* [Buildroot] [PATCH v2 1/2] package/ghostscript: fix static build errors
From: Bernd Kuhls @ 2019-08-18 10:14 UTC (permalink / raw)
To: buildroot
Patch 0003 fixes a bug which occurred with pkgconfig enabled.
Patch 0004 fixes the linking error with libidn.
Fixes:
http://autobuild.buildroot.net/results/45a/45a94a494eb2b719ac338d2e734753b11a4a0144/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
v2: added BUILD_PKGCONFIG=/bin/false (Thomas)
fixed fontconfig/freetype linking error caused by using pkgconfig
updated libidn detection (Thomas)
.../ghostscript/0003-pkgconf-libs-only.patch | 28 ++++++++++
.../ghostscript/0004-pkgconfig-libidn.patch | 53 +++++++++++++++++++
package/ghostscript/ghostscript.mk | 3 ++
3 files changed, 84 insertions(+)
create mode 100644 package/ghostscript/0003-pkgconf-libs-only.patch
create mode 100644 package/ghostscript/0004-pkgconfig-libidn.patch
diff --git a/package/ghostscript/0003-pkgconf-libs-only.patch b/package/ghostscript/0003-pkgconf-libs-only.patch
new file mode 100644
index 0000000000..8518c3b1f1
--- /dev/null
+++ b/package/ghostscript/0003-pkgconf-libs-only.patch
@@ -0,0 +1,28 @@
+fix build with pkg-config enabled
+
+Patch sent upstream:
+https://bugs.ghostscript.com/show_bug.cgi?id=701440
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+diff -uNr ghostscript-9.27.old/configure.ac ghostscript-9.27/configure.ac
+--- ghostscript-9.27.old/configure.ac 2019-04-04 09:43:14.000000000 +0200
++++ ghostscript-9.27/configure.ac 2019-08-18 11:32:50.163910476 +0200
+@@ -853,7 +853,7 @@
+ if $PKGCONFIG --exists fontconfig; then
+ AC_MSG_RESULT(yes)
+ FONTCONFIG_CFLAGS="$CFLAGS `$PKGCONFIG --cflags fontconfig`"
+- FONTCONFIG_LIBS="`$PKGCONFIG --libs fontconfig`"
++ FONTCONFIG_LIBS="`$PKGCONFIG --libs-only-l fontconfig`"
+ HAVE_FONTCONFIG=-DHAVE_FONTCONFIG
+ else
+ AC_MSG_RESULT(no)
+@@ -996,7 +996,7 @@
+ if $PKGCONFIG --atleast-version=12.0.6 freetype2; then
+ AC_MSG_RESULT(yes)
+ FT_CFLAGS="$CFLAGS `$PKGCONFIG --cflags freetype2`"
+- FT_LIBS="`$PKGCONFIG --libs freetype2`"
++ FT_LIBS="`$PKGCONFIG --libs-only-l freetype2`"
+ FT_BRIDGE=1
+ SHARE_FT=1
+ else
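Review bot: `--libs-only-l` on the FONTCONFIG_LIBS and FT_LIBS lines discards every token of the pkg-config output that is not a `-l` option, so `-L` search paths and any other linker flags listed in the .pc files never reach the link line. Suggest keeping `--libs` and fixing whatever consumes these variables instead, and expanding the one-line description "fix build with pkg-config enabled" to name the failing build step and its error, since nothing in the hunk shows what actually breaks.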
diff --git a/package/ghostscript/0004-pkgconfig-libidn.patch b/package/ghostscript/0004-pkgconfig-libidn.patch
new file mode 100644
index 0000000000..6fcef0f3e5
--- /dev/null
+++ b/package/ghostscript/0004-pkgconfig-libidn.patch
@@ -0,0 +1,53 @@
+fix static build with libidn
+
+Patch sent upstream:
+https://bugs.ghostscript.com/show_bug.cgi?id=701439
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+diff -uNr ghostscript-9.27.old/configure.ac ghostscript-9.27/configure.ac
+--- ghostscript-9.27.old/configure.ac 2019-04-04 09:43:14.000000000 +0200
++++ ghostscript-9.27/configure.ac 2019-08-18 12:01:38.779728836 +0200
+@@ -790,22 +790,31 @@
+ [Do not use libidn to support Unicode passwords])],,
+ [with_libidn=maybe])
+ if test x$with_libidn != xno; then
+- AC_CHECK_LIB(idn, stringprep, [
+- with_libidn=no
+- AC_CHECK_HEADER([stringprep.h], [with_libidn=yes])
+- ], [
+- if test x$with_libidn != xmaybe; then
+- AC_MSG_ERROR([libidn not found])
++ if test "x$PKGCONFIG" != x; then
++ AC_MSG_CHECKING(for libidn with pkg-config)
++ if $PKGCONFIG --exists libidn; then
++ AC_MSG_RESULT(yes)
++ LIBS="$LIBS `$PKGCONFIG --libs libidn`"
++ HAVE_LIBIDN=-DHAVE_LIBIDN
++ else
++ AC_MSG_RESULT(no)
++ fi
++ fi
++ if test -z "$HAVE_LIBIDN"; then
++ AC_CHECK_LIB(idn, stringprep, [
++ with_libidn=no
++ AC_CHECK_HEADER([stringprep.h], [with_libidn=yes])
++ ], [
++ if test x$with_libidn != xmaybe; then
++ AC_MSG_ERROR([libidn not found])
++ fi
++ with_libidn=no
++ ])
+ fi
+- with_libidn=no
+- ])
+ fi
+ HAVE_LIBIDN=''
+ UTF8DEVS=''
+ if test x$with_libidn != xno; then
+- HAVE_LIBIDN=-DHAVE_LIBIDN
+- LIBS="$LIBS -lidn"
+-
+ if test x$found_iconv != xno; then
+ UTF8DEVS='$(PSD)utf8.dev'
+ fi
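Review bot: the unchanged context line `HAVE_LIBIDN=''` still runs after the new detection block, so the `HAVE_LIBIDN=-DHAVE_LIBIDN` set in the pkg-config branch is cleared again before it can be used. The hunk also removes `HAVE_LIBIDN=-DHAVE_LIBIDN` and `LIBS="$LIBS -lidn"` from the later `if test x$with_libidn != xno` block, and AC_CHECK_LIB with an explicit action-if-found does not add `-lidn` to LIBS itself, so the fallback path neither defines the macro nor links libidn. Suggest moving the `HAVE_LIBIDN=''` initialisation above the detection block (which also stops `test -z "$HAVE_LIBIDN"` from depending on the caller's environment) and keeping the two removed assignments for the AC_CHECK_LIB case.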
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index fefac2aee3..42af344878 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -10,6 +10,8 @@ GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
GHOSTSCRIPT_LICENSE = AGPL-3.0
GHOSTSCRIPT_LICENSE_FILES = LICENSE
# 0001-Fix-cross-compilation-issue.patch
+# 0003-pkgconf-libs-only.patch
+# 0004-pkgconfig-libidn.patch
GHOSTSCRIPT_AUTORECONF = YES
GHOSTSCRIPT_DEPENDENCIES = \
host-lcms2 \
@@ -33,6 +35,7 @@ endef
GHOSTSCRIPT_POST_PATCH_HOOKS += GHOSTSCRIPT_REMOVE_LIBS
GHOSTSCRIPT_CONF_ENV = \
+ BUILD_PKGCONFIG=/bin/false \
CCAUX="$(HOSTCC)" \
CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)"
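Review bot: `BUILD_PKGCONFIG=/bin/false` is added to GHOSTSCRIPT_CONF_ENV without any explanation, and neither the commit message nor the two configure.ac patches mention BUILD_PKGCONFIG. Suggest a comment above the assignment saying which part of the ghostscript build reads this variable and why it has to fail for the host-side tools, so the setting is not dropped as dead code on a later version bump.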
--
2.20.1
* [Buildroot] [PATCH 2/2] package/ghostscript: add upstream security fix for CVE-2019-10216
From: Bernd Kuhls @ 2019-08-18 10:14 UTC (permalink / raw)
To: buildroot
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
package/ghostscript/0005-CVE-2019-10216.patch | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 package/ghostscript/0005-CVE-2019-10216.patch
diff --git a/package/ghostscript/0005-CVE-2019-10216.patch b/package/ghostscript/0005-CVE-2019-10216.patch
new file mode 100644
index 0000000000..2d624cd17b
--- /dev/null
+++ b/package/ghostscript/0005-CVE-2019-10216.patch
@@ -0,0 +1,49 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 14:18:26 +0000 (+0100)
+Subject: Bug 701394: protect use of .forceput with executeonly
+X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=5b85ddd19a8420a1bd2d5529325be35d78e94234
+
+Bug 701394: protect use of .forceput with executeonly
+
+Fixes CVE-2019-10216
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735b..a039cce 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+ ( to be the same as glyph: ) print 1 index //== exec } if
+ 3 index exch 3 index .forceput
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+ {pop} ifelse
+- } forall
++ } executeonly forall
+ pop pop
+- }
++ } executeonly
+ {
+ pop pop pop
+ } ifelse
+- }
++ } executeonly
+ {
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ 3 1 roll pop pop
+- } if
++ } executeonly if
+ pop
+ dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+ %% are errors we can put the stack back sanely and exit. Otherwise callers won't
--
2.20.1
* [Buildroot] [PATCH v2 1/2] package/ghostscript: fix static build errors
From: Thomas Petazzoni @ 2019-08-19 12:50 UTC (permalink / raw)
To: buildroot
Hello Bernd,
Thanks for coming up with this new version. See below for some
questions.
On Sun, 18 Aug 2019 12:14:05 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:
> diff --git a/package/ghostscript/0003-pkgconf-libs-only.patch b/package/ghostscript/0003-pkgconf-libs-only.patch
> new file mode 100644
> index 0000000000..8518c3b1f1
> --- /dev/null
> +++ b/package/ghostscript/0003-pkgconf-libs-only.patch
> @@ -0,0 +1,28 @@
> +fix build with pkg-config enabled
This commit description is too short. What is happening exactly?
> +
> +Patch sent upstream:
> +https://bugs.ghostscript.com/show_bug.cgi?id=701440
> +
> +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> +
> +diff -uNr ghostscript-9.27.old/configure.ac ghostscript-9.27/configure.ac
> +--- ghostscript-9.27.old/configure.ac 2019-04-04 09:43:14.000000000 +0200
> ++++ ghostscript-9.27/configure.ac 2019-08-18 11:32:50.163910476 +0200
> +@@ -853,7 +853,7 @@
> + if $PKGCONFIG --exists fontconfig; then
> + AC_MSG_RESULT(yes)
> + FONTCONFIG_CFLAGS="$CFLAGS `$PKGCONFIG --cflags fontconfig`"
> +- FONTCONFIG_LIBS="`$PKGCONFIG --libs fontconfig`"
> ++ FONTCONFIG_LIBS="`$PKGCONFIG --libs-only-l fontconfig`"
There are plenty of other places besides those two fontconfig/freetype
cases where PKGCONFIG --libs gets used. Why aren't these other places
also a problem? What is the actual problem?
Using --libs-only-l is potentially wrong, as it could be missing some
important flags needed at link time.
> GHOSTSCRIPT_CONF_ENV = \
> + BUILD_PKGCONFIG=/bin/false \
A comment here above this would be useful, as it's kind of tricky to
understand why we're passing /bin/false here.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH v2 1/2] package/ghostscript: fix static build errors
From: Bernd Kuhls @ 2019-08-21 16:05 UTC (permalink / raw)
To: buildroot
On Mon, 19 Aug 2019 14:50:08 +0200, Thomas Petazzoni wrote:
> There are plenty of other places besides those two fontconfig/freetype
> cases where PKGCONFIG --libs gets used. Why aren't these other places
> also a problem? What is the actual problem?
Hi,
upstream responded to my patch and will need more time to investigate:
https://bugs.ghostscript.com/show_bug.cgi?id=701439#c2
I think the genconf binary, built for the host, has problems dealing with
the output of PKGCONFIG --libs; using --libs-only-l was just a hack to
demonstrate that the problem is with genconf and not with configure/make.
As someone unfamiliar with the internals of the ghostscript
build system, I prefer to wait for upstream to fix the bug, so marking
http://patchwork.ozlabs.org/patch/1148830/ with "Changes requested" is ok.
But I reopened http://patchwork.ozlabs.org/patch/1148831/ because this
patch fixes a CVE unrelated to the build problem.
Regards, Bernd