Message ID | 20210216191247.6715-2-vincent.legoll@gmail.com |
---|---|
State | Accepted |
Series | ghostscript update |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | fail | View Laminar job |
cbaines/issue | success | View issue |
On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source](patches): Remove it.
> [native-inputs]: Add jbig2dec.

Thanks!

$ guix show jbig2dec | grep synopsis
synopsis: Decoder of the JBIG2 image compression format

It seems like it would be a run-time dependency, not just something used
to build ghostscript. In that case it would be an 'input', not a
'native-input'. What do you think?

Also, the idiomatic commit message would be like this:

------
gnu: ghostscript: Update to 9.53.3.

* gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
[source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
[native-inputs]: Add jbig2dec.
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
------

On Sat, Feb 20, 2021 at 7:25 PM Leo Famulari <leo@famulari.name> wrote:
> On Tue, Feb 16, 2021 at 08:12:47PM +0100, Vincent Legoll wrote:
> > * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Remove file.
> > * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
> > * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> > [source](patches): Remove it.
> > [native-inputs]: Add jbig2dec.
>
> Thanks!
>
> $ guix show jbig2dec | grep synopsis
> synopsis: Decoder of the JBIG2 image compression format
>
> It seems like it would be a run-time dependency, not just something used
> to build ghostscript. In that case it would be an 'input', not a
> 'native-input'. What do you think?
>
> Also, the idiomatic commit message would be like this:
>
> ------
> gnu: ghostscript: Update to 9.53.3.
>
> * gnu/packages/ghostscript.scm (ghostscript): Update to 9.53.3.
> [source]: Remove obsolete patch 'ghostscript-CVE-2020-15900.patch'.
> [native-inputs]: Add jbig2dec.
> * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.
> ------

Thanks, I'll double check and update the patch & commitmsg.

OK, now that I've looked at it some more, the native-input addition was a mistake (jbig2dec was already in inputs, which is how I knew it needed to be updated for gs-9.5.53 in the first place). So sorry for that, the following has that fixed and your commit msg. Thanks
diff --git a/gnu/local.mk b/gnu/local.mk index b9757fe69e..3caa6c6fc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1061,7 +1061,6 @@ dist_patch_DATA = \ %D%/packages/patches/ghc-monad-par-fix-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-html-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-latex-test.patch \ - %D%/packages/patches/ghostscript-CVE-2020-15900.patch \ %D%/packages/patches/ghostscript-freetype-compat.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 19430d315a..53a631b095 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -160,7 +160,7 @@ printing, and psresize, for adjusting page sizes.") (define-public ghostscript (package (name "ghostscript") - (version "9.52") + (version "9.53.3") (source (origin (method url-fetch) @@ -170,9 +170,8 @@ printing, and psresize, for adjusting page sizes.") "/ghostscript-" version ".tar.xz")) (sha256 (base32 - "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p")) + "0d52w9ajv1rz533119ywgmkzkapp74riwny0d21v0zkcbg45p7ww")) (patches (search-patches "ghostscript-freetype-compat.patch" - "ghostscript-CVE-2020-15900.patch" "ghostscript-no-header-creationdate.patch" "ghostscript-no-header-id.patch" "ghostscript-no-header-uuid.patch")) @@ -271,6 +270,7 @@ printing, and psresize, for adjusting page sizes.") ("pkg-config" ,pkg-config) ;needed for freetype ("python" ,python-minimal-wrapper) ("tcl" ,tcl) + ("jbig2dec" ,jbig2dec) ;; When cross-compiling, some of the natively-built tools require all ;; these libraries. diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch deleted file mode 100644 index b6658d7c7f..0000000000 --- a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Fix CVE-2020-15900. - -https://cve.circl.lu/cve/CVE-2020-15900 -https://artifex.com/security-advisories/CVE-2020-15900 - -Taken from upstream: -https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b - -diff --git a/psi/zstring.c b/psi/zstring.c ---- a/psi/zstring.c -+++ b/psi/zstring.c -@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) - return 0; - found: - op->tas.type_attrs = op1->tas.type_attrs; -- op->value.bytes = ptr; -- r_set_size(op, size); -+ op->value.bytes = ptr; /* match */ -+ op->tas.rsize = size; /* match */ - push(2); -- op[-1] = *op1; -- r_set_size(op - 1, ptr - op[-1].value.bytes); -- op1->value.bytes = ptr + size; -- r_set_size(op1, count + (!forward ? (size - 1) : 0)); -+ op[-1] = *op1; /* pre */ -+ op[-3].value.bytes = ptr + size; /* post */ -+ if (forward) { -+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ -+ op[-3].tas.rsize = count; /* post */ -+ } else { -+ op[-1].tas.rsize = count; /* pre */ -+ op[-3].tas.rsize -= count + size; /* post */ -+ } - make_true(op); - return 0; - }
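
Review bot: In gnu/packages/ghostscript.scm, hunk @@ -170,9 +170,8 @@, the "ghostscript-CVE-2020-15900.patch" entry is dropped from search-patches without any statement that 9.53.3 already carries the fix. The deleted patch file cites upstream commit 5d499272b95a6b890a1397e11d20937de000d31b, which changes search_impl in psi/zstring.c; the commit message should say that this change is included in the new release, and it is worth confirming that against psi/zstring.c in the unpacked 9.53.3 source before the patch is removed from the origin.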
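
Review bot: In gnu/packages/ghostscript.scm, hunk @@ -271,6 +270,7 @@, the added line ("jbig2dec" ,jbig2dec) lands beside pkg-config, python and tcl, directly above the ";; When cross-compiling, some of the natively-built tools require all" comment, which matches the "[native-inputs]: Add jbig2dec." entry in the commit message. The discussion above questions whether a JBIG2 decoder belongs in native-inputs at all, and the follow-up message states that jbig2dec was already in inputs, so this line should be dropped from the revised patch and the "[native-inputs]" entry removed from the commit message.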