This is the 2nd part of the fix for CVE-2018-16802. The first part is:
* ghostscript-9.24-001-retain-LockSafetyParams.patch, which has been
already included in the ZER0-DAY fixes.
Resolves: #1627960
According to upstream, this should deal with the issues reported here:
http://seclists.org/oss-sec/2018/q3/142
Although, it's possible some follow-up patches will be needed as well.
The specfile has been completely rewritten from the ground up, to
comply with Fedora Packaging Guidelines, and to incorporate comments
from upstream. The subpackage layout was also updated into a more sane
and more granular scheme.
The changes are described in more detail below:
(Justifications for them can be found in the specfile's comments.)
* libijs -- the IJS library has been debundled and is now provided
as a separate package: https://src.fedoraproject.org/rpms/libijs
* libgs -- new separate package, created from Ghostscript's shared
library. It contains all necessary files for other software/packages
that are built upon Ghostscript's functionality.
* libgs-devel -- new separate subpackage, for development purposes or
Fedora's build process. The 'ghostscript-devel' is still provided
for now as a virtual subpackage.
* ghostscript -- is no longer a metapackage. It's a regular package
instead, and it contains Ghostscript's binaries as well as some
typical conversion scripts people are used to (and expect to have
installed together with Ghostscript by default).
* ghostscript-tools-fonts -- new subpackage that contains 3 scripts
that are useful only for people who are working with AFM, PFB or PFA
files (conversions usually).
* ghostscript-tools-printing -- new subpackage that contains only
utilities for formatting and printing text files using either
Ghostscript, or BubbleJet, DeskJet, DeskJet 500, & LaserJet printers.
* ghostscript-core -- has become an empty metapackage for upgrade
purposes. It will be removed once Fedora 28 is EOL, and all other
packages have updated their specfiles to require correct subpackages.
* LPR setup scripts are no longer being shipped. In case people still
need those, then 'ghostscript-tools-lpr' will be created for it.
* examples/ from 'ghostscript-doc' are no longer shipped.
* Support for /usr/share/ghostscript/conf.d/ folder was dropped to use
Ghostscript's default choice for rendering of CJK glyphs, which is
Google Droid Sans Fallback font. In case this proves insufficient,
the conf.d/ folder support will be re-established.
* Symbolic links for direct resources locations have been added to
speed up Ghostscript's startup time.
* Ghostscript's search path was updated to include only fonts
locations, which will be used only as a backup (in case of broken
symbolic links).
* Documentation and resources paths no longer contain version string
inside of them.
* Ghostscript itself (as a whole) has been completely debundled (to a
point where it still makes sense). It newly requires these packages:
https://src.fedoraproject.org/rpms/adobe-mappings-cmap
https://src.fedoraproject.org/rpms/adobe-mappings-pdf
https://src.fedoraproject.org/rpms/libijs
https://src.fedoraproject.org/rpms/urw-base35-fonts
* As a result of debundling, 'poppler-data' is no longer a requirement
for Ghostscript, and it is no longer necessary to do a rebuild of
'poppler-data' when Ghostscript is rebased.