From patchwork Tue Jul 16 23:42:50 2024
X-Patchwork-Submitter: André Batista
X-Patchwork-Id: 66300
Subject: [bug#71782] [PATCHv3 3/4] gnu: torbrowser: Update to 13.5.1 [security fixes].
From: André Batista
Date: Tue, 16 Jul 2024 20:42:50 -0300
Message-ID: <20240716234251.4653-1-nandre@riseup.net>
In-Reply-To: <20240626133817.21595-1-nandre@riseup.net>

Fixes CVEs 2024-6600, 2024-6601, 2024-6602, 2024-6603 and 2024-6604.
See the Mozilla Foundation Security advisory for details.

* gnu/packages/tor-browsers.scm (%torbrowser-build-date): Update to
20240708120000.
(%torbrowser-version): Update to 13.5.1.
(%torbrowser-firefox-version): Update to 115.13.0esr-13.5-1-build2.
(%torbrowser-locales): Change it to be a plain list of supported locales.
(firefox-locales): New variable.
(torbrowser-translation-base): Update to
6ff73b6f7a6cec4849c2cd1e1ee1dc6fc8894169.
(torbrowser-translation-specific): Update to
427819f80eaca95645bf0c1876d6a728d6ce7093.
(lld-as-ld-wrapper-16): New variable.
(make-torbrowser)[native-inputs]: Add lld-as-ld-wrapper-16. Use llvm-16
and clang-16.
[inputs]: Add firefox-locales.
[arguments] <#:phases>: Remove add-bridges.
setenv, copy-firefox-locales: Update MOZ_CHROME_MULTILOCALE to the new
%torbrowser-locales format.
copy-basebrowser-locales, copy-torbrowser-locales: Likewise and adjust
fluent file path.
deploy-fonts: Adjust regex expression.
autoconfig: Remove file-picker configuration workaround. See #71181.

Change-Id: Ia1f84bc55beed42580b1eaabcbb685b1cc2a7d51
---
 gnu/packages/tor-browsers.scm | 142 ++++++++++++++--------------------
 1 file changed, 60 insertions(+), 82 deletions(-)
diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm index 3d01346c8c..8172083957 100644 --- a/gnu/packages/tor-browsers.scm +++ b/gnu/packages/tor-browsers.scm @@ -21,7 +21,7 @@ ;;; Copyright © 2021 Baptiste Strazzul ;;; Copyright © 2022 SeerLite ;;; Copyright © 2024 Aleksandr Vityazev -;;; Copyright © 2020, 2021 André Batista +;;; Copyright © 2020, 2021, 2024 André Batista ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -104,63 +104,48 @@ (define-syntax-rule (mozilla-locales (hash-string changeset locale) ...) #~(list (cons #$locale #$(mozilla-locale locale changeset hash-string)) ...)) -;; See tor-browser-build/rbm.conf for the list. -;; See browser/locales/l10n-changesets.json for the changeset. -;; See update-mozilla-locales in gnuzilla.scm to automate updating changeset. -(define %torbrowser-locales - (mozilla-locales - ;; sha256 changeset locale - ;;--------------------------------------------------------------------------- - ("1218mldjxybhgzdi0myzkwjr2fgnysl71pl847kr7wyn1j8wk3a5" "c25d00080479" "ar") - ("11c96jhfzd3h46qhblhvn2acsn895ykynarai8r5pf0655nfjs0j" "2de60e3d6d0c" "ca") - ("0yhycgb3s3kydbzy6f2q7f7g2lp975spr092prf9xp8ha62ghby7" "609edd15f9a9" "cs") - ("1kzx94n36c5vv954j7w65djvb37c178zazy25b35l71q2rvhmlhj" "2197a99c9a08" "da") - ("13h7hk11bbd0yq8gqdv7ndbizkgwlm3ybz225l3x2b5cnyjxyg14" "b7a533e5edc9" "de") - ("13ay27vdrqfv2ysyi7c2jmz50lps7rff9rmnws1z7jkj0a5chwrn" "20baf15379d8" "el") - ("0mdr5b6pqxjmg9c8064x3hpf53h6w9j8ghl32655sx9jh4v3ykza" "beff1baac7c5" "es-ES") - ("1pnyg09j6r15w8m62lwj89x6rz4br877z60p8s1hlrb9hj2s3vdx" "ebe0b60b0b36" "fa") - ("067r505626cvlrsalnndf2ykz3nnkiy0b8yaxzf1rracpzmp0hni" "d5ae6a933d71" "fi") - ("0026zzjv2bqc8sg06yvyd0mhny6mwwvhpvzjrhv2fi5v4wkxapdj" "496c2eb73b82" "fr") - ("1dxcp26y8siap4k54zsw7mqa7k0l4f1505rdf4hnnxrzf9a643g5" "2fcccb5b19b3" "ga-IE") - ("14v6xnlyj65hzaz2rmzxcl4skjgm48426jgr9mwkwiqis587lp4a" "c53cea027f8f" "he") - ("04fdw2gzb64fb51bvs0bwsidzlvkdahmcy76vdg3gfcxslnlpi3y" "5a76dd3b5d5c" "hu") - ("0bpyxpclfy74bcsjrs1ajh2am4zv6j6j9q4gc4vz8pgvzy9354zp" "6e6de17dcac4" "id") - ("131ph8n235kr6nj1pszk0m00nh6kl360r4qvx4hjm8s22mw0k8qd" "536265635dfe" "is") - ("03fbp4vgkwyimfmbm4n8blx1m16yhms2wm8j4wlx2h3cpxp5r71k" "91951e37e2b8" "it") - ("0ncm531d7ih7phcn9d83zwq0dfphvmzg3gmhqmrrkkbydi1g3pbb" "895dcf8bb524" "ja") - ("1x3110v730ak522zfm8j3r3v1x5lq3ig82kcgyxkc49xywajy0ni" "d0819a64fc40" "ka") - 
("14rc9mr4ngxdzwpjagzhz47jazgp1a6vwb0vbwj31yxv9iwkrgzi" "6ef881aff44b" "ko") - ("1gl85z550amhbaxp39zdj6yyvashj9xd4ampfhm9jdpbf6n5j2l8" "afcbc29a15e5" "lt") - ("1hz5g3iprfkbd88ncppyksbhlws73lhs75nf62hangw8l73wdn69" "84f3d6c7e2da" "mk") - ("14aq37ngnav5m2kcb4wavxwhp28ad4jzdkzc7i64h0qvvxq5n3hf" "c9ec27a5db3d" "ms") - ("0h7dlnawm5mbcx4qdlz5c7n4axz2dpa677v13ljdgm2b5w76msmq" "5c1480ccc040" "my") - ("1b12azc1n8j1i2l20v66r74q79zqjvc5sf9pd8rmj3xd0fkxzdp2" "fc1896a0a24d" "nb-NO") - ("1fh4dhlb6hynlpb2997gssv9v8zk5b7qrw0sclggczb5pcpjk6wc" "7e6da4f01bdb" "nl") - ("1w8x3jjrd28f6g6ywwxldizpiipfkr63dzqd74kjpg24s2lqzp80" "e86a451a9cb5" "pl") - ("1v3v4n82sn7a4h2d9n653fmgc31mikacf59lvdj6gbwvzpjb5yfa" "94c3dbb67a5d" "pt-BR") - ("061a4z0lffgks3wlr6yh5z7x9arcn804mjwvffcmibs106vzamyq" "470b13b5805b" "ro") - ("1fxgh7nfxpg2zknvfff8igq9q1vm5n4q033v7lm2c0xn3dbl8m28" "402b2ecbf04d" "ru") - ("1i119g6dnhzxmpaz5r2jr9yzm1v24v2q6m3z6bfz2yihj0w7m133" "f637484e72b6" "sq") - ("1nllh3ax323sxwhj7xvwvbfnh4179332pcmpfyybw1vaid3nr39k" "bb2d5d96d69e" "sv-SE") - ("136m68fd0641k3qqmsw6zp016cvvd0sipsyv6rx2b9nli56agz57" "0e6c56bf2ac9" "th") - ("0q8p8bwq8an65yfdwzm4dhl6km68r83bv5i17kay2gak8msxxhsb" "91e611ae3f19" "tr") - ("1f2g7rnxpr2gjzngfsv19g11vk9zqpyrv01pz07mw2z3ffbkxf0j" "99d5ffa0b81e" "uk") - ("1rizwsfgr7vxm31bin3i7bwhcqa67wcylak3xa387dvgf1y9057i" "5fd44724e22d" "vi") - ("02ifa94jfii5f166rwdvv8si3bazm4bcf4qhi59c8f1hxbavb52h" "081aeb1aa308" "zh-CN") - ("0qx9sh56pqc2x5qrh386cp1fi1gidhcmxxpvqkg9nh2jbizahznr" "9015a180602e" "zh-TW"))) - ;; We copy the official build id, which is defined at ;; tor-browser-build/rbm.conf (browser_release_date). -(define %torbrowser-build-date "20240510190000") +(define %torbrowser-build-date "20240708120000") ;; To find the last version, look at https://www.torproject.org/download/. 
-(define %torbrowser-version "13.0.16") +(define %torbrowser-version "13.5.1") ;; To find the last Firefox version, browse ;; https://archive.torproject.org/tor-package-archive/torbrowser/<%torbrowser-version> ;; There should be only one archive that starts with ;; "src-firefox-tor-browser-". -(define %torbrowser-firefox-version "115.12.0esr-13.0-1-build1") +(define %torbrowser-firefox-version "115.13.0esr-13.5-1-build2") + +;; See tor-browser-build/rbm.conf for the list. +(define %torbrowser-locales (list "ar" "ca" "cs" "da" "de" "el" "es-ES" "fa" "fi" "fr" + "ga-IE" "he" "hu" "id" "is" "it" "ja" "ka" "ko" "lt" + "mk" "ms" "my" "nb-NO" "nl" "pl" "pt-BR" "ro" "ru" + "sq" "sv-SE" "th" "tr" "uk" "vi" "zh-CN" "zh-TW")) + +;; See browser/locales/l10n-changesets.json for the commit. +(define firefox-locales + (let ((commit "15d15edddfbd4611b4922fa1976e753c5be548ca") + (revision "0")) + (package + (name "firefox-locales") + (version (git-version "0.0.0" revision commit)) + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/mozilla-l10n/firefox-l10n") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1rxck15vyhlwzjzn4l5zn7slbhjjj1ncm22b5mjhdb056sqhna17")))) + (build-system copy-build-system) + (home-page "https://github.com/mozilla-l10n/firefox-l10n") + (synopsis "Firefox Locales") + (description "This package contains localized messages for all +Firefox locales.") + (license license:mpl2.0)))) ;; See tor-browser-build/projects/translation/config. (define torbrowser-translation-base 
@@ -168,11 +153,11 @@ (define torbrowser-translation-base (method git-fetch) (uri (git-reference (url "https://gitlab.torproject.org/tpo/translation.git") - (commit "f28525699864f4e3d764c354130bd898ce5b20aa"))) + (commit "6ff73b6f7a6cec4849c2cd1e1ee1dc6fc8894169"))) (file-name "translation-base-browser") (sha256 (base32 - "1vf6nl7fdmlmg2gskf3w1xlsgcm0pxi54z2daz5nwr6q9gyi0lkf")))) + "11s4px6izzvja11qrr7g8whbmcn6yrvk2yc0k7jx628562hjwi3d")))) ;; See tor-browser-build/projects/translation/config. (define torbrowser-translation-specific @@ -180,11 +165,11 @@ (define torbrowser-translation-specific (method git-fetch) (uri (git-reference (url "https://gitlab.torproject.org/tpo/translation.git") - (commit "b5d79336411e5a59c4861341ef9aa7353e0bcad9"))) + (commit "427819f80eaca95645bf0c1876d6a728d6ce7093"))) (file-name "translation-tor-browser") (sha256 (base32 - "0ahz69pxhgik7ynmdkbnx7v5l2v392i6dswjz057g4hwnd7d34fb")))) + "1yq1aqdzwyiqvj918i9q7x27i37rm7090bjnimh2ai8ss3xc8jpf")))) (define torbrowser-assets ;; This is a prebuilt Torbrowser from which we take the assets we need. @@ -200,7 +185,7 @@ (define torbrowser-assets version "/tor-browser-linux-x86_64-" version ".tar.xz")) (sha256 (base32 - "1kffam66bsaahzx212hw9lb03jwfr24hivzg067iyzilsldpc9c1")))) + "12na110krw60d067x1dbwfnsk6vbx9l4vai0qvaasxydd0np2g6m")))) (arguments (list #:install-plan @@ -215,6 +200,10 @@ (define torbrowser-assets Browser.") (license license:silofl1.1))) +;;; A LLD wrapper that can be used as a (near) drop-in replacement to GNU ld. +(define lld-as-ld-wrapper-16 + (make-lld-wrapper lld-16 #:lld-as-ld? #t)) + (define* (make-torbrowser #:key moz-app-name moz-app-remotingname 
@@ -238,10 +227,11 @@ (define* (make-torbrowser #:key ".tar.xz")) (sha256 (base32 - "1b70zyjyai6kk4y1kkl8jvrs56gg7z31kkad6bmdpd8jw4n71grx")))) + "1p83mmv5gq1nvpqs5w6151b7b8s3pbp9nn7jcrhbgwr7a9ffypi8")))) (build-system mozilla-build-system) (inputs (list go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird + firefox-locales tor-client alsa-lib bash-minimal ;for wrap-program @@ -293,8 +283,9 @@ (define* (make-torbrowser #:key rust `(,rust "cargo") rust-cbindgen - llvm-15 - clang-15 + lld-as-ld-wrapper-16 ; for cargo rustc + llvm-16 + clang-16 perl node-lts python-wrapper @@ -540,8 +531,7 @@ (define (runpaths-of-input label) ;; $HOME/.mozbuild). (setenv "MOZBUILD_STATE_PATH" (in-vicinity (getcwd) ".mozbuild")) - (setenv "MOZ_CHROME_MULTILOCALE" - (string-join (map car #$locales))) + (setenv "MOZ_CHROME_MULTILOCALE" (string-join (list #$@locales))) ;; Make build reproducible. (setenv "MOZ_BUILD_DATE" #$build-date))) (add-before 'configure 'mozconfig @@ -555,14 +545,14 @@ (define (runpaths-of-input label) ;; See tor-browser-build/projects/firefox/build. (add-before 'configure 'copy-firefox-locales (lambda _ - (let ((l10ncentral ".mozbuild/l10n-central")) + (let ((l10ncentral ".mozbuild/l10n-central") + (ff-locales #$(this-package-input "firefox-locales"))) (mkdir-p l10ncentral) (for-each (lambda (lang) - (copy-recursively (cdr lang) - (in-vicinity l10ncentral - (car lang)))) - #$locales)))) + (copy-recursively (string-append ff-locales "/" lang) + (in-vicinity l10ncentral lang))) + (list #$@locales))))) (add-after 'copy-firefox-locales 'copy-basebrowser-locales (lambda _ (let ((l10ncentral ".mozbuild/l10n-central")) @@ -577,7 +567,7 @@ (define (runpaths-of-input label) #f (string-join '("mv" "translation-base-browser/~a/base-browser.ftl" - "~a/~a/browser/browser/")) + "~a/~a/toolkit/toolkit/global/")) lang l10ncentral lang)) (system (format 
@@ -586,7 +576,7 @@ (define (runpaths-of-input label) "translation-base-browser/~a/*" "~a/~a/browser/chrome/browser/")) lang l10ncentral lang))) - (map car #$locales))))) + (list #$@locales))))) (add-after 'copy-basebrowser-locales 'copy-torbrowser-locales (lambda _ (let ((l10ncentral ".mozbuild/l10n-central")) @@ -601,7 +591,7 @@ (define (runpaths-of-input label) #f (string-join '("mv" "translation-tor-browser/~a/tor-browser.ftl" - "~a/~a/browser/browser/")) + "~a/~a/toolkit/toolkit/global/")) lang l10ncentral lang)) (system (format @@ -623,7 +613,7 @@ (define (runpaths-of-input label) (format port " locale/~a/ (chrome/locale/~a/*)~%" lang lang) (close port))) - (map car #$locales))))) + (list #$@locales))))) (replace 'configure (lambda _ (invoke "./mach" "configure"))) @@ -632,14 +622,6 @@ (define (runpaths-of-input label) (substitute* "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl" (("addons.mozilla.org") "gnuzilla.gnu.org")))) - (add-before 'build 'add-bridges ;see deploy.sh - (lambda _ - (let ((port (open-file - "browser/app/profile/000-tor-browser.js" "a"))) - (display - "#include ../../../tools/torbrowser/bridges.js" port) - (newline port) - (close port)))) (replace 'build (lambda* (#:key (make-flags '()) (parallel-build? #t) #:allow-other-keys) @@ -739,7 +721,7 @@ (define (runpaths-of-input label) (copy-recursively (in-vicinity #$assets "fontconfig") (in-vicinity lib "fontconfig")) (substitute* (in-vicinity lib "fontconfig/fonts.conf") - (("fonts") + (("fonts") (format #f "~a" (in-vicinity lib "fonts")))) (delete-file-recursively (in-vicinity lib "fonts")) (copy-recursively (in-vicinity #$assets "fonts") 
@@ -805,11 +787,7 @@ (define (runpaths-of-input label) "https://gnuzilla.gnu.org/mozzarella") (format #t "pref(~s, ~s);~%" "lightweightThemes.getMoreURL" - "https://gnuzilla.gnu.org/mozzarella") - ;; FIXME: https://github.com/NixOS/nixpkgs/issues/307095 - (format #t "pref(~s, ~a);~%" - "widget.use-xdg-desktop-portal.file-picker" - "1")))))) + "https://gnuzilla.gnu.org/mozzarella")))))) (add-after 'autoconfig 'autoconfig-tor (lambda* (#:key inputs #:allow-other-keys) (let ((lib (in-vicinity #$output "lib/torbrowser"))
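
Review bot: in the hunk at @@ -104,63 +104,48 @@, the new firefox-locales package carries a placeholder version (git-version "0.0.0" revision commit) and uses copy-build-system with no #:install-plan, so the whole firefox-l10n checkout is copied into the store item although only the locales listed in %torbrowser-locales are read later. Since it is only a pinned source tree, consider defining it as a plain origin, the way torbrowser-translation-base is defined just below, or add an install plan restricted to the supported locales. The synopsis "Firefox Locales" should also be a short lowercase-style description rather than a title.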
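
Review bot: in the hunk at @@ -238,10 +227,11 @@, firefox-locales is added to inputs, but the only visible consumer is the copy-firefox-locales phase, which copies its directories into .mozbuild/l10n-central at build time. That makes it a build-time dependency, so it belongs in native-inputs (with this-package-native-input in the phase), or it can be referenced directly from the gexp if it becomes an origin. Keeping it in inputs misstates what the built browser needs at run time.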
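
Review bot: in the hunks at @@ -577,7 +567,7 @@ and @@ -601,7 +591,7 @@, base-browser.ftl and tor-browser.ftl are now moved to "~a/~a/toolkit/toolkit/global/" through (system (format #f ...)) whose exit status is not checked. If that directory is missing for any locale in the new firefox-locales tree, the mv fails silently and the build continues without the Tor Browser strings for that locale. Please use invoke, or check the status returned by system, so a wrong destination path fails the build. A short comment saying why the fluent files moved from browser/browser/ to toolkit/toolkit/global/ would help the next update.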
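
Review bot: in the hunk at @@ -632,14 +622,6 @@, the add-bridges phase that appended "#include ../../../tools/torbrowser/bridges.js" to browser/app/profile/000-tor-browser.js is removed with no explanation in the code, and the commit message only says "Remove add-bridges". Please state why it is no longer needed in 13.5.1 and confirm that the built-in bridge list is still shipped by some other route, since users relying on built-in bridges would otherwise lose them without any build error.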