Change logs for ghostscript source package in Stretch

  • ghostscript (9.26a~dfsg-0+deb9u6) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * remove .forceput from /.charkeys (CVE-2019-14869)
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 13 Nov 2019 21:01:12 +0100
  • ghostscript (9.26a~dfsg-0+deb9u4) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * protect use of .forceput with executeonly (CVE-2019-10216)
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 08 Aug 2019 07:10:18 +0200
  • ghostscript (9.26a~dfsg-0+deb9u2) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Have gs_cet.ps run from gs_init.ps
      * Undef /odef in gs_init.ps
      * Restrict superexec and remove it from internals and gs_cet.ps
        (CVE-2019-3835) (Closes: #925256)
      * Obliterate "superexec". We don't need it, nor do any known apps
        (CVE-2019-3835) (Closes: #925256)
      * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838)
        (Closes: #925257)
      * an extra transient proc needs executeonly'ed (CVE-2019-3838)
        (Closes: #925257)
    
     -- Salvatore Bonaccorso <email address hidden>  Sat, 13 Apr 2019 16:40:43 +0200
  • ghostscript (9.26a~dfsg-0+deb9u1) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * New upstream version 9.26a~dfsg
        + Includes fix for CVE-2019-6116
      * Temporarily split ABI at ~ (not a).
      * Update symbols: 1 private added
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 24 Jan 2019 22:49:29 +0100
  • ghostscript (9.20~dfsg-3.2+deb9u5) stretch-security; urgency=medium
    
      * Fixes for CVE-2018-16509 (fourth patch, rest were applied in deb9u4)
        CVE-2018-16802 and one additional issue with a CVE ID (yet)
    
     -- Moritz Mühlenhoff <email address hidden>  Fri, 14 Sep 2018 22:53:46 +0200
  • ghostscript (9.20~dfsg-3.2+deb9u2) stretch; urgency=medium
    
      * Non-maintainer upload.
      * Segfault with fuzzing file in gxht_thresh_image_init
      * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
        (Closes: #860869)
      * pdfwrite - Guard against trying to output an infinite number
        (CVE-2018-10194) (Closes: #896069)
    
     -- Salvatore Bonaccorso <email address hidden>  Sun, 29 Apr 2018 10:58:15 +0200
  • ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Bounds check the array allocations methods (CVE-2017-9835)
        (Closes: #869907)
      * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917)
      * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916)
      * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915)
      * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
        (Closes: #869913)
      * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
      * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977)
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 28 Sep 2017 21:47:33 +0200
  • ghostscript (9.20~dfsg-3.2) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Fix regression introduced by CVE-2017-8291 fix.
        When using the "DELAYBIND" feature, it turns out that .eqproc can be
        called with parameters that are not both procedures. In this case, it
        turns out, the expectation is for the operator to return 'false', rather
        than throw an error. (Closes: #862779)
    
     -- Salvatore Bonaccorso <email address hidden>  Sun, 21 May 2017 19:22:52 +0200
  • ghostscript (9.20~dfsg-3.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * -dSAFER bypass and remote command execution via a "/OutputFile  (%pipe%"
        substring (CVE-2017-8291) (Closes: #861295)
      * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696)
      * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220)
        (Closes: #859694)
      * Avoid divide by 0 in scan conversion code (CVE-2016-10219)
        (Closes: #859666)
  * Don't create new ctx when pdf14 device reenabled (CVE-2016-10217)
    (Closes: #859662)
    
     -- Salvatore Bonaccorso <email address hidden>  Fri, 28 Apr 2017 06:50:05 +0200
  • ghostscript (9.20~dfsg-3) unstable; urgency=medium
    
      * Fix NULL pointer dereference in mem_get_bits_rectangle().
        Closes: Bug#697676 (CVE-2017-7207). Thanks to Salvatore Bonaccorso.
    
