[bug#74070] gnu: librewolf: Update to 131.0.3-1 [security fixes].
Commit Message
New upstream bugfix version. This release switches to the
firefox-l10n repository, necessitating rework of locale handling.
Fixes CVE:
CVE-2024-9936: Undefined behavior in selection node cache
* gnu/packages/librewolf-pending.scm (librewolf): Update to 131.0.3-1.
Change-Id: I468d5995fb9c89b46fef06481f984648f9eeb1b2
---
gnu/packages/librewolf.scm | 67 +++++++------------
.../librewolf-neuter-locale-download.patch | 17 +++++
2 files changed, 41 insertions(+), 43 deletions(-)
create mode 100644 gnu/packages/patches/librewolf-neuter-locale-download.patch
Comments
user guix
usertag 74070 + reviewed-looks-good
thanks
Guix QA review form submission:
Thanks for the patch,
You have a trailing space in gnu/packages/patches/librewolf-neuter-locale-download.patch line 8.
The patch path is not found by guix, replace:
(patches (search-patches patches/librewolf-neuter-locale-download.patch))
With
(patches (search-patches librewolf-neuter-locale-download.patch))
Items marked as checked: Commit messages
Good evening,
Noé
Hi,
Ian Eure <ian@retrospec.tv> skribis:
> New patch for the new upstream version. vs. the previous patch, this series:
>
> - Updates nss to 3.105, the minimum version required by LibreWolf/Firefox
> 132.0. I attempted to update to 3.106, but there's a regression causing
> test failures[1].
> - Updates LibreWolf to 132.0-1. Simple version/hash update.
> - Removes the `patch/' prefix of the locale patch.
>
> [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1927096
>
> Ian Eure (2):
> gnu: nss-rapid: Update to 3.105.
> gnu: librewolf: Update to 132.0-1 [security fixes].
Applied after building locally.
It’s unfortunate that qa.guix hasn’t been able to pick it up in a timely
fashion—it’ll be several hours before substitutes are available. But I
thought we’d rather go ahead and apply these upgrades and security fixes
without waiting any longer.
Thanks,
Ludo’.
Hi Ludo’
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Ian Eure <ian@retrospec.tv> skribis:
>
>> New patch for the new upstream version. vs. the previous
>> patch, this series:
>>
>> - Updates nss to 3.105, the minimum version required by
>> LibreWolf/Firefox
>> 132.0. I attempted to update to 3.106, but there's a
>> regression causing
>> test failures[1].
>> - Updates LibreWolf to 132.0-1. Simple version/hash update.
>> - Removes the `patch/' prefix of the locale patch.
>>
>> [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1927096
>>
>> Ian Eure (2):
>> gnu: nss-rapid: Update to 3.105.
>> gnu: librewolf: Update to 132.0-1 [security fixes].
>
> Applied after building locally.
>
> It’s unfortunate that qa.guix hasn’t been able to pick it up in
> a timely
> fashion—it’ll be several hours before substitutes are available.
> But I
> thought we’d rather go ahead and apply these upgrades and
> security fixes
> without waiting any longer.
>
Makes sense, thank you for pushing this!
— Ian
@@ -111,10 +111,21 @@ (define (librewolf-source-origin version hash)
(commit version)
(recursive? #t)))
(file-name (git-file-name "librewolf-source" version))
+ (patches (search-patches "patches/librewolf-neuter-locale-download.patch"))
(sha256 (base32 hash))))
(define computed-origin-method (@@ (guix packages) computed-origin-method))
+(define firefox-l10n
+ (let ((commit "bdfd4e10606204450a3e88d219ecf2b252349c2b"))
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/mozilla-l10n/firefox-l10n.git")
+ (commit commit)))
+ (file-name (git-file-name "firefox-l10n" commit))
+ (sha256 (base32 "0i31b1024jck6467j9phcqvac32psl4nkyb0nm4h9zzyj8zw31xp")))))
+
(define* (make-librewolf-source #:key version firefox-hash librewolf-hash)
(let* ((ff-src (firefox-source-origin
(car (string-split version #\-))
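Review bot: The new `firefox-l10n` origin is pinned to a bare commit with no comment saying how that commit was chosen or when it has to change. The script this series patches used to fetch the head of the firefox-l10n main branch at build time, so this pin now decides which translations ship and presumably has to be revisited on every LibreWolf update. A comment above the definition such as `;; Pinned firefox-l10n snapshot; update the commit and hash together with the librewolf version.` would record that. `make-librewolf-source` continues outside the hunk.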
@@ -168,34 +179,10 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash)
;; Stage locales.
(begin
- (format #t "Staging locales...~%")
- (force-output)
- (mkdir "l10n-staging")
- (with-directory-excursion "l10n-staging"
- (for-each
- (lambda (locale-dir)
- (let ((locale
- (string-drop
- (basename locale-dir)
- (+ 32 ; length of hash
- (string-length "-mozilla-locale-")))))
- (format #t " ~a~%" locale)
- (force-output)
- (copy-recursively locale-dir locale
- #:log (%make-void-port "w"))
- (for-each make-file-writable (find-files locale))
- (with-directory-excursion locale
- (when (file-exists? ".hgtags")
- (delete-file ".hgtags")))))
- '#+all-mozilla-locales)))
-
- ;; Patch build script to use staged locales.
- (begin
- (substitute* '("scripts/generate-locales.sh")
- (("wget") "# wget")
- (("unzip") "# unzip")
- (("mv browser/locales/l10n/\\$1-\\*/")
- "mv ../l10n-staging/$1/")))
+ (substitute* "scripts/librewolf-patches.py"
+ (("l10n_dir = Path(\"..\", \"l10n\")")
+ (string-append
+ "l10n_dir = \"" #+firefox-l10n "\""))))
;; Run the build script
(invoke "make" "all")
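Review bot: The `substitute*` pattern `"l10n_dir = Path(\"..\", \"l10n\")"` is compiled as an extended regular expression, so the unescaped parentheses form a group and `..` matches any two characters; as written it most likely does not match the literal `Path("..", "l10n")` text in `scripts/librewolf-patches.py`. `substitute*` does not fail when nothing matches, so the script would silently keep its own `l10n_dir` and the pinned, hashed `firefox-l10n` origin would go unused. Other patterns in this file escape these characters (`defaultPref\\(\"browser\\.ml\\.`), and the same is needed here: `(("l10n_dir = Path\\(\"\\.\\.\", \"l10n\"\\)")`. The replacement also turns `l10n_dir` from a `Path` into a plain string, which is worth checking against how the script uses it later; that code is not visible here. The enclosing builder expression starts outside the hunk.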
@@ -212,18 +199,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241010143544")
+(define %librewolf-build-id "20241019075849")
(define-public librewolf
(package
(name "librewolf")
- (version "131.0.2-1")
+ (version "131.0.3-1")
(source
(origin
- (inherit (make-librewolf-source
- #:version version
- #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
- #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
+ (inherit (make-librewolf-source
+ #:version version
+ #:firefox-hash "1l30y1pf2kkhnnnazj2x7j1hy3sxz6x9vjj3lbx3wi9pfzwz6zbs"
+ #:librewolf-hash "0ayl43nq3h9a3b4nl7sfmil43v0k3x1bmxl7c7ws8710dj2674rc"))))
(build-system gnu-build-system)
(arguments
(list
@@ -325,14 +312,7 @@ (define (write-setting key value)
;; Lock the preferences so they can't be enabled.
(substitute* "lw/librewolf.cfg"
(("defaultPref\\(\"browser\\.ml\\.")
- "lockPref(\"browser.ml."))
- ;; Correct a preference typo
- ;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954
- ;; Remove this in the next update.
- (substitute* "lw/librewolf.cfg"
- (("browser\\.ml\\.enabled")
- "browser.ml.enable"))
- ))
+ "lockPref(\"browser.ml."))))
(add-after 'patch-source-shebangs 'patch-cargo-checksums
(lambda _
(use-modules (guix build cargo-utils))
@@ -417,6 +397,7 @@ (define (write-setting key value)
(which "bash"))
(setenv "MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE"
"system")
+ (setenv "LANG" "en_US.utf8")
;; This should use the host info probably (does it
;; build on non-x86_64 though?)
(setenv "GUIX_PYTHONPATH"
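Review bot: The added `(setenv "LANG" "en_US.utf8")` has no comment saying which build step needs a UTF-8 locale, and the commit message does not mention it either. The setting only takes effect if that locale is available in the build environment, which cannot be checked from this hunk. A comment such as `;; <step> needs a UTF-8 locale.`, with the placeholder filled in, would help whoever does the next update decide whether the line can go. The enclosing phase starts and ends outside the hunk.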
@@ -625,7 +606,7 @@ (define (runpaths-of-input label)
(substitute* desktop-file
(("^Exec=@MOZ_APP_NAME@")
(string-append "Exec="
- #$output "/bin/librewolf %u"))
+ #$output "/bin/librewolf"))
(("@MOZ_APP_DISPLAYNAME@")
"LibreWolf")
(("@MOZ_APP_REMOTINGNAME@")
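Review bot: Removing `%u` from the `Exec=` replacement is not mentioned in the commit message, and the reason is not visible in the hunk. The pattern `^Exec=@MOZ_APP_NAME@` replaces only the start of the line, so the change is right if the upstream desktop template now carries the field code itself; if it does not, URLs handed over by the desktop environment would no longer reach the browser. Once confirmed against the template, a comment such as `;; The template line already ends in %u, so it is not appended here.` would document this. The surrounding `substitute*` form continues outside the hunk.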
new file mode 100644
@@ -0,0 +1,17 @@
+diff --git a/scripts/librewolf-patches.py b/scripts/librewolf-patches.py
+index 48dc6bc..01a6c58 100755
+--- a/scripts/librewolf-patches.py
++++ b/scripts/librewolf-patches.py
+@@ -147,12 +147,6 @@ def librewolf_patches():
+ with open(file, "w") as f:
+ f.write("{}-{}".format(version,release))
+
+- print("-> Downloading locales from https://github.com/mozilla-l10n/firefox-l10n")
+- with TemporaryDirectory() as tmpdir:
+- exec(f"wget -qO {tmpdir}/l10n.zip 'https://codeload.github.com/mozilla-l10n/firefox-l10n/zip/refs/heads/main'")
+- exec(f"unzip -qo {tmpdir}/l10n.zip -d {tmpdir}/l10n")
+- exec(f"mv {tmpdir}/l10n/firefox-l10n-main lw/l10n")
+-
+ print("-> Patching appstrings.properties")
+ # Why is "Firefox" hardcoded there???
+ exec("find . -path '*/appstrings.properties' -exec sed -i s/Firefox/LibreWolf/ {} \;")
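Review bot: The new patch file begins directly at `diff --git` and has no leading comment explaining why it exists. Guix patches normally open with a short description and their upstream status, and `guix lint` has a checker for that header. Two or three lines would cover it, stating that the patch removes the build-time download of firefox-l10n from `refs/heads/main` because the package supplies a pinned and hashed firefox-l10n origin instead, and that it is specific to Guix.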