Univention Bugzilla – Bug 48769
ghostscript: Multiple issues (4.2)
Last modified: 2019-02-27 14:06:46 CET
New Debian ghostscript 9.26a~dfsg-0+deb8u1 fixes:

This update addresses the following issue:
* subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116)
--- mirror/ftp/4.2/unmaintained/component/4.2-5-errata/source/ghostscript_9.06~dfsg-2+deb8u13.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/ghostscript_9.26a~dfsg-0+deb8u1.dsc 
@@ -1,63 +1,113 @@ -9.06~dfsg-2+deb8u13 [Thu, 27 Dec 2018 13:26:27 +0000] Lucas Kanashiro <kanashiro@debian.org>: - - * Non-maintainer upload by the Debian LTS team. - * Fix CVE-2018-19134: the setpattern operator did not properly validate certain - types. A specially crafted PostScript document could exploit this to crash - Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript - process. This is a type confusion issue because of failure to check whether the - Implementation of a pattern dictionary was a structure type. - * Fix CVE-2018-19478: Attempting to open a carefully crafted PDF file results in - long-running computation. - -9.06~dfsg-2+deb8u12 [Wed, 28 Nov 2018 14:41:28 +0100] Markus Koschany <apo@debian.org>: +9.26a~dfsg-0+deb8u1 [Tue, 29 Jan 2019 10:46:45 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: * Non-maintainer upload by the LTS team. - * Fix CVE-2018-19409, CVE-2018-19475, CVE-2018-19476 and CVE-2018-19477. - Several security vulnerabilities were discovered in Ghostscript, an - interpreter for the PostScript language, which could result in denial of - service, the creation of files or the execution of arbitrary code if a - malformed Postscript file is processed (despite the dSAFER sandbox being - enabled). - -9.06~dfsg-2+deb8u11 [Mon, 22 Oct 2018 12:50:48 +0200] Markus Koschany <apo@debian.org>: - - * Non-maintainer upload by the LTS team. - * Fix CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284: - This is a follow-up update for the recently discovered -dSAFER issues - reported by Tavis Ormandy. - Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an - interpreter for the PostScript language, which could result in denial of - service, the creation of files or the execution of arbitrary code if a - malformed Postscript file is processed (despite the dSAFER sandbox being - enabled). 
- -9.06~dfsg-2+deb8u10 [Mon, 01 Oct 2018 12:20:22 +0200] Markus Koschany <apo@debian.org>: - - * Berkeley Roshan Churchill reported a regression caused by an incomplete fix - for CVE-2018-16543. The pdf2ps tool failed to produce any output and - aborted with /rangecheck in .installpagedevice error. (Closes: #909999) - -9.06~dfsg-2+deb8u9 [Wed, 26 Sep 2018 15:24:02 +0200] Markus Koschany <apo@debian.org>: - - * Fix CVE-2018-16543 and CVE-2018-17183: - This is a follow-up update for the recently discovered -dSAFER issues - reported by Tavis Ormandy. - Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an - interpreter for the PostScript language, which could result in denial of - service, the creation of files or the execution of arbitrary code if a - malformed Postscript file is processed (despite the dSAFER sandbox being - enabled). - -9.06~dfsg-2+deb8u8 [Thu, 13 Sep 2018 13:07:02 +0200] Markus Koschany <apo@debian.org>: - - * Non-maintainer upload by the LTS team. - * Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an - interpreter for the PostScript language, which could result in denial of - service, the creation of files or the execution of arbitrary code if a - malformed Postscript file is processed (despite the dSAFER sandbox being - enabled). - -9.06~dfsg-2+deb8u7 [Sun, 29 Apr 2018 11:58:34 +0200] Salvatore Bonaccorso <carnil@debian.org>: + * Backport ghostscript 9.26a to jessie. + * Use openjpeg2 rather than jasper as the latter is no longer supported. + +9.26a~dfsg-0+deb9u1 [Thu, 24 Jan 2019 22:49:29 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * New upstream version 9.26a~dfsg + + Includes fix for CVE-2019-6116 + * Temporarily split ABI at ~ (not a). + * Update symbols: 1 private added + +9.26~dfsg-0+deb9u2 [Sun, 23 Dec 2018 11:15:43 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. 
+ * Add patches cherry-picked upstream to fix segfault with certain PDFs with + -dLastPage=1. (Closes: #915832) + +9.26~dfsg-0+deb9u1 [Sat, 24 Nov 2018 23:32:54 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * New upstream version 9.26~dfsg + + Includes fixes for the following security vulnerabilities: + CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477 + * Drop patches cherry-picked upstream now applied + * Unfuzz patch 2009. + * Update symbols: 12 private added. + +9.25~dfsg-0+deb9u1 [Thu, 08 Nov 2018 16:06:47 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * New upstream version 9.25~dfsg + + Fixes regression using ps2ascii after fix for CVE-2018-17183 + (Closes: #909076) + + status operator honour SAFER option (CVE-2018-11645) + * Drop patches applied upstream + * Rebase 2001_docdir_fix_for_debian.patch for 9.25 + * Rebase 2010_add_build_timestamp_setting.patch for 9.25 + * Add patches cherry-picked upstream to fix execution issues. + + Implement .currentoutputdevice operator + + Change "executeonly" to throw typecheck on gstatetype and + devicetype objects + + Undefine some additional internal operators. 
+ + Fix handling of .needinput if used from interpreter + + Ensure all errors are included from initialization + + setundercolorremoval memory corruption + + copydevice fails after stack device copies invalidated + + add operand checking to .setnativefontmapbuilt + + add object type check for AES key + + Add parameter type checking on .bigstring + + zparse_dsc_comments can crash with invalid dsc_state + + Catch errors in setpagesize, .setpagesize and setpagedevice and + cleanup + + Catch errors and cleanup stack on statusdict page size definitions + + Add parameter checking in setresolution + + device subclass open_device call must return child code + + fix DSC comment parsing in pdfwrite + + Check all uses of dict_find* to ensure 0 return properly handled + + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + + Avoid overrunning non terminated string buffer. + + Prevent SEGV in gs_setdevice_no_erase. + + Fix uninitialised value for render_cond. + + Hide the .needinput operator + + filenameforall calls bad iodev with insufficent scratch + + Improve hiding of security critical custom operators (CVE-2018-17961) + (Closes: #911175) + + Prevent SEGV after calling gs_image_class_1_simple. + + don't push userdict in preparation for Type 1 fonts + + add control over hiding error handlers. (Closes: #909929) + + For hidden operators, pass a name object to error handler. + (CVE-2018-17961) (Closes: #911175) + + Explicitly exclude /unknownerror from the SAFERERRORLIST + + don't include operator arrays in execstack output (CVE-2018-18073) + (Closes: #910758) + + Make .forceput unavailable from '.policyprocs' helper dictionary + (CVE-2018-18284) (Closes: #911175) + + .loadfontloop must be an operator (CVE-2018-17961) (Closes: #911175) + + font parsing - prevent SEGV in .cffparse + * openjpeg allocator must return NULL if size too large + * debian/copyright: Refresh with version from 9.25~dfsg-5 + * debian/libgs9.symbols: Update (and sync from 9.25~dfsg-5) for new version. 
+ Adjust version for errorexec_find@Base. + * Fix cups get/put_params LeadingEdge logic (cf. #912664) + * Avoid privacy breach linking documentation to jquery: + + Add patch 2009 to use local jquery. + + Add symlink from relative link to system-shared jquery library. + + Have ghostscript-doc depend on libjs-jquery. + * Avoid privacy breach linking documentation to font: + + Avoid linking to remote fonts in documentation. + * Avoid privacy breach linking documentation with Google: + + Strip googletagmanager code from documentation. + +9.20~dfsg-3.2+deb9u5 [Fri, 14 Sep 2018 22:53:46 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * Fixes for CVE-2018-16509 (fourth patch, rest were applied in deb9u4) + CVE-2018-16802 and one additional issue with a CVE ID (yet) + +9.20~dfsg-3.2+deb9u4 [Thu, 06 Sep 2018 00:02:35 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * Add additional patch for CVE-2018-16543 + * Fix a regression introduced in a054156d425b4dbdaaa9fda4b5f1182b27598c2b, + see https://github.com/apple/cups/issues/5392 + +9.20~dfsg-3.2+deb9u3 [Wed, 29 Aug 2018 21:17:15 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * Multiple security issues, see Security Tracker for details + +9.20~dfsg-3.2+deb9u2 [Sun, 29 Apr 2018 10:58:15 +0200] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload. * Segfault with fuzzing file in gxht_thresh_image_init @@ -66,7 +116,7 @@ * pdfwrite - Guard against trying to output an infinite number (CVE-2018-10194) (Closes: #896069) -9.06~dfsg-2+deb8u6 [Thu, 28 Sep 2017 21:55:37 +0200] Salvatore Bonaccorso <carnil@debian.org>: +9.20~dfsg-3.2+deb9u1 [Thu, 28 Sep 2017 21:47:33 +0200] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. * Bounds check the array allocations methods (CVE-2017-9835) 
@@ -79,36 +129,78 @@ * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910) * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977) -9.06~dfsg-2+deb8u5 [Fri, 28 Apr 2017 10:32:58 +0200] Salvatore Bonaccorso <carnil@debian.org>: - - * Non-maintainer upload by the Security Team. - * Avoid divide by 0 in scan conversion code (CVE-2016-10219) (Closes: - #859666) +9.20~dfsg-3.2 [Sun, 21 May 2017 19:22:52 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. + * Fix regression introduced by CVE-2017-8291 fix. + When using the "DELAYBIND" feature, it turns out that .eqproc can be + called with parameters that are not both procedures. In this case, it + turns out, the expectation is for the operator to return 'false', rather + than throw an error. (Closes: #862779) + +9.20~dfsg-3.1 [Fri, 28 Apr 2017 06:50:05 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. + * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" + substring (CVE-2017-8291) (Closes: #861295) + * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696) * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220) (Closes: #859694) - * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696) - * Ensure a device has raster memory, before trying to read it - (CVE-2017-7207) (Closes: #858350) - * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" - substring (CVE-2017-8291) (Closes: #861295) - -9.06~dfsg-2+deb8u4 [Thu, 27 Oct 2016 12:51:34 +0200] Salvatore Bonaccorso <carnil@debian.org>: - - * Non-maintainer upload by the Security Team. - * Add 840691-Fix-.locksafe.patch patch. - Fixes regression seen with zathura and evince. Fix .locksafe. We need to - .forceput the defintion of getenv into systemdict. 
- Thanks to Edgar Fuß <ef@math.uni-bonn.de> (Closes: #840691) - -9.06~dfsg-2+deb8u3 [Tue, 11 Oct 2016 19:35:21 +0200] Salvatore Bonaccorso <carnil@debian.org>: - - * Non-maintainer upload by the Security Team. - * CVE-2016-8602: check for sufficient params in .sethalftone5 and param - types (Closes: #840451) - -9.06~dfsg-2+deb8u2 [Sat, 08 Oct 2016 13:30:08 +0200] Salvatore Bonaccorso <carnil@debian.org>: - - * Non-maintainer upload by the Security Team. + * Avoid divide by 0 in scan conversion code (CVE-2016-10219) + (Closes: #859666) + * Dont create new ctx when pdf14 device reenabled (CVE-2016-10217) + (Closes: #859662) + +9.20~dfsg-3 [Tue, 21 Mar 2017 17:20:00 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Fix NULL pointer dereference in mem_get_bits_rectangle(). + Closes: Bug#697676 (CVE-2017-7207). Thanks to Salvatore Bonaccorso. + +9.20~dfsg-2 [Wed, 25 Jan 2017 05:26:10 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Add patch cherry-picked upstream to always print full PWG Raster + bitmap. + Closes: Bug#843095. Thanks to Brian Potkin. + * Modernize Vcs-Browser field: Use git subdir (not cgit). + * Stop override lintian for + package-needs-versioned-debhelper-build-depends: Fixed in lintian. + * Update watch file: Use github pattern from documentation. + * Update copyright info: Extend coverage of Debian packaging. + * Git-ignore quilt .pc subdir. + * Revert to not have git import-orig use merge-strategy replace. + +9.20~dfsg-1 [Tue, 29 Nov 2016 03:21:17 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Fix spelling error in chengelog entry for 9.19~dfsg-3.1. + * Adjust symbols (Fix version. Synv with experimental builds. + +9.20~dfsg-1~exp1 [Fri, 18 Nov 2016 16:07:47 +0100] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New release. + + [ Jonas Smedegaard ] + * Avoid non-DFSG embedded code copy of ConvertUTF: + + Avoid when repackaging. + + Stop track ConvertUTF files in copyright file. 
+ + Add patches cherry-pricked upstream to improve Unicode handling in + PDF files. + Closes: Bug#823100. Thanks to Francesco Poli. + * Update copyright info: + + Tidy repackaging to only cover what is still shipped upstream. + + Add Files and License sections for new file licensed as ISC. + * Have git import-orig use merge-strategy replace. + * Update patches: + + Drop patches cherry-picked upstream and now applied. + + Consistently apply cherry-picked upstream patches first. + + Unfuzz patches. + * Stop build static library (seemingly no longer supported with + upstream makefiles). + * Update symbols file (92 missing). + +9.19~dfsg-3.1 [Thu, 27 Oct 2016 13:25:52 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. * CVE-2013-5653: Information disclosure through getenv, filenameforall (Closes: #839118) * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote 
@@ -119,12 +211,322 @@ remote code execution (Closes: #839845) * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution (Closes: #839846) - -9.06~dfsg-2+deb8u1 [Sun, 26 Jul 2015 14:03:18 +0200] Salvatore Bonaccorso <carnil@debian.org>: - - * Non-maintainer upload by the Security Team. - * Add CVE-2015-3228.patch patch. - CVE-2015-3228: Integer overflow in gs_heap_alloc_bytes() (Closes: #793489) + * CVE-2016-8602: check for sufficient params in .sethalftone5 and param + types (Closes: #840451) + * Add 840691-Fix-.locksafe.patch patch. + Fixes regression seen with zathura and evince. Fix .locksafe. We need to + .forceput the definition of getenv into systemdict. + Thanks to Edgar Fuß <ef@math.uni-bonn.de> + +9.19~dfsg-3 [Thu, 22 Sep 2016 12:08:56 +0200] Jonas Smedegaard <dr@jones.dk>: + + * Avoid merging same-licensed sections in copyright_hints. + * Fix typo in old changelog entry. + * Skip copyright-check of non-metadata-parseable binary files. + * Update copyright info: + + Fix licensing of a few drivers to be GPL-2+. + + Fix licensing of a base files to be FTL. + + Update source URL. + * Update watch file: + + Fix handle prereleases. + + Use Github URL (but not common pattern: default tarball is bogus). + + Mention gpb --uscan in usage comment. + * Modernize git-buildpackage config: Filter any .git* file. + * Have library and headers support multi-arch. + Closes: Bug#770266. Thanks to Andreas Beckmann, Till Kamppeter and + Matthias Klose. + +9.19~dfsg-2 [Thu, 11 Aug 2016 14:09:12 +0200] Jonas Smedegaard <dr@jones.dk>: + + * Modernize cdbs use. Tighten build-dependency on cdbs. + * Declare compliance with Debian Policy 3.9.8. + * Update watch file: Fix avoid use of uupdate (unneeded with gbp). + * Build-depend on licensecheck (not devscripts). + * Add patch 1001 to fix a FTBFS against libopenjp2-7 2.1.1 and newer. + Closes: Bug#832873. + Thanks to Didier 'OdyX' Raboud. 
+ +9.19~dfsg-1 [Thu, 24 Mar 2016 18:19:43 +0100] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New release. + Highlights: + + New custom PJL (near) equivalents for pdfmark and + setdistillerparams. + + Metadata pdfmark implemented. + + Add experimental, rudimentary raster trapping implementation. + + Improved halftone threshold array generation tools. + Other changes relevant for Debian: + + copy_alpha now supports 8 bit depth (as well as 2 and 4). + + [ Jonas Smedegaard ] + * Update watch file: + + Bump file format to version 4. + + Update upstream source URL. + + Add repacksuffix hint. + + Use uversionmangle (not dversionmangle) to adjust prereleases. + * Drop CDBS get-orig-source target: Use "gbp import-orig --uscan" + instead. + * Update copyright info: + + Update source URL. + + Expand reasons for repackaging. + * Add patch cherry-picked upstream to have configure support + --without-pcl and --without-xps. + * Configure --without-pcl (instead of moving aside pcl dir during + build). + +9.19~~rc1~dfsg-1 [Mon, 14 Mar 2016 22:55:30 +0100] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New pre-release. + + [ Jonas Smedegaard ] + * Update upstream tarball repackaging: + + Stop strip ramfs code: Licensing issue resolved. + Drop related patch 2009. + + Stop strip ETS halftone code: Patent-encumbered yet believed to be + DFSG-free. + + Improve comments. + + Strip non-DFSG fonts. + + Strip convenience code copies cmpi Acrobat2Tiff. + + Strip non-free PCL/PX3/XPS data files. + * Switch to track GhostPDL (the larger project of which Ghostscript is + a subset). + Avoid building PCL writer for now: Fails with system-shared libjpeg. + * Ignore tiger.xps and XLS files from copyright check. + * Imported Upstream version 9.19rc1~dfsg + * Update upstream-tarball hints for current upstream source. + * Drop patches now applied upstream. + * Unfuzz patches 2007 2010. + * Update copyright info: + + Update License-Grant of main Files section. 
+ Add comment on its non-default location. + + Extend coverage for main upstream author. + * Use CDBS to put aside cruft during build. + Tighten to build-depend versioned on cdbs. + * Update symbols file (9 missing). + +9.18~dfsg-4 [Tue, 16 Feb 2016 20:59:55 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Really mark leaked png symbol as optional (not simply remove it, as + it may then silently reappear as happened with 2.18~dfsg release). + Closes: bug#809939. Thanks to Tobias Frost. + * Add patch cherry-picked upstream to fix xpswrite/gprf builds with + shared zlib (replacing patch 1002). + * Add patch cherry-picked upstream to fix add gserrors.h to the + installed files for the so-install target. + Closes: Bug#814882. Thanks to Jean-Luc Coulon. + * Recommend fonts-droid-fallback (not fonts-droid now dropped). + Closes: Bug#804684. Thanks to Daniel Serpell. + +9.18~dfsg-3 [Mon, 15 Feb 2016 16:53:25 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Fix use space (not comma) as arch delimiter in symbols file. + Thanks to John Paul Adrian Glaubitz + +9.18~dfsg-2 [Mon, 15 Feb 2016 15:46:02 +0100] Jonas Smedegaard <dr@jones.dk>: + + * Update symbols file: + + Drop hdr_id for sparc and sparc64 since 2.16~dfsg. + Closes: Bug#814702. Thanks to John Paul Adrian Glaubitz. + + Update list of confirmed archs. + * Release for unstable, despite symbols changes: None of the dropped + symbols are mentioned in any Debian code except ghostscript itself + (according to codesearch.debian.net). + +9.18~dfsg-1 [Sat, 13 Feb 2016 10:17:32 +0100] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New release 9.18, + Highlights: + + Integrate GhostPDL build routines into Ghsotscript. + + New technique of "device subclassing". Consistent -dFirstPage and + -dLastPage filters implemented using that technique. + + Digitally signed binaries for Windows. + Other changes relevant for Debian: + + Reintroduces tiffscaled* devices. + Closes: bug#786967. Thanks to Marc Lehmann. 
+ + [ Jonas Smedegaard ] + * Update watch file to mangle release candidates. + * Update copyright info: + + Extend coverage of Debian packaging. + + Add Files section for a few Apache-licensed files. + + Adjust for a few renamed files. + + Clarify reasons for source tarball repackaging. + * Drop uptream cherry-picked patch since applied. + * Unfuzz all patches. + * Add patches cherry-picked upstream to fix handle IJS and X11 as + subclassed devices. + Thanks to Till Kamppeter. + * Update patch 2009. + * Extend patch 1002 to fix shared zlib linkage for gprf (not only + xps). + * Add patches cherry-picked upstream to fix makefiles and to implement + -dTIFFDateTime=false option. + Thanks to Damian Dimmich. + * Declare compliance with Debian Policy 3.9.7. + * Mark libgs9-common as multi-arch foreign. + Closes:Bug#794527. Thanks to Helmuth Grohne. + * Acknowledge release 9.16~dfsg-2.1. + Thanks to Tobias Frost. + * Add patch 1003 to fix document ps2pdf -dCompatibilityLevel option. + Closes: bug#799836. Thanks to Trent W. Buck. + * Update package relations: + + Build-depend on libopenjp2-7-dev (not libopenjpeg-dev). + + Relax to recommend (not depend on) gsfonts. + Closes: bug#812088. Thanks to IOhannes m zmölnig. + * Modernize Vcs-* fields: Use https protocol and cgit. + * Track symbols in one single file. + * Update symbols file for amd64 architecture. + * Add patch 1001 to fix openjpeg linkage. + +9.16~dfsg-2.1 [Wed, 27 Jan 2016 19:39:05 +0100] Tobias Frost <tobi@debian.org>: + + * Non-maintainer upload. + * Remove leaked png_push_fill_buffer symbol from symbol files + to build with libpng1.6 (Closes: #809939) + +9.16~dfsg-2 [Sat, 01 Aug 2015 19:05:30 +0200] Jonas Smedegaard <dr@jones.dk>: + + * Fix lintian overrides. + * Bump debhelper compatibility level to 9. + * Suppress lintian warning about build-depending unversioned on + debhelper. + * Enable support for parallel building. 
+ +9.16~dfsg-1 [Fri, 31 Jul 2015 23:00:24 +0200] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New release 9.07. + Highlights: + + Add -dLockColorants option for tiffsep and psdcmyk devices. + + Improved high level devices handling of Forms. + + Update URW+ Nimbus* fonts, adding Greek and Cyrillic glyphs. + + [ Jonas Smedegaard ] + * Add patch 2010 to allow the build timestamp to be externally set. + Closes: Bug#794004. Thanks to Peter De Wachter and Eduard Sanou. + * Update copyright info: + + Extend coverage for main upstream authors to include current year. + * Add patch 1002 to fix have devxps link against shared zlib. + * Unfuzz patches. + * Update symbols file (30 new). + +9.15~dfsg-1 [Sun, 26 Jul 2015 17:34:11 +0200] Jonas Smedegaard <dr@jones.dk>: + + [ upstream ] + * New release 9.07. + Highlights: + + Licensing changed to GNU Affero General Public License (AGPL). + + Ghostscript now has the option to be built as thread safe. + + The pdfwrite devices now supports linearized (or optimized for + fast web view) output directly. + + Supports Postscript string and array objects with >64k entries. + + Supports file sizes >4Gb - in particular reading and writing PDF + files, and as side effect supports 64 bit Postscript integer + objects. + + All CMYK devices supports simulated overprint of spot colors. + + Support for use of DeviceN ICC color profiles as the output + profile with the tiffsep and psdcmyk devices. + + Support for customized named color handling with DeviceN colors. + + Support for black point compensation. + + Support for K preservation in CMYK to CMYK conversions. + + Support for DeviceLink profiles for graphic, image and text + objects. + + Support for custom color replacement. + + Increased control in specifying color conversions as a function of + object type. + + Provide BigTIFF output option, when linked against recent libtiff. + + LittleCMS updated to 2.4 [Debian instead links to shared lib]. + Closes: bug#531624. 
Thanks to Moritz Muehlenhoff and Bastien + Roucaries. + * New releases 9.09 and 9.10. + Highlights: + + New Background printing (BGPrint) feature to speedup processing of + certain classes of files. + + New GrayDetection feature to detect and convert nearly-grey color + input to grayscale for some drivers. + + Misc. improvements for Windows environments. + + Updated URW Postscript font set, fixing compatibility problems + with the Adobe fonts [Debian uses separately packaged fonts]. + * New release 9.14. + Highlights: + + pdfwrite now uses same color management as for rendering devices. + + New device 'eps2write' to create EPS files using ps2write. + + Support customisation of output for specific devices. + + Reduced memory usage processing PDF with transparency to either + display device or high level vector non-transparency devices like + ps2write or pdfwrite when 'flattening' to PDF 1.3 or earlier. + + New --saved-page option to spool and render in arbitrary order. + + Improved performance by more extensive use of multiple threads. + + New device 'pwgraster' to render for PWG Raster output. + + CUPS device improved support for PPD-less printing. + * New release 9.15. + Highlights: + + Support for PDF security handler revision 6. + + New -dNoOutputFonts for pdfwrite and ps2write (and related). + + New PostScript pageneutralcolor state to resolve color/grayscale. + + pdfwrite device supports Link annotations. + + pdfwrite device supports BMC/BDC/EMC pdfmarks. + + New LCMS2-based color management also applies to PDF/A-1 output. + + [ Jonas Smedegaard ] + * Update copyright info: + + Extend coverage a few places to include recent years. + + Change main license to "AGPL-3+~Artifex". + + Update main fonts to author "(URW)++" and license + "AGPL-3+~Artifex with font exception". + + Extend coverage for packaging, and relicense as GPL-3+. + + Drop Files section for documentation files not shipped since 9.05. 
+ + Fix include verbatim exceptions in license section (not comment). + + Only comment on (not formally declare) unused AFPL license. + + Merge bogus dual-licensing of (two wording of) LGPL-2.1+. + + Drop Files sections for excluded autotools files. + + Fix stop bogusly list as specially licensed the files + examples/waterfal.ps contrib/japanese/doc/gdevdmpr.txt + toolbin/localcluster/dashboard.html. + + Use License-Grant and License-Reference fields. + Thanks to Ben Finney. + + Use license short-name public-domain. + * Update repackaging: + + Strip convenience library trio from upstream source. + + Strip DFSG-nonfree ETS halftone code from upstream source. + + Strip example code lacking license. + + Strip contributed documentation possibly lacking license. + + Strip from repackaged upstream tarball ramfs code lacking license + according to <http://www.ghostscript.com/irclogs/2014/05/05.html>. + + Stop strip jasper project: not shipped since 9.07. + + Reflect files moved from base/ to devices/. + + Stop documenting CUPS filters dropped since 9.09. + * Update patches: + + Drop cherry-picked patches now included with upstream release. + + Add patch cherry-picked upstream to sanity check for memory + allocation. + Closes: Bug#793489 (CVE-2015-3228). Thanks to Raphael Hertzog. + + Add patch 2009 to not link against stripped ramfs code. + + Unfuzz all patches. + * Update package relations: + + Build-depend on recent libopenjpeg-dev (not libjasper-dev): + Support for JasPer has been dropped upstream. + + Tighten build-dependency on liblcms2-dev: We need threads support. + + Build-depend on libtrio-dev. + + Tighten to build-depend on d-shlibs handling libtrio quirk. + + Relax to build-depend unversioned on libopenjpeg-dev: Needed + version satisified even in oldstable. + + Relax to depend unversioned on poppler-data, and drop + fallback-dependency on gs-cjk-resource: Needed version satisified + even in oldstable. 
+ + Drop bogus/ancient fallback-build-dependency on libglut-dev. + * Add d-shlibmove override for libtrio. + * Add news entry about licensing change to AGPL. + Thanks to Jonathan Nieder. + * Update symbols file (208 new, 70 dropped). + * Temporarily adjust source URLs for upstream pre-release. + * Have license-check skip main HTML documentation. + * Add lintian overrides regarding license in License-Reference field. + See bug#786450. + * Declare compliance with Debian Policy 3.9.6. 9.06~dfsg-2 [Fri, 09 Jan 2015 15:49:21 +0100] Didier Raboud <odyx@debian.org>: <http://10.200.17.11/4.2-5/#4671324506904436908>
<http://10.200.17.11/4.2-5/#6991960503524224997>
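Review bot: In the first hunk (@@ -1,63 +1,113 @@) the removed 9.06~dfsg-2+deb8u13 entry names CVE-2018-19134 and CVE-2018-19478, but none of the added 9.26a, 9.26 or 9.25 entries mention either ID, so after this update the package changelog no longer records those two fixes. Because the patched 9.06 is replaced by a 9.26a backport rather than patched again, please confirm that the new upstream version contains both fixes and say so in the erratum text. The new top entry also switches the JPEG 2000 library ("Use openjpeg2 rather than jasper as the latter is no longer supported"), which changes what the package links against and deserves a line in the erratum as well.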
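Review bot: The last hunk (@@ -119,12 +211,322 @@) pulls in changes well beyond the single CVE named in the bug text and none of them are called out: the 9.15~dfsg-1 entry records "Licensing changed to GNU Affero General Public License (AGPL)" and "Update symbols file (208 new, 70 dropped)", and 9.18~dfsg-2 notes a release "despite symbols changes". I would mention the licence change in the erratum and check the packages on UCS 4.2 that link against libgs9 for use of the dropped symbols before release, since the changelog's own check covers only Debian code.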
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 7e5af1bc58 Bug #48769: ghostscript 9.26a~dfsg-0+deb8u1
 doc/errata/staging/ghostscript.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

<http://errata.software-univention.de/ucs/4.2/608.html>
<http://errata.software-univention.de/ucs/4.2/609.html>