     -- Jonas Smedegaard <email address hidden>  Tue, 21 Mar 2017 17:20:00 +0100
  • ghostscript (9.20~dfsg-2) unstable; urgency=medium
    
      * Add patch cherry-picked upstream to always print full PWG Raster
        bitmap.
        Closes: Bug#843095. Thanks to Brian Potkin.
      * Modernize Vcs-Browser field: Use git subdir (not cgit).
      * Stop override lintian for
        package-needs-versioned-debhelper-build-depends: Fixed in lintian.
      * Update watch file: Use github pattern from documentation.
      * Update copyright info: Extend coverage of Debian packaging.
      * Git-ignore quilt .pc subdir.
      * Revert to not have git import-orig use merge-strategy replace.
    
     -- Jonas Smedegaard <email address hidden>  Wed, 25 Jan 2017 05:26:10 +0100
  • ghostscript (9.20~dfsg-1) unstable; urgency=medium
    
  * Fix spelling error in changelog entry for 9.19~dfsg-3.1.
  * Adjust symbols (Fix version. Sync with experimental builds.)
    
     -- Jonas Smedegaard <email address hidden>  Tue, 29 Nov 2016 03:21:17 +0100
  • ghostscript (9.19~dfsg-3.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * CVE-2013-5653: Information disclosure through getenv, filenameforall
        (Closes: #839118)
      * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
        shell command execution (Closes: #839260)
      * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
        remote file disclosure (Closes: #839841)
      * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
        remote code execution (Closes: #839845)
      * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
        execution (Closes: #839846)
      * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
        types (Closes: #840451)
      * Add 840691-Fix-.locksafe.patch patch.
    Fixes regression seen with zathura and evince. Fix .locksafe. We need to
    .forceput the definition of getenv into systemdict.
        Thanks to Edgar Fuß <email address hidden>
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 27 Oct 2016 13:25:52 +0200
  • ghostscript (9.19~dfsg-3) unstable; urgency=medium
    
      * Avoid merging same-licensed sections in copyright_hints.
      * Fix typo in old changelog entry.
      * Skip copyright-check of non-metadata-parseable binary files.
      * Update copyright info:
        + Fix licensing of a few drivers to be GPL-2+.
        + Fix licensing of a base files to be FTL.
        + Update source URL.
      * Update watch file:
        + Fix handle prereleases.
        + Use Github URL (but not common pattern: default tarball is bogus).
        + Mention gpb --uscan in usage comment.
      * Modernize git-buildpackage config: Filter any .git* file.
      * Have library and headers support multi-arch.
        Closes: Bug#770266. Thanks to Andreas Beckmann, Till Kamppeter and
        Matthias Klose.
    
     -- Jonas Smedegaard <email address hidden>  Thu, 22 Sep 2016 12:08:56 +0200
  • ghostscript (9.19~dfsg-2) unstable; urgency=medium
    
      * Modernize cdbs use. Tighten build-dependency on cdbs.
      * Declare compliance with Debian Policy 3.9.8.
      * Update watch file: Fix avoid use of uupdate (unneeded with gbp).
      * Build-depend on licensecheck (not devscripts).
      * Add patch 1001 to fix a FTBFS against libopenjp2-7 2.1.1 and newer.
        Closes: Bug#832873.
        Thanks to Didier 'OdyX' Raboud.
    
     -- Jonas Smedegaard <email address hidden>  Thu, 11 Aug 2016 14:09:12 +0200
  • ghostscript (9.19~dfsg-1) unstable; urgency=medium
    
      [ upstream ]
      * New release.
        Highlights:
        + New custom PJL (near) equivalents for pdfmark and
          setdistillerparams.
        + Metadata pdfmark implemented.
        + Add experimental, rudimentary raster trapping implementation.
        + Improved halftone threshold array generation tools.
        Other changes relevant for Debian:
        + copy_alpha now supports 8 bit depth (as well as 2 and 4).
    
      [ Jonas Smedegaard ]
      * Update watch file:
        + Bump file format to version 4.
        + Update upstream source URL.
        + Add repacksuffix hint.
        + Use uversionmangle (not dversionmangle) to adjust prereleases.
      * Drop CDBS get-orig-source target: Use "gbp import-orig --uscan"
        instead.
      * Update copyright info:
        + Update source URL.
        + Expand reasons for repackaging.
      * Add patch cherry-picked upstream to have configure support
        --without-pcl and --without-xps.
      * Configure --without-pcl (instead of moving aside pcl dir during
        build).
    
