
[bug#71782,PATCHv3,3/4] gnu: torbrowser: Update to 13.5.1 [security fixes].

Message ID 20240716234251.4653-1-nandre@riseup.net
State New

Commit Message

André Batista July 16, 2024, 11:42 p.m. UTC
Fixes CVEs 2024-6600, 2024-6601, 2024-6602, 2024-6603 and 2024-6604.
See the Mozilla Foundation Security advisory
<https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/>
for details.

* gnu/packages/tor-browsers.scm (%torbrowser-build-date): Update to
20240708120000.
(%torbrowser-version): Update to 13.5.1.
(%torbrowser-firefox-version): Update to 115.13.0esr-13.5-1-build2.
(%torbrowser-locales): Change it to be a plain list of supported locales.
(firefox-locales): New variable.
(torbrowser-translation-base): Update to
6ff73b6f7a6cec4849c2cd1e1ee1dc6fc8894169.
(torbrowser-translation-specific): Update to
427819f80eaca95645bf0c1876d6a728d6ce7093.
(lld-as-ld-wrapper-16): New variable.
(make-torbrowser)[native-inputs]: Add lld-as-ld-wrapper-16. Use
llvm-16 and clang-16.
  [inputs]: Add firefox-locales.
  [arguments] <#:phases>:  Remove add-bridges.
    setenv, copy-firefox-locales: Update MOZ_CHROME_MULTILOCALE to the
     new %torbrowser-locales format.
    copy-basebrowser-locales, copy-torbrowser-locales: Likewise and adjust
     fluent file path.
    deploy-fonts: Adjust regular expression.
    autoconfig: Remove file-picker configuration workaround. See #71181.

Change-Id: Ia1f84bc55beed42580b1eaabcbb685b1cc2a7d51

---
 gnu/packages/tor-browsers.scm | 142 ++++++++++++++--------------------
 1 file changed, 60 insertions(+), 82 deletions(-)

Patch

diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm
index 3d01346c8c..8172083957 100644
--- a/gnu/packages/tor-browsers.scm
+++ b/gnu/packages/tor-browsers.scm
@@ -21,7 +21,7 @@ 
 ;;; Copyright © 2021 Baptiste Strazzul <bstrazzull@hotmail.fr>
 ;;; Copyright © 2022 SeerLite <seerlite@disroot.org>
 ;;; Copyright © 2024 Aleksandr Vityazev <avityazew@gmail.com>
-;;; Copyright © 2020, 2021 André Batista <nandre@riseup.net>
+;;; Copyright © 2020, 2021, 2024 André Batista <nandre@riseup.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -104,63 +104,48 @@  (define-syntax-rule (mozilla-locales (hash-string changeset locale) ...)
   #~(list (cons #$locale #$(mozilla-locale locale changeset hash-string))
           ...))
 
-;; See tor-browser-build/rbm.conf for the list.
-;; See browser/locales/l10n-changesets.json for the changeset.
-;; See update-mozilla-locales in gnuzilla.scm to automate updating changeset.
-(define %torbrowser-locales
-  (mozilla-locales
-   ;;                      sha256                            changeset    locale
-   ;;---------------------------------------------------------------------------
-   ("1218mldjxybhgzdi0myzkwjr2fgnysl71pl847kr7wyn1j8wk3a5" "c25d00080479" "ar")
-   ("11c96jhfzd3h46qhblhvn2acsn895ykynarai8r5pf0655nfjs0j" "2de60e3d6d0c" "ca")
-   ("0yhycgb3s3kydbzy6f2q7f7g2lp975spr092prf9xp8ha62ghby7" "609edd15f9a9" "cs")
-   ("1kzx94n36c5vv954j7w65djvb37c178zazy25b35l71q2rvhmlhj" "2197a99c9a08" "da")
-   ("13h7hk11bbd0yq8gqdv7ndbizkgwlm3ybz225l3x2b5cnyjxyg14" "b7a533e5edc9" "de")
-   ("13ay27vdrqfv2ysyi7c2jmz50lps7rff9rmnws1z7jkj0a5chwrn" "20baf15379d8" "el")
-   ("0mdr5b6pqxjmg9c8064x3hpf53h6w9j8ghl32655sx9jh4v3ykza" "beff1baac7c5" "es-ES")
-   ("1pnyg09j6r15w8m62lwj89x6rz4br877z60p8s1hlrb9hj2s3vdx" "ebe0b60b0b36" "fa")
-   ("067r505626cvlrsalnndf2ykz3nnkiy0b8yaxzf1rracpzmp0hni" "d5ae6a933d71" "fi")
-   ("0026zzjv2bqc8sg06yvyd0mhny6mwwvhpvzjrhv2fi5v4wkxapdj" "496c2eb73b82" "fr")
-   ("1dxcp26y8siap4k54zsw7mqa7k0l4f1505rdf4hnnxrzf9a643g5" "2fcccb5b19b3" "ga-IE")
-   ("14v6xnlyj65hzaz2rmzxcl4skjgm48426jgr9mwkwiqis587lp4a" "c53cea027f8f" "he")
-   ("04fdw2gzb64fb51bvs0bwsidzlvkdahmcy76vdg3gfcxslnlpi3y" "5a76dd3b5d5c" "hu")
-   ("0bpyxpclfy74bcsjrs1ajh2am4zv6j6j9q4gc4vz8pgvzy9354zp" "6e6de17dcac4" "id")
-   ("131ph8n235kr6nj1pszk0m00nh6kl360r4qvx4hjm8s22mw0k8qd" "536265635dfe" "is")
-   ("03fbp4vgkwyimfmbm4n8blx1m16yhms2wm8j4wlx2h3cpxp5r71k" "91951e37e2b8" "it")
-   ("0ncm531d7ih7phcn9d83zwq0dfphvmzg3gmhqmrrkkbydi1g3pbb" "895dcf8bb524" "ja")
-   ("1x3110v730ak522zfm8j3r3v1x5lq3ig82kcgyxkc49xywajy0ni" "d0819a64fc40" "ka")
-   ("14rc9mr4ngxdzwpjagzhz47jazgp1a6vwb0vbwj31yxv9iwkrgzi" "6ef881aff44b" "ko")
-   ("1gl85z550amhbaxp39zdj6yyvashj9xd4ampfhm9jdpbf6n5j2l8" "afcbc29a15e5" "lt")
-   ("1hz5g3iprfkbd88ncppyksbhlws73lhs75nf62hangw8l73wdn69" "84f3d6c7e2da" "mk")
-   ("14aq37ngnav5m2kcb4wavxwhp28ad4jzdkzc7i64h0qvvxq5n3hf" "c9ec27a5db3d" "ms")
-   ("0h7dlnawm5mbcx4qdlz5c7n4axz2dpa677v13ljdgm2b5w76msmq" "5c1480ccc040" "my")
-   ("1b12azc1n8j1i2l20v66r74q79zqjvc5sf9pd8rmj3xd0fkxzdp2" "fc1896a0a24d" "nb-NO")
-   ("1fh4dhlb6hynlpb2997gssv9v8zk5b7qrw0sclggczb5pcpjk6wc" "7e6da4f01bdb" "nl")
-   ("1w8x3jjrd28f6g6ywwxldizpiipfkr63dzqd74kjpg24s2lqzp80" "e86a451a9cb5" "pl")
-   ("1v3v4n82sn7a4h2d9n653fmgc31mikacf59lvdj6gbwvzpjb5yfa" "94c3dbb67a5d" "pt-BR")
-   ("061a4z0lffgks3wlr6yh5z7x9arcn804mjwvffcmibs106vzamyq" "470b13b5805b" "ro")
-   ("1fxgh7nfxpg2zknvfff8igq9q1vm5n4q033v7lm2c0xn3dbl8m28" "402b2ecbf04d" "ru")
-   ("1i119g6dnhzxmpaz5r2jr9yzm1v24v2q6m3z6bfz2yihj0w7m133" "f637484e72b6" "sq")
-   ("1nllh3ax323sxwhj7xvwvbfnh4179332pcmpfyybw1vaid3nr39k" "bb2d5d96d69e" "sv-SE")
-   ("136m68fd0641k3qqmsw6zp016cvvd0sipsyv6rx2b9nli56agz57" "0e6c56bf2ac9" "th")
-   ("0q8p8bwq8an65yfdwzm4dhl6km68r83bv5i17kay2gak8msxxhsb" "91e611ae3f19" "tr")
-   ("1f2g7rnxpr2gjzngfsv19g11vk9zqpyrv01pz07mw2z3ffbkxf0j" "99d5ffa0b81e" "uk")
-   ("1rizwsfgr7vxm31bin3i7bwhcqa67wcylak3xa387dvgf1y9057i" "5fd44724e22d" "vi")
-   ("02ifa94jfii5f166rwdvv8si3bazm4bcf4qhi59c8f1hxbavb52h" "081aeb1aa308" "zh-CN")
-   ("0qx9sh56pqc2x5qrh386cp1fi1gidhcmxxpvqkg9nh2jbizahznr" "9015a180602e" "zh-TW")))
-
 ;; We copy the official build id, which is defined at
 ;; tor-browser-build/rbm.conf (browser_release_date).
-(define %torbrowser-build-date "20240510190000")
+(define %torbrowser-build-date "20240708120000")
 
 ;; To find the last version, look at https://www.torproject.org/download/.
-(define %torbrowser-version "13.0.16")
+(define %torbrowser-version "13.5.1")
 
 ;; To find the last Firefox version, browse
 ;; https://archive.torproject.org/tor-package-archive/torbrowser/<%torbrowser-version>
 ;; There should be only one archive that starts with
 ;; "src-firefox-tor-browser-".
-(define %torbrowser-firefox-version "115.12.0esr-13.0-1-build1")
+(define %torbrowser-firefox-version "115.13.0esr-13.5-1-build2")
+
+;; See tor-browser-build/rbm.conf for the list.
+(define %torbrowser-locales (list "ar" "ca" "cs" "da" "de" "el" "es-ES" "fa" "fi" "fr"
+                                  "ga-IE" "he" "hu" "id" "is" "it" "ja" "ka" "ko" "lt"
+                                  "mk" "ms" "my" "nb-NO" "nl" "pl" "pt-BR" "ro" "ru"
+                                  "sq" "sv-SE" "th" "tr" "uk" "vi" "zh-CN" "zh-TW"))
+
+;; See browser/locales/l10n-changesets.json for the commit.
+(define firefox-locales
+  (let ((commit "15d15edddfbd4611b4922fa1976e753c5be548ca")
+        (revision "0"))
+    (package
+      (name "firefox-locales")
+      (version (git-version "0.0.0" revision commit))
+      (source
+        (origin
+          (method git-fetch)
+          (uri (git-reference
+                (url "https://github.com/mozilla-l10n/firefox-l10n")
+                (commit commit)))
+          (file-name (git-file-name name version))
+          (sha256
+           (base32
+            "1rxck15vyhlwzjzn4l5zn7slbhjjj1ncm22b5mjhdb056sqhna17"))))
+      (build-system copy-build-system)
+      (home-page "https://github.com/mozilla-l10n/firefox-l10n")
+      (synopsis "Firefox Locales")
+      (description "This package contains localized messages for all
+Firefox locales.")
+      (license license:mpl2.0))))
 
 ;; See tor-browser-build/projects/translation/config.
 (define torbrowser-translation-base
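Review bot: The comment above `firefox-locales` does not say which source tree `browser/locales/l10n-changesets.json` belongs to, nor that the pinned commit has to move together with `%torbrowser-firefox-version`. The removed block also pointed to `update-mozilla-locales` for automating the bump, and nothing replaces that hint, so the next updater has only the bare file name to go on. Presumably the file is the one shipped in the Tor Browser Firefox source tarball; if so, a comment such as `;; Commit pinned in browser/locales/l10n-changesets.json of the Firefox source for %torbrowser-firefox-version; update both together.` would make the coupling explicit. Separately, the package has no `#:install-plan`, so `copy-build-system` appears to install the whole firefox-l10n checkout even though only the entries of `%torbrowser-locales` are read later.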
@@ -168,11 +153,11 @@  (define torbrowser-translation-base
     (method git-fetch)
     (uri (git-reference
           (url "https://gitlab.torproject.org/tpo/translation.git")
-          (commit "f28525699864f4e3d764c354130bd898ce5b20aa")))
+          (commit "6ff73b6f7a6cec4849c2cd1e1ee1dc6fc8894169")))
     (file-name "translation-base-browser")
     (sha256
      (base32
-      "1vf6nl7fdmlmg2gskf3w1xlsgcm0pxi54z2daz5nwr6q9gyi0lkf"))))
+      "11s4px6izzvja11qrr7g8whbmcn6yrvk2yc0k7jx628562hjwi3d"))))
 
 ;; See tor-browser-build/projects/translation/config.
 (define torbrowser-translation-specific
@@ -180,11 +165,11 @@  (define torbrowser-translation-specific
     (method git-fetch)
     (uri (git-reference
           (url "https://gitlab.torproject.org/tpo/translation.git")
-          (commit "b5d79336411e5a59c4861341ef9aa7353e0bcad9")))
+          (commit "427819f80eaca95645bf0c1876d6a728d6ce7093")))
     (file-name "translation-tor-browser")
     (sha256
      (base32
-      "0ahz69pxhgik7ynmdkbnx7v5l2v392i6dswjz057g4hwnd7d34fb"))))
+      "1yq1aqdzwyiqvj918i9q7x27i37rm7090bjnimh2ai8ss3xc8jpf"))))
 
 (define torbrowser-assets
   ;; This is a prebuilt Torbrowser from which we take the assets we need.
@@ -200,7 +185,7 @@  (define torbrowser-assets
          version "/tor-browser-linux-x86_64-" version ".tar.xz"))
        (sha256
         (base32
-         "1kffam66bsaahzx212hw9lb03jwfr24hivzg067iyzilsldpc9c1"))))
+         "12na110krw60d067x1dbwfnsk6vbx9l4vai0qvaasxydd0np2g6m"))))
     (arguments
      (list
       #:install-plan
@@ -215,6 +200,10 @@  (define torbrowser-assets
 Browser.")
     (license license:silofl1.1)))
 
+;;; A LLD wrapper that can be used as a (near) drop-in replacement to GNU ld.
+(define lld-as-ld-wrapper-16
+  (make-lld-wrapper lld-16 #:lld-as-ld? #t))
+
 (define* (make-torbrowser #:key
                           moz-app-name
                           moz-app-remotingname
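Review bot: The comment on `lld-as-ld-wrapper-16` describes what the wrapper is but not why this file needs its own copy pinned to version 16. The native-inputs hunk further down only says `; for cargo rustc`, so the reason for the pin has to be guessed. If the intent is to keep the linker on the same LLVM release as the compiler, say so here, for example `;;; Pinned to lld-16 to match the llvm-16 and clang-16 native inputs of make-torbrowser.` That also tells the next person who bumps LLVM that this definition must move too.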
@@ -238,10 +227,11 @@  (define* (make-torbrowser #:key
          ".tar.xz"))
        (sha256
         (base32
-         "1b70zyjyai6kk4y1kkl8jvrs56gg7z31kkad6bmdpd8jw4n71grx"))))
+         "1p83mmv5gq1nvpqs5w6151b7b8s3pbp9nn7jcrhbgwr7a9ffypi8"))))
     (build-system mozilla-build-system)
     (inputs
      (list go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
+           firefox-locales
            tor-client
            alsa-lib
            bash-minimal                 ;for wrap-program
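Review bot: `firefox-locales` is added to `inputs`, but the only use visible in this patch is the `copy-firefox-locales` phase, which copies the locale directories into `.mozbuild/l10n-central` before configure. That makes it build-time data, so `native-inputs` with `#$(this-package-native-input "firefox-locales")` in the phase would describe the dependency more accurately. Whether the built output keeps a reference to it cannot be judged from this hunk. The `make-torbrowser` definition starts and ends outside the hunk.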
@@ -293,8 +283,9 @@  (define* (make-torbrowser #:key
       rust
       `(,rust "cargo")
       rust-cbindgen
-      llvm-15
-      clang-15
+      lld-as-ld-wrapper-16  ; for cargo rustc
+      llvm-16
+      clang-16
       perl
       node-lts
       python-wrapper
@@ -540,8 +531,7 @@  (define (runpaths-of-input label)
               ;; $HOME/.mozbuild).
               (setenv "MOZBUILD_STATE_PATH"
                       (in-vicinity (getcwd) ".mozbuild"))
-              (setenv "MOZ_CHROME_MULTILOCALE"
-                      (string-join (map car #$locales)))
+              (setenv "MOZ_CHROME_MULTILOCALE" (string-join (list #$@locales)))
               ;; Make build reproducible.
               (setenv "MOZ_BUILD_DATE" #$build-date)))
           (add-before 'configure 'mozconfig
@@ -555,14 +545,14 @@  (define (runpaths-of-input label)
           ;; See tor-browser-build/projects/firefox/build.
           (add-before 'configure 'copy-firefox-locales
             (lambda _
-              (let ((l10ncentral ".mozbuild/l10n-central"))
+              (let ((l10ncentral ".mozbuild/l10n-central")
+                    (ff-locales #$(this-package-input "firefox-locales")))
                 (mkdir-p l10ncentral)
                 (for-each
                  (lambda (lang)
-                   (copy-recursively (cdr lang)
-                                     (in-vicinity l10ncentral
-                                                  (car lang))))
-                 #$locales))))
+                   (copy-recursively (string-append ff-locales "/" lang)
+                                     (in-vicinity l10ncentral lang)))
+                 (list #$@locales)))))
           (add-after 'copy-firefox-locales 'copy-basebrowser-locales
             (lambda _
               (let ((l10ncentral ".mozbuild/l10n-central"))
@@ -577,7 +567,7 @@  (define (runpaths-of-input label)
                      #f (string-join
                          '("mv"
                            "translation-base-browser/~a/base-browser.ftl"
-                           "~a/~a/browser/browser/"))
+                           "~a/~a/toolkit/toolkit/global/"))
                      lang l10ncentral lang))
                    (system
                     (format
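Review bot: The `mv` into the new `~a/~a/toolkit/toolkit/global/` destination is run through `(system …)`, and as far as the hunk shows its exit status is discarded; the call begins above the hunk. If that directory does not exist for one of the locales, the move fails and the build continues without `base-browser.ftl` for that language, with no error raised. Since the destination is what this patch changes, it is a good moment to make the step fail loudly, e.g. `(invoke "mv" (format #f "translation-base-browser/~a/base-browser.ftl" lang) (format #f "~a/~a/toolkit/toolkit/global/" l10ncentral lang))`. The same applies to the `tor-browser.ftl` move in the `@@ -601,7 +591,7 @@` hunk.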
@@ -586,7 +576,7 @@  (define (runpaths-of-input label)
                            "translation-base-browser/~a/*"
                            "~a/~a/browser/chrome/browser/"))
                      lang l10ncentral lang)))
-                 (map car #$locales)))))
+                 (list #$@locales)))))
           (add-after 'copy-basebrowser-locales 'copy-torbrowser-locales
             (lambda _
               (let ((l10ncentral ".mozbuild/l10n-central"))
@@ -601,7 +591,7 @@  (define (runpaths-of-input label)
                      #f (string-join
                          '("mv"
                            "translation-tor-browser/~a/tor-browser.ftl"
-                           "~a/~a/browser/browser/"))
+                           "~a/~a/toolkit/toolkit/global/"))
                      lang l10ncentral lang))
                    (system
                     (format
@@ -623,7 +613,7 @@  (define (runpaths-of-input label)
                      (format port "  locale/~a/ (chrome/locale/~a/*)~%"
                              lang lang)
                      (close port)))
-                 (map car #$locales)))))
+                 (list #$@locales)))))
           (replace 'configure
             (lambda _
               (invoke "./mach" "configure")))
@@ -632,14 +622,6 @@  (define (runpaths-of-input label)
               (substitute*
                   "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl"
                 (("addons.mozilla.org") "gnuzilla.gnu.org"))))
-          (add-before 'build 'add-bridges ;see deploy.sh
-            (lambda _
-              (let ((port (open-file
-                           "browser/app/profile/000-tor-browser.js" "a")))
-                (display
-                 "#include ../../../tools/torbrowser/bridges.js" port)
-                (newline port)
-                (close port))))
           (replace 'build
             (lambda* (#:key (make-flags '()) (parallel-build? #t)
                       #:allow-other-keys)
@@ -739,7 +721,7 @@  (define (runpaths-of-input label)
                 (copy-recursively (in-vicinity #$assets "fontconfig")
                                   (in-vicinity lib "fontconfig"))
                 (substitute* (in-vicinity lib "fontconfig/fonts.conf")
-                  (("<dir>fonts</dir>")
+                  (("<dir prefix=\"cwd\">fonts</dir>")
                    (format #f "<dir>~a</dir>" (in-vicinity lib "fonts"))))
                 (delete-file-recursively (in-vicinity lib "fonts"))
                 (copy-recursively (in-vicinity #$assets "fonts")
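Review bot: `substitute*` does not signal an error when its pattern matches nothing, so the exact-string pattern `<dir prefix=\"cwd\">fonts</dir>` will silently stop rewriting `fonts.conf` the next time upstream changes that element. That looks like the breakage this line repairs. The browser would then be left with a font directory relative to the working directory instead of the store path. A pattern that tolerates attributes, `(("<dir[^>]*>fonts</dir>")`, would survive such changes. Alternatively, add a check after the substitution that the file contains the absolute `lib/fonts` path and fail the phase if it does not. The `deploy-fonts` phase starts and ends outside the hunk.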
@@ -805,11 +787,7 @@  (define (runpaths-of-input label)
                             "https://gnuzilla.gnu.org/mozzarella")
                     (format #t "pref(~s, ~s);~%"
                             "lightweightThemes.getMoreURL"
-                            "https://gnuzilla.gnu.org/mozzarella")
-                    ;; FIXME: https://github.com/NixOS/nixpkgs/issues/307095
-                    (format #t "pref(~s, ~a);~%"
-                            "widget.use-xdg-desktop-portal.file-picker"
-                            "1"))))))
+                            "https://gnuzilla.gnu.org/mozzarella"))))))
           (add-after 'autoconfig 'autoconfig-tor
             (lambda* (#:key inputs #:allow-other-keys)
               (let ((lib (in-vicinity #$output "lib/torbrowser"))