Bug 231148 - print/ghostscript9-agpl-base: Update to 9.24
Summary: print/ghostscript9-agpl-base: Update to 9.24
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Tijl Coosemans
URL:
Keywords: security
Depends on:
Blocks: 231175
 
Reported: 2018-09-04 11:03 UTC by Tijl Coosemans
Modified: 2018-09-21 02:18 UTC

See Also:
bugzilla: maintainer-feedback? (doceng)
koobs: merge-quarterly+


Attachments
patch (8.50 KB, patch)
2018-09-04 11:03 UTC, Tijl Coosemans

Description Tijl Coosemans freebsd_committer freebsd_triage 2018-09-04 11:03:18 UTC
Created attachment 196848
patch

- Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to 9.24.
- Set USE_CSTD=gnu99 and eliminate a patch.
- Add cpe string.
- Patch configure to respect CFLAGS.

This release contains fixes for severe security problems so please fast-track this.

https://www.kb.cert.org/vuls/id/332928
CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911
Comment 1 Marc Fonvieille freebsd_committer freebsd_triage 2018-09-04 11:50:57 UTC
Approved, please commit it.

Marc with doceng hat.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-09-04 12:29:22 UTC
A commit references this bug:

Author: tijl
Date: Tue Sep  4 12:28:46 UTC 2018
New revision: 478951
URL: https://svnweb.freebsd.org/changeset/ports/478951

Log:
  - Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to
    9.24.
  - Set USE_CSTD=gnu99 and eliminate a patch.
  - Add cpe string.
  - Patch configure to respect CFLAGS.

  PR:		231148
  Approved by:	doceng (blackend)
  Security:	https://www.kb.cert.org/vuls/id/332928

Changes:
  head/print/ghostscript9-agpl-base/Makefile
  head/print/ghostscript9-agpl-base/distinfo
  head/print/ghostscript9-agpl-base/files/patch-base-stdpre.h
  head/print/ghostscript9-agpl-base/files/patch-configure
  head/print/ghostscript9-agpl-base/pkg-plist
  head/print/ghostscript9-agpl-x11/Makefile
  head/print/ghostscript9-agpl-x11/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-09-04 12:47:39 UTC
A commit references this bug:

Author: tijl
Date: Tue Sep  4 12:47:09 UTC 2018
New revision: 478953
URL: https://svnweb.freebsd.org/changeset/ports/478953

Log:
  Document Ghostscript -dSAFER sandbox bypass vulnerabilities.

  PR:		231148
  Security:	https://www.kb.cert.org/vuls/id/332928

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Li-Wen Hsu freebsd_committer freebsd_triage 2018-09-07 23:34:50 UTC
It seems that this update breaks doc build:

lwhsu@:~/freebsd-doc/en_US.ISO8859-1/articles/building-products > make
install /usr/home/lwhsu/freebsd-doc/share/xml/catalog-cwd.xml /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/catalog-cwd.xml
echo '<!ENTITY base "..">' >> /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/autogen.ent
env XML_CATALOG_FILES="file:///usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/catalog-cwd.xml  file:///usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/share/xml/catalog.xml  file:///usr/home/lwhsu/freebsd-doc/share/xml/catalog.xml  file:///usr/local/share/xml/catalog" /usr/local/bin/xmllint --nonet --noent --valid --dropdtd --xinclude /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/article.xml > article.parsed.xml.tmp
/bin/mv article.parsed.xml.tmp article.parsed.xml
/usr/bin/sed 's|@@URL_RELPREFIX@@|https://www.FreeBSD.org|g' < article.parsed.xml > article.parsed.print.xml
/usr/bin/sed -i '' -e 's|@@URL_RELPREFIX@@|../../../..|g' article.parsed.xml
tmpfile=$(mktemp /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps.XXXXXXXX);  groff -p -S -Wall -mtty-char -man /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.pic > $tmpfile && /bin/mv -f $tmpfile /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps
tmpfile=$(mktemp /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.eps.XXXXXXXX);  /usr/local/bin/gs -q -dNOPAUSE -dBATCH -dSAFER -dDELAYSAFER  -sPAPERSIZE=letter -r72 -sDEVICE=bbox  -sOutputFile=/dev/null  /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps > $tmpfile 2>&1;  /usr/bin/env outfile=$tmpfile /usr/local/bin/gs -q -dNOPAUSE -dSAFER -dDELAYSAFER  -sPAPERSIZE=letter -r72 -sDEVICE=bit  -sOutputFile=/dev/null  ps2epsi.ps < /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps 1>&2;  (echo "save countdictstack mark newpath /showpage {} def /setpagedevice {pop} def"; echo "%%EndProlog"; echo "%%Page: 1 1"; echo "%%BeginDocument: /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps"; ) >> $tmpfile;  /usr/bin/sed    -e '/^%%BeginPreview:/,/^%%EndPreview[^!-~]*$/d'  -e '/^%!PS-Adobe/d'  -e '/^%%[A-Za-z][A-Za-z]*[^!-~]*$/d' -e '/^%%[A-Za-z][A-Za-z]*: /d' < /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps >> $tmpfile;  (echo "%%EndDocument"; echo "%%Trailer"; echo "cleartomark countdictstack exch sub { end } repeat restore"; echo "%%EOF"; ) >> $tmpfile;  /bin/mv -f $tmpfile /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.eps
Error: /undefined in --setpagedevice--
Operand stack:
   false   false   --dict:1/1(L)--   --nostringval--   --dict:78/154(ro)(L)--   --dict:1/1(L)--   --dict:9/79(L)--   --dict:0/0(L)--   --dict:334/336(G)--   image8
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   2015   1   3   %oparray_pop   2014   1   3   %oparray_pop   1998   1   3   %oparray_pop   1884   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   2024   0   4   %oparray_pop   2022   0   4   %oparray_pop   --nostringval--   1977   2   4   %oparray_pop   --nostringval--   --nostringval--
Dictionary stack:
   --dict:985/1684(ro)(G)--   --dict:0/20(G)--   --dict:82/200(L)--   --dict:20/25(L)--
Current allocation mode is local
Current file position is 8580
GPL Ghostscript 9.24: Unrecoverable error, exit code 1
*** Error code 1

