Created attachment 250805
Patch for ghostscript10

Adjust EXTRACT_AFTER_ARGS and remove + from CONFIGURE_ARGS

Fixes a bunch of CVEs:
CVE-2024-33869
CVE-2023-52722
CVE-2024-33870
CVE-2024-33871
CVE-2024-29510

Compiled and tested on FreeBSD 14.0-RELEASE (amd64) (make, make check-plist)
Poudriere testport OK 14.0-RELEASE (amd64)
Poudriere testport OK 13.2-RELEASE (amd64)

Tested with the following consumers in Poudriere (13.2-RELEASE amd64):
biology/vsearch
comms/opencbm
devel/aegis
devel/doxygen
devel/libexplain
devel/srecord
editors/texmacs
graphics/ImageMagick6
graphics/ImageMagick7
graphics/eps2png
graphics/graphviz
graphics/ocaml-images
graphics/pstoedit
lang/clisp
mail/claws-mail-pdf_viewer
math/R
math/asymptote
math/linbox
math/plplot
print/auctex
print/cups-filters
print/flpsed
print/foo2zjs
print/foomatic-filters
print/gspdf
print/gv
print/libspectre
print/lilypond
print/lilypond-devel
print/magicfilter
print/psdim
print/texlive-base
sysutils/LPRngTool
textproc/latex2html
textproc/pdftohtml
textproc/sowing

I have a few questions regarding the patch:
* What is the benefit for --exclude to have an absolute path? Isn't that the path inside the TAR file?
* Why --no-same-owner --no-same-permissions? Do other ports do this? What is the problem this solves for this port?
* You should be able to remove 90cabe08422afdd16bac5dd9217602679d943045.patch because it is upstream now, though one should double check the patched file.

The patch needs to stay because, for some reason, the issue isn't resolved in 10.03.1. Weird.
1. Safeguarding as patches anything (think *keyword*) which can result in unexpected results
2. To be consistent with the framework, https://cgit.freebsd.org/ports/tree/Mk/bsd.port.mk#n703
3. Yep, it still needs to be in there ;-)

Best regards,
Daniel

(In reply to Daniel Engberg from comment #3) All reasonable, please go ahead and apply the patch. Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a0c686ecd59adf69d2f01e354d87d9a30c8af84c

commit a0c686ecd59adf69d2f01e354d87d9a30c8af84c
Author: Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2024-05-26 06:59:28 +0000
Commit: Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2024-05-26 07:09:15 +0000

    print/ghostscript10: Update to 10.03.1

    Adjust EXTRACT_AFTER_ARGS and remove "+" from CONFIGURE_ARGS

    Changelog: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10031

    PR: 279156
    Reviewed by: michaelo (maintainer)

 print/ghostscript10/Makefile | 37 ++++++++++++++++++-------------------
 print/ghostscript10/distinfo | 6 +++---
 2 files changed, 21 insertions(+), 22 deletions(-)

Committed, thanks!
(In reply to Daniel Engberg from comment #6) This should also land on quarterly due to the CVEs, no?