Created attachment 196848
patch

- Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to 9.24.
- Set USE_CSTD=gnu99 and eliminate a patch.
- Add cpe string.
- Patch configure to respect CFLAGS.

This release contains fixes for severe security problems so please fast-track this.

https://www.kb.cert.org/vuls/id/332928
CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911
Approved, please commit it. Marc with doceng hat.
A commit references this bug:

Author: tijl
Date: Tue Sep 4 12:28:46 UTC 2018
New revision: 478951
URL: https://svnweb.freebsd.org/changeset/ports/478951

Log:
  - Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to 9.24.
  - Set USE_CSTD=gnu99 and eliminate a patch.
  - Add cpe string.
  - Patch configure to respect CFLAGS.

  PR: 231148
  Approved by: doceng (blackend)
  Security: https://www.kb.cert.org/vuls/id/332928

Changes:
  head/print/ghostscript9-agpl-base/Makefile
  head/print/ghostscript9-agpl-base/distinfo
  head/print/ghostscript9-agpl-base/files/patch-base-stdpre.h
  head/print/ghostscript9-agpl-base/files/patch-configure
  head/print/ghostscript9-agpl-base/pkg-plist
  head/print/ghostscript9-agpl-x11/Makefile
  head/print/ghostscript9-agpl-x11/distinfo
A commit references this bug:

Author: tijl
Date: Tue Sep 4 12:47:09 UTC 2018
New revision: 478953
URL: https://svnweb.freebsd.org/changeset/ports/478953

Log:
  Document Ghostscript -dSAFER sandbox bypass vulnerabilities.

  PR: 231148
  Security: https://www.kb.cert.org/vuls/id/332928

Changes:
  head/security/vuxml/vuln.xml
It seems that this update breaks doc build:

lwhsu@:~/freebsd-doc/en_US.ISO8859-1/articles/building-products > make install
/usr/home/lwhsu/freebsd-doc/share/xml/catalog-cwd.xml /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/catalog-cwd.xml
echo '<!ENTITY base "..">' >> /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/autogen.ent
env XML_CATALOG_FILES="file:///usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/catalog-cwd.xml file:///usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/share/xml/catalog.xml file:///usr/home/lwhsu/freebsd-doc/share/xml/catalog.xml file:///usr/local/share/xml/catalog" /usr/local/bin/xmllint --nonet --noent --valid --dropdtd --xinclude /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/article.xml > article.parsed.xml.tmp
/bin/mv article.parsed.xml.tmp article.parsed.xml
/usr/bin/sed 's|@@URL_RELPREFIX@@|https://www.FreeBSD.org|g' < article.parsed.xml > article.parsed.print.xml
/usr/bin/sed -i '' -e 's|@@URL_RELPREFIX@@|../../../..|g' article.parsed.xml
tmpfile=$(mktemp /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps.XXXXXXXX); groff -p -S -Wall -mtty-char -man /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.pic > $tmpfile && /bin/mv -f $tmpfile /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps
tmpfile=$(mktemp /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.eps.XXXXXXXX); /usr/local/bin/gs -q -dNOPAUSE -dBATCH -dSAFER -dDELAYSAFER -sPAPERSIZE=letter -r72 -sDEVICE=bbox -sOutputFile=/dev/null /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps > $tmpfile 2>&1; /usr/bin/env outfile=$tmpfile /usr/local/bin/gs -q -dNOPAUSE -dSAFER -dDELAYSAFER -sPAPERSIZE=letter -r72 -sDEVICE=bit -sOutputFile=/dev/null ps2epsi.ps < /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps 1>&2; (echo "save countdictstack mark newpath /showpage {} def /setpagedevice {pop} def"; echo "%%EndProlog"; echo "%%Page: 1 1"; echo "%%BeginDocument: /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps"; ) >> $tmpfile; /usr/bin/sed -e '/^%%BeginPreview:/,/^%%EndPreview[^!-~]*$/d' -e '/^%!PS-Adobe/d' -e '/^%%[A-Za-z][A-Za-z]*[^!-~]*$/d' -e '/^%%[A-Za-z][A-Za-z]*: /d' < /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.ps >> $tmpfile; (echo "%%EndDocument"; echo "%%Trailer"; echo "cleartomark countdictstack exch sub { end } repeat restore"; echo "%%EOF"; ) >> $tmpfile; /bin/mv -f $tmpfile /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products/../../../share/images/articles/building-products/freebsd-branches.eps
Error: /undefined in --setpagedevice--
Operand stack:
   false false --dict:1/1(L)-- --nostringval-- --dict:78/154(ro)(L)-- --dict:1/1(L)-- --dict:9/79(L)-- --dict:0/0(L)-- --dict:334/336(G)-- image8
Execution stack:
   %interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 2015 1 3 %oparray_pop 2014 1 3 %oparray_pop 1998 1 3 %oparray_pop 1884 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- 2024 0 4 %oparray_pop 2022 0 4 %oparray_pop --nostringval-- 1977 2 4 %oparray_pop --nostringval-- --nostringval--
Dictionary stack:
   --dict:985/1684(ro)(G)-- --dict:0/20(G)-- --dict:82/200(L)-- --dict:20/25(L)--
Current allocation mode is local
Current file position is 8580
GPL Ghostscript 9.24: Unrecoverable error, exit code 1
*** Error code 1