Stop.
make: stopped in /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products


Reverting to ghostscript9-agpl-base-9.23_1 helps.
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-09-08 10:03:33 UTC
A commit references this bug:

Author: tijl
Date: Sat Sep  8 10:02:24 UTC 2018
New revision: 479243
URL: https://svnweb.freebsd.org/changeset/ports/479243

Log:
  Add some upstream patches for regressions in 9.24.

  patch-010-bc3df07
  For ICC profile validation, have cups id itself as DeviceN.

  patch-020-c8c01f8, patch-030-1341854
  Add the ICCProfilesDir to the PermitReading list.

  patch-040-9528102
  Fix ps2epsi /undefined in --setpagedevice--.

  PR:		231148

Changes:
  head/print/ghostscript9-agpl-base/Makefile
  head/print/ghostscript9-agpl-base/files/patch-010-bc3df07
  head/print/ghostscript9-agpl-base/files/patch-020-c8c01f8
  head/print/ghostscript9-agpl-base/files/patch-030-1341854
  head/print/ghostscript9-agpl-base/files/patch-040-9528102
  head/print/ghostscript9-agpl-base/files/patch-Resource_Init_gs_init.ps
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-09-11 07:24:28 UTC
A commit references this bug:

Author: tijl
Date: Tue Sep 11 07:23:28 UTC 2018
New revision: 479506
URL: https://svnweb.freebsd.org/changeset/ports/479506

Log:
  MFH: r478951 r479032 r479243

  r478951:
  - Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to
    9.24.
  - Set USE_CSTD=gnu99 and eliminate a patch.
  - Add cpe string.
  - Patch configure to respect CFLAGS.

  r479032:
  Add a patch to give Ghostscript read permission on
  /usr/local/share/ghostscript/9.24/iccprofiles/* in -dSAFER mode.

  r479243:
  Add some upstream patches for regressions in 9.24.

  patch-010-bc3df07
  For ICC profile validation, have cups id itself as DeviceN.

  patch-020-c8c01f8, patch-030-1341854
  Add the ICCProfilesDir to the PermitReading list.

  patch-040-9528102
  Fix ps2epsi /undefined in --setpagedevice--.

  PR:		231148
  Approved by:	ports-secteam (eadler)
  Security:	https://www.kb.cert.org/vuls/id/332928

Changes:
_U  branches/2018Q3/
  branches/2018Q3/print/ghostscript9-agpl-base/Makefile
  branches/2018Q3/print/ghostscript9-agpl-base/distinfo
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-010-bc3df07
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-020-c8c01f8
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-030-1341854
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-040-9528102
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-base-stdpre.h
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-configure
  branches/2018Q3/print/ghostscript9-agpl-base/pkg-plist
  branches/2018Q3/print/ghostscript9-agpl-x11/Makefile
  branches/2018Q3/print/ghostscript9-agpl-x11/distinfo
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2018-09-21 02:16:33 UTC
Assign to committer that resolved