Pick commit mentioned in the NVD report.
(From OE-Core rev: a63bb2ccc8294c8a97f5957f1ca9f0a4880713ac)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in the NVD report.
(From OE-Core rev: 2f1d5b9ad1af6d2b28e9e7b46aadd879a67b8fc6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in the NVD report.
(From OE-Core rev: 4a2f47d9541d7a13da7a9ce16bd5088870c45ec4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Set CVE_STATUS as none of the issues apply against the versions
used in the recipes.
(From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The license of ghostscript has switched to Affero GPL since version 9.07
via commit:
* 3cc5318 Switch Ghostscript/GhostPDL to Affero GPL
https://github.com/ArtifexSoftware/ghostpdl/commit/3cc5318
Correct it with `AGPL-3.0-or-later`.
(From OE-Core rev: 7dec33a8026d9aa96177060b13bb63d74eeb4855)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libgs is e.g. needed to build ghostscript support for gimp
also install the data target
(From OE-Core rev: cedd211d8b73076d1ef6f32af1c59e87a436d637)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable neon if the machine does not support it.
(From OE-Core rev: 22d40fcb984849bc8735bf03b306c3a3b11eb779)
Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ghostscript recipe isn't vulnerable to CVE-2023-38560, as this is an
issue in the GhostPCL release, whereas this recipe is the Ghostscript
release.
(From OE-Core rev: f82a13beabc784da1455f86064ce9f0f225b6e5a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE now has a version range, indicating that this Ghostscript
release isn't vulnerable.
(From OE-Core rev: da6d0763a7fb9c7a322bf5964f8abdf6bed7e219)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This started as a patch cleanup but escalated rapidly.
Remove unneeded patches:
- mkdir-p.patch isn't needed now the Makefiles appear to have the correct
dependencies.
- ghostscript-9.15-parallel-make.patch appears to be unneeded for the same
reason
- base-genht.c-add-a-preprocessor-define-to-allow-fope.patch isn't needed
- cups-no-gcrypt.patch isn't needed
- do-not-check-local-libpng-source.patch can be replaced by deleting
the libpng/ directory, as is already done for jpeg/
- ghostscript-9.21-native-fix-disable-system-libtiff.patch is not needed
when we stop doing native builds (see below)
Remove the need for ghostscript-native to build and install tools that
are needed at target build-time: ghostscript can do this itself. Remove
the BBCLASSEXTEND and all of the native overrides.
Inherit pkgconfig and explicitly tell configure to use the pkgconfig
binary: unless told otherwise this configure will refuse to use an
unprefixed pkgconfig in cross builds.
Review DEPENDS and add missing freetype and zlib dependencies.
Ghostscript will use the embedded copies of libraries over system
libraries, so extend the deletion of jpeg and libpng to include expat,
freetype, and cups as we want to link to our build of those. We can't
delete zlib as it is explicitly used when building the native tools.
Add PACKAGECONFIGs for optional libidn and libpaper dependencies.
Remove HAVE_SYS_TIME_H assignments, the upstream bug was fixed in 2011.
Clean up comments: there's no need to explain how to use PACKAGECONFIG,
and justify the use of autotools-brokensep.
(From OE-Core rev: b62e6d676ce2075a52eea729957f186cfb3bd42b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop the merged fix for CVE-2023-28879.
(From OE-Core rev: 659b0cf41db00420366d0eca103f16922c2c5d72)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport from tag ghostpdl-10.01.1-gse-10174 which is
after 10.01.1.
(From OE-Core rev: 8a70d6935afa38173dbf012b8e1c3d59228504df)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop --without-jbig2dec as it is now required by pdf support
and jbig2dec library is in ghostscript's source tree.
(From OE-Core rev: 761a17b7beab248056b69b9c3d84b1ddc4d2082d)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch has been added here
https://git.yoctoproject.org/poky/commit/?id=ca63a0158ae42010477080ad6bb776329f1230b0
and isn't necessary anymore, as cross compilation works fine
without it.
(From OE-Core rev: 37e521d8a5d1a89ba46d5058bc9c86cbe2195652)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jbig2dec seems no longer optional; the source for it
is bundled with ghostscript.
License-Update: removed patent references
(From OE-Core rev: 44a3bea7e8fedbc76b6e8f97e1f669def81e158a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
(From OE-Core rev: 8556d6a6722f21af5e6f97589bec3cbd31da206c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ghostscript-9.15-parallel-make.patch rebased; one of the
chunks removed upstream.
Remove bundled jpeg source, as that seems to be the only way
to get ghostscript to fall back to system jpeg library.
(From OE-Core rev: ad8c8ffc5a008872d40a36ea825da30accd6a11a)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This should have been removed in a previous change but was accidentally
left behind and points at an invalid directory.
(From OE-Core rev: 9d6ce24207189c711099f45265b240d0cdc0e686)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop all custom objarch.h files; ghostscript nowadays generates
that with autoconf.
Freetype can no longer be disabled.
Building out of source tree is broken.
(From OE-Core rev: bb699a99b2e99a868520430c614d55ea3004427c)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Due to recent changes to the tune, in order to match config.guess, the name
of the big-endian microblaze architecture was changed to 'microblaze'.
(From OE-Core rev: 6f6a6bbac684ead3fe6d070d61f17c2f611a2c87)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A flaw was found in all versions of ghostscript 9.x before 9.28,
in the `.charkeys` procedure, where it did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER` restrictions.
An attacker could abuse this flaw by creating a specially crafted
PostScript file that could escalate privileges within the Ghostscript
and access files outside of restricted areas or execute commands.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14869
Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904
(From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c)
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
OE does not provide libpaper recipe, and the configure check looks for
libpaper if not disabled, this causes problems especially when shared
state is built on a machine which has libpaper installed on host but the
consumer machine although running same OS, but does not have libpaper
installed, the artifact from sstate are re-used but then native binary
./obj/aux/packps fails to execute
./obj/aux/packps: error while loading shared libraries: libpaper.so.1: cannot open shared object file: No such file or directory
So either we need to provide libpaper in OE or we disable it, disabling
is best for now
(From OE-Core rev: 11e85220d97299be5f65d5208ec21d4ad215317a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A flaw was found in ghostscript versions prior to 9.28,
in the .pdf_hook_DSC_Creator procedure where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.
A flaw was found in ghostscript versions prior to 9.28,
in the .pdfexectoken and other procedures where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14811
https://nvd.nist.gov/vuln/detail/CVE-2019-14817
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
(From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c)
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>