     -- Jonas Smedegaard <email address hidden>  Thu, 24 Mar 2016 18:19:43 +0100
  • ghostscript (9.18~dfsg-4) unstable; urgency=medium
    
      * Really mark leaked png symbol as optional (not simply remove it, as
        it may then silently reappear as happened with 2.18~dfsg release).
        Closes: bug#809939. Thanks to Tobias Frost.
      * Add patch cherry-picked upstream to fix xpswrite/gprf builds with
        shared zlib (replacing patch 1002).
      * Add patch cherry-picked upstream to fix add gserrors.h to the
        installed files for the so-install target.
        Closes: Bug#814882. Thanks to Jean-Luc Coulon.
      * Recommend fonts-droid-fallback (not fonts-droid now dropped).
        Closes: Bug#804684. Thanks to Daniel Serpell.
    
     -- Jonas Smedegaard <email address hidden>  Tue, 16 Feb 2016 20:59:55 +0100
  • ghostscript (9.16~dfsg-2.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Remove leaked png_push_fill_buffer symbol from symbol files
        to build with libpng1.6 (Closes: #809939)
    
     -- Tobias Frost <email address hidden>  Wed, 27 Jan 2016 19:39:05 +0100
  • ghostscript (9.16~dfsg-2) unstable; urgency=medium
    
      * Fix lintian overrides.
      * Bump debhelper compatibility level to 9.
      * Suppress lintian warning about build-depending unversioned on
        debhelper.
      * Enable support for parallel building.
    
     -- Jonas Smedegaard <email address hidden>  Sat, 01 Aug 2015 19:05:30 +0200
  • ghostscript (9.15~dfsg-1) unstable; urgency=medium
    
      [ upstream ]
      * New release 9.07.
        Highlights:
        + Licensing changed to GNU Affero General Public License (AGPL).
        + Ghostscript now has the option to be built as thread safe.
    + The pdfwrite devices now support linearized (or optimized for
      fast web view) output directly.
        + Supports Postscript string and array objects with >64k entries.
        + Supports file sizes >4Gb - in particular reading and writing PDF
          files, and as side effect supports 64 bit Postscript integer
          objects.
    + All CMYK devices support simulated overprint of spot colors.
        + Support for use of DeviceN ICC color profiles as the output
          profile with the tiffsep and psdcmyk devices.
        + Support for customized named color handling with DeviceN colors.
        + Support for black point compensation.
        + Support for K preservation in CMYK to CMYK conversions.
        + Support for DeviceLink profiles for graphic, image and text
          objects.
        + Support for custom color replacement.
        + Increased control in specifying color conversions as a function of
          object type.
        + Provide BigTIFF output option, when linked against recent libtiff.
        + LittleCMS updated to 2.4 [Debian instead links to shared lib].
          Closes: bug#531624. Thanks to Moritz Muehlenhoff and Bastien
          Roucaries.
      * New releases 9.09 and 9.10.
        Highlights:
        + New Background printing (BGPrint) feature to speedup processing of
          certain classes of files.
        + New GrayDetection feature to detect and convert nearly-grey color
          input to grayscale for some drivers.
        + Misc. improvements for Windows environments.
        + Updated URW Postscript font set, fixing compatibility problems
          with the Adobe fonts [Debian uses separately packaged fonts].
      * New release 9.14.
        Highlights:
        + pdfwrite now uses same color management as for rendering devices.
        + New device 'eps2write' to create EPS files using ps2write.
        + Support customisation of output for specific devices.
        + Reduced memory usage processing PDF with transparency to either
          display device or high level vector non-transparency devices like
          ps2write or pdfwrite when 'flattening' to PDF 1.3 or earlier.
        + New --saved-page option to spool and render in arbitrary order.
        + Improved performance by more extensive use of multiple threads.
        + New device 'pwgraster' to render for PWG Raster output.
        + CUPS device improved support for PPD-less printing.
      * New release 9.15.
        Highlights:
        + Support for PDF security handler revision 6.
        + New -dNoOutputFonts for pdfwrite and ps2write (and related).
        + New PostScript pageneutralcolor state to resolve color/grayscale.
        + pdfwrite device supports Link annotations.
        + pdfwrite device supports BMC/BDC/EMC pdfmarks.
        + New LCMS2-based color management also applies to PDF/A-1 output.
    
