15 +674,15 @@ arithmetic ops.") (define-public jbig2dec (package (name "jbig2dec") - (version "0.18") + (version "0.19") (source (origin (method url-fetch) (uri (string-append "https://github.com/ArtifexSoftware" "/ghostpdl-downloads/releases/download" - "/gs951/" name "-" version ".tar.gz")) + "/gs9533/" name "-" version ".tar.gz")) (sha256 (base32 - "0pigfw2v0ppvr0lbysm69gx0zsa5q2q92yrb8af2j3im6x97f6cy")))) + "0dwa24kjqyg9hmm40fh048sdxfpnasz43l2rm8wlkw1qbdlpd517")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static") #:phases (modify-phases %standard-phases -- 2.30.0
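Review bot: in the `uri` of the jbig2dec origin, the release directory "/gs9533/" is a hard-coded literal that follows the Ghostscript release, while the rest of the file name is built from `name` and `version`. Nothing in the package ties that directory to either version field, so a later bump of `version` alone would produce a URL that no longer matches the release it should come from. A one-line comment next to the string saying it must be updated together with ghostscript would make the coupling visible to the next person who touches it.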
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3. [source](patches): Remove it. [native-inputs]: Add jbig2dec. --- gnu/local.mk | 1 - gnu/packages/ghostscript.scm | 6 ++-- .../patches/ghostscript-CVE-2020-15900.patch | 36 ------------------- 3 files changed, 3 insertions(+), 40 deletions(-) delete mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch diff --git a/gnu/local.mk b/gnu/local.mk index b9757fe69e..3caa6c6fc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1061,7 +1061,6 @@ dist_patch_DATA = \ %D%/packages/patches/ghc-monad-par-fix-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-html-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-latex-test.patch \ - %D%/packages/patches/ghostscript-CVE-2020-15900.patch \ %D%/packages/patches/ghostscript-freetype-compat.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 19430d315a..53a631b095 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -160,7 +160,7 @@ printing, and psresize, for adjusting page sizes.") (define-public ghostscript (package (name "ghostscript") - (version "9.52") + (version "9.53.3") (source (origin (method url-fetch) @@ -170,9 +170,8 @@ printing, and psresize, for adjusting page sizes.") "/ghostscript-" version ".tar.xz")) (sha256 (base32 - "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p")) + "0d52w9ajv1rz533119ywgmkzkapp74riwny0d21v0zkcbg45p7ww")) (patches (search-patches "ghostscript-freetype-compat.patch" - "ghostscript-CVE-2020-15900.patch" "ghostscript-no-header-creationdate.patch" "ghostscript-no-header-id.patch" "ghostscript-no-header-uuid.patch")) 
@@ -271,6 +270,7 @@ printing, and psresize, for adjusting page sizes.") ("pkg-config" ,pkg-config) ;needed for freetype ("python" ,python-minimal-wrapper) ("tcl" ,tcl) + ("jbig2dec" ,jbig2dec) ;; When cross-compiling, some of the natively-built tools require all ;; these libraries. diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch deleted file mode 100644 index b6658d7c7f..0000000000 --- a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch +++ /dev/null @@ -1,36 +0,0 @@ -Fix CVE-2020-15900. - -https://cve.circl.lu/cve/CVE-2020-15900 -https://artifex.com/security-advisories/CVE-2020-15900 - -Taken from upstream: -https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b - -diff --git a/psi/zstring.c b/psi/zstring.c ---- a/psi/zstring.c -+++ b/psi/zstring.c -@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) - return 0; - found: - op->tas.type_attrs = op1->tas.type_attrs; -- op->value.bytes = ptr; -- r_set_size(op, size); -+ op->value.bytes = ptr; /* match */ -+ op->tas.rsize = size; /* match */ - push(2); -- op[-1] = *op1; -- r_set_size(op - 1, ptr - op[-1].value.bytes); -- op1->value.bytes = ptr + size; -- r_set_size(op1, count + (!forward ? (size - 1) : 0)); -+ op[-1] = *op1; /* pre */ -+ op[-3].value.bytes = ptr + size; /* post */ -+ if (forward) { -+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ -+ op[-3].tas.rsize = count; /* post */ -+ } else { -+ op[-1].tas.rsize = count; /* pre */ -+ op[-3].tas.rsize -= count + size; /* post */ -+ } - make_true(op); - return 0; - } -- 2.30.0
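Review bot: the last hunk of gnu/packages/ghostscript.scm adds ("jbig2dec" ,jbig2dec) to the list that ends with the comment "When cross-compiling, some of the natively-built tools require all these libraries", which is the native-inputs field named in the commit message. Native inputs are built for the build machine and are meant for tools used during the build; a decoder library that Ghostscript links against and uses at run time belongs in `inputs`. Please check whether jbig2dec is already listed in `inputs` and, if it is, drop this line rather than adding a second reference.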
The removed patch is in the new version (it was extracted from the repository to begin with).
--
Vincent Legoll
On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source](patches): Remove it.
> [native-inputs]: Add jbig2dec.
Thanks!
$ guix show jbig2dec | grep synopsis
synopsis: Decoder of the JBIG2 image compression format
It seems like it would be a run-time dependency, not just something used
to build ghostscript. In that case it would be an 'input', not a
'native-input'. What do you think?
Also, the idiomatic commit message would be like this:
------
gnu: ghostscript: Update to 9.53.3.
* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
[source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
[native-inputs]: Add jbig2dec.
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
------
On Sat, Feb 20, 2021 at 7:25 PM Leo Famulari <leo@famulari.name> wrote:
> On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> > * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> > * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> > * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> > [source](patches): Remove it.
> > [native-inputs]: Add jbig2dec.
>
> Thanks!
>
> $ guix show jbig2dec | grep synopsis
> synopsis: Decoder of the JBIG2 image compression format
>
> It seems like it would be a run-time dependency, not just something used
> to build ghostscript. In that case it would be an 'input', not a
> 'native-input'. What do you think?
>
> Also, the idiomatic commit message would be like this:
>
> ------
> gnu: ghostscript: Update to 9.53.3.
>
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
> [native-inputs]: Add jbig2dec.
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.
> ------
Thanks, I'll double check and update the patch & commitmsg.
--
Vincent Legoll
OK, now that I've looked at it some more, the native-input addition was a mistake (jbig2dec was already in inputs, which is how I knew it needed to be updated for gs-9.5.53 in the first place). So sorry for that, the following has that fixed and your commit msg. Thanks
--
Vincent Legoll
* gnu/packages/image.scm (jbig2dec): Update to 0.19. --- gnu/packages/image.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 958f1dcc59..6dff48bd87 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -674,15 +674,15 @@ arithmetic ops.") (define-public jbig2dec (package (name "jbig2dec") - (version "0.18") + (version "0.19") (source (origin (method url-fetch) (uri (string-append "https://github.com/ArtifexSoftware" "/ghostpdl-downloads/releases/download" - "/gs951/" name "-" version ".tar.gz")) + "/gs9533/" name "-" version ".tar.gz")) (sha256 (base32 - "0pigfw2v0ppvr0lbysm69gx0zsa5q2q92yrb8af2j3im6x97f6cy")))) + "0dwa24kjqyg9hmm40fh048sdxfpnasz43l2rm8wlkw1qbdlpd517")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static") #:phases (modify-phases %standard-phases -- 2.30.0
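Review bot: the new `sha256` base32 value in the jbig2dec origin is the only integrity check on the tarball fetched from the "/gs9533/" release directory, and nothing in the diff or the commit message says how it was obtained. Please confirm it by fetching the 0.19 tarball from that URL with `guix download` and comparing the printed hash with the one in the patch, and against an upstream checksum if one is published for that release.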
* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3. [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'. * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/ghostscript.scm | 5 ++- .../patches/ghostscript-CVE-2020-15900.patch | 36 ------------------- 3 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch diff --git a/gnu/local.mk b/gnu/local.mk index b9757fe69e..3caa6c6fc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1061,7 +1061,6 @@ dist_patch_DATA = \ %D%/packages/patches/ghc-monad-par-fix-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-html-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-latex-test.patch \ - %D%/packages/patches/ghostscript-CVE-2020-15900.patch \ %D%/packages/patches/ghostscript-freetype-compat.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 19430d315a..2a13cbd83f 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -160,7 +160,7 @@ printing, and psresize, for adjusting page sizes.") (define-public ghostscript (package (name "ghostscript") - (version "9.52") + (version "9.53.3") (source (origin (method url-fetch) @@ -170,9 +170,8 @@ printing, and psresize, for adjusting page sizes.") "/ghostscript-" version ".tar.xz")) (sha256 (base32 - "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p")) + "0d52w9ajv1rz533119ywgmkzkapp74riwny0d21v0zkcbg45p7ww")) (patches (search-patches "ghostscript-freetype-compat.patch" - "ghostscript-CVE-2020-15900.patch" "ghostscript-no-header-creationdate.patch" "ghostscript-no-header-id.patch" "ghostscript-no-header-uuid.patch")) 
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch deleted file mode 100644 index b6658d7c7f..0000000000 --- a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch +++ /dev/null @@ -1,36 +0,0 @@ -Fix CVE-2020-15900. - -https://cve.circl.lu/cve/CVE-2020-15900 -https://artifex.com/security-advisories/CVE-2020-15900 - -Taken from upstream: -https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b - -diff --git a/psi/zstring.c b/psi/zstring.c ---- a/psi/zstring.c -+++ b/psi/zstring.c -@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) - return 0; - found: - op->tas.type_attrs = op1->tas.type_attrs; -- op->value.bytes = ptr; -- r_set_size(op, size); -+ op->value.bytes = ptr; /* match */ -+ op->tas.rsize = size; /* match */ - push(2); -- op[-1] = *op1; -- r_set_size(op - 1, ptr - op[-1].value.bytes); -- op1->value.bytes = ptr + size; -- r_set_size(op1, count + (!forward ? (size - 1) : 0)); -+ op[-1] = *op1; /* pre */ -+ op[-3].value.bytes = ptr + size; /* post */ -+ if (forward) { -+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ -+ op[-3].tas.rsize = count; /* post */ -+ } else { -+ op[-1].tas.rsize = count; /* pre */ -+ op[-3].tas.rsize -= count + size; /* post */ -+ } - make_true(op); - return 0; - } -- 2.30.0
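Review bot: the commit message calls ghostscript-CVE-2020-15900.patch obsolete but does not record why, and once the file is deleted the only pointer to the fix is gone from the tree. The header of the deleted patch names the upstream commit 5d499272b95a6b890a1397e11d20937de000d31b in psi/zstring.c; a line in the commit message saying that 9.53.3 already contains that commit would keep the CVE-2020-15900 trail for anyone auditing the package later. It is also worth confirming against the 9.53.3 tarball that `search_impl` carries the `if (forward) { ... } else { ... }` size handling shown in the removed hunk before the patch is dropped.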
On Sat, Feb 20, 2021 at 10:10:09PM +0100, Vincent Legoll wrote:
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.
Thanks for the revised patches! Pushed as
f49c13f1833f0db5a5ddcb751c16f6e9ed56355f