Stop.
make: stopped in /usr/home/lwhsu/freebsd-doc/en_US.ISO8859-1/articles/building-products

Reverting to ghostscript9-agpl-base-9.23_1 helps.
A commit references this bug:

Author: tijl
Date: Sat Sep 8 10:02:24 UTC 2018
New revision: 479243
URL: https://svnweb.freebsd.org/changeset/ports/479243

Log:
  Add some upstream patches for regressions in 9.24.

  patch-010-bc3df07
    For ICC profile validation, have cups id itself as DeviceN.
  patch-020-c8c01f8, patch-030-1341854
    Add the ICCProfilesDir to the PermitReading list.
  patch-040-9528102
    Fix ps2epsi /undefined in --setpagedevice--.

  PR: 231148

Changes:
  head/print/ghostscript9-agpl-base/Makefile
  head/print/ghostscript9-agpl-base/files/patch-010-bc3df07
  head/print/ghostscript9-agpl-base/files/patch-020-c8c01f8
  head/print/ghostscript9-agpl-base/files/patch-030-1341854
  head/print/ghostscript9-agpl-base/files/patch-040-9528102
  head/print/ghostscript9-agpl-base/files/patch-Resource_Init_gs_init.ps
A commit references this bug:

Author: tijl
Date: Tue Sep 11 07:23:28 UTC 2018
New revision: 479506
URL: https://svnweb.freebsd.org/changeset/ports/479506

Log:
  MFH: r478951 r479032 r479243

  r478951:
  - Update print/ghostscript9-agpl-base and print/ghostscript9-agpl-x11 to 9.24.
  - Set USE_CSTD=gnu99 and eliminate a patch.
  - Add cpe string.
  - Patch configure to respect CFLAGS.

  r479032:
  Add a patch to give Ghostscript read permission on
  /usr/local/share/ghostscript/9.24/iccprofiles/* in -dSAFER mode.

  r479243:
  Add some upstream patches for regressions in 9.24.

  patch-010-bc3df07
    For ICC profile validation, have cups id itself as DeviceN.
  patch-020-c8c01f8, patch-030-1341854
    Add the ICCProfilesDir to the PermitReading list.
  patch-040-9528102
    Fix ps2epsi /undefined in --setpagedevice--.

  PR: 231148
  Approved by: ports-secteam (eadler)
  Security: https://www.kb.cert.org/vuls/id/332928

Changes:
  _U branches/2018Q3/
  branches/2018Q3/print/ghostscript9-agpl-base/Makefile
  branches/2018Q3/print/ghostscript9-agpl-base/distinfo
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-010-bc3df07
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-020-c8c01f8
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-030-1341854
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-040-9528102
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-base-stdpre.h
  branches/2018Q3/print/ghostscript9-agpl-base/files/patch-configure
  branches/2018Q3/print/ghostscript9-agpl-base/pkg-plist
  branches/2018Q3/print/ghostscript9-agpl-x11/Makefile
  branches/2018Q3/print/ghostscript9-agpl-x11/distinfo
Assign to committer that resolved