      [ Jonas Smedegaard ]
      * Update copyright info:
        + Extend coverage a few places to include recent years.
        + Change main license to "AGPL-3+~Artifex".
        + Update main fonts to author "(URW)++" and license
          "AGPL-3+~Artifex with font exception".
        + Extend coverage for packaging, and relicense as GPL-3+.
        + Drop Files section for documentation files not shipped since 9.05.
        + Fix include verbatim exceptions in license section (not comment).
        + Only comment on (not formally declare) unused AFPL license.
        + Merge bogus dual-licensing of (two wording of) LGPL-2.1+.
        + Drop Files sections for excluded autotools files.
        + Fix stop bogusly list as specially licensed the files
          examples/waterfal.ps contrib/japanese/doc/gdevdmpr.txt
          toolbin/localcluster/dashboard.html.
        + Use License-Grant and License-Reference fields.
          Thanks to Ben Finney.
        + Use license short-name public-domain.
      * Update repackaging:
        + Strip convenience library trio from upstream source.
        + Strip DFSG-nonfree ETS halftone code from upstream source.
        + Strip example code lacking license.
        + Strip contributed documentation possibly lacking license.
        + Strip from repackaged upstream tarball ramfs code lacking license
          according to <http://www.ghostscript.com/irclogs/2014/05/05.html>.
        + Stop strip jasper project: not shipped since 9.07.
        + Reflect files moved from base/ to devices/.
        + Stop documenting CUPS filters dropped since 9.09.
      * Update patches:
        + Drop cherry-picked patches now included with upstream release.
        + Add patch cherry-picked upstream to sanity check for memory
          allocation.
          Closes: Bug#793489 (CVE-2015-3228). Thanks to Raphael Hertzog.
        + Add patch 2009 to not link against stripped ramfs code.
        + Unfuzz all patches.
      * Update package relations:
        + Build-depend on recent libopenjpeg-dev (not libjasper-dev):
          Support for JasPer has been dropped upstream.
        + Tighten build-dependency on liblcms2-dev: We need threads support.
        + Build-depend on libtrio-dev.
        + Tighten to build-depend on d-shlibs handling libtrio quirk.
    + Relax to build-depend unversioned on libopenjpeg-dev: Needed
      version satisfied even in oldstable.
    + Relax to depend unversioned on poppler-data, and drop
      fallback-dependency on gs-cjk-resource: Needed version satisfied
      even in oldstable.
        + Drop bogus/ancient fallback-build-dependency on libglut-dev.
      * Add d-shlibmove override for libtrio.
      * Add news entry about licensing change to AGPL.
        Thanks to Jonathan Nieder.
      * Update symbols file (208 new, 70 dropped).
      * Temporarily adjust source URLs for upstream pre-release.
      * Have license-check skip main HTML documentation.
      * Add lintian overrides regarding license in License-Reference field.
        See bug#786450.
      * Declare compliance with Debian Policy 3.9.6.
    
     -- Jonas Smedegaard <email address hidden>  Sun, 26 Jul 2015 17:34:11 +0200
  • ghostscript (9.06~dfsg-2) unstable; urgency=medium
    
      * Add patch cherry-picked from Ghostscript 9.14 (AGPL) to fix /typecheck error in
        /findfont. Mention the explicit agreement to include that patch in a GPL
        Ghostscript in the patch description from the original author.
        (Closes: #732440)
      * Ack NMU, thanks!
    
     -- Didier Raboud <email address hidden>  Fri, 09 Jan 2015 15:49:21 +0100