[bug#73742] gnu: librewolf: Update to 131.0.2-1 [security fixes].
Commit Message
Updates the package and changes how the .desktop file is generated. The
.desktop file the package had been using was removed upstream.
Fixes:
CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline
* gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.
Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
---
gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
1 file changed, 13 insertions(+), 22 deletions(-)
Comments
user guix
usertag 73742 + reviewed-looks-good
thanks
Applies and builds fine, works fine. This is probably quite critical
as there is a vulnerability that is reported to be exploited
in the wild by Mozilla regarding animations.
See https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680
Apart from the security fixes, this seems to also fix sound
problems for me that I had with the previous version. Or maybe
some dependency update caused this, not sure.
Regards,
Rutherther
Hi Ian,
Thanks for the patch, I'll make two minor changes (see details below) when
pushing it.
On Fri, 11 Oct 2024 12:42:18 +0800,
Ian Eure wrote:
>
> Updates the package and changes how the .desktop file is generated. The
> .desktop file the package had been using was removed upstream.
>
> Fixes:
>
> CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
> for Android
> CVE-2024-9392: Compromised content process can bypass site isolation
> CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
> CVE-2024-9394: Cross-origin access to JSON contents through multipart
> responses
> CVE-2024-9395: Specially crafted filename could be used to obscure download
> type
> CVE-2024-9396: Potential memory corruption may occur when cloning certain
> objects
> CVE-2024-9397: Potential directory upload bypass via clickjacking
> CVE-2024-9398: External protocol handlers could be enumerated via popups
> CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
> service
> CVE-2024-9400: Potential memory corruption during JIT compilation
> CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
> Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
> Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
> CVE-2024-9680: Use-after-free in Animation timeline
>
> * gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.
>
> Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
> ---
> gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
> 1 file changed, 13 insertions(+), 22 deletions(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 31de7a7171..4b91132d9b 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
> ;; Update this id with every update to its release date.
> ;; It's used for cache validation and therefore can lead to strange bugs.
> ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20241005085731")
> +(define %librewolf-build-id "20241010143544")
>
> (define-public librewolf
> (package
> (name "librewolf")
> - (version "130.0.1-1")
> + (version "131.0.2-1")
> (source
> (origin
> (inherit (make-librewolf-source
> #:version version
> - #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
> - #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
> + #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
> + #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
> (build-system gnu-build-system)
> (arguments
> (list
> @@ -619,33 +619,24 @@ (define (runpaths-of-input label)
> (add-after 'wrap-program 'install-desktop-entry
> (lambda* (#:key outputs #:allow-other-keys)
> (let* ((desktop-file
> - "taskcluster/docker/firefox-snap/firefox.desktop")
> + "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
> (applications (string-append #$output
> "/share/applications")))
> (substitute* desktop-file
> - (("^Exec=firefox")
> + (("^Exec=@MOZ_APP_NAME@")
> (string-append "Exec="
> #$output "/bin/librewolf"))
1. Add a %u[1] after "/bin/librewolf".
[1]: https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html
> - ;; "Firefox" -> "LibreWolf" everywhere
> - (("Firefox")
> + (("@MOZ_APP_DISPLAYNAME@")
> "LibreWolf")
> - ;; Remove non-Latin translations.
> - (("^Name\\[(ar|bn)\\].*$")
> - "")
> - (("^Icon=.*")
> + (("@MOZ_APP_REMOTINGNAME@")
> + "LibreWolf")
> + (("^Icon=@MOZ_APP_NAME@")
> (string-append "Icon="
> #$output
> - "/share/icons/hicolor/128x128/apps/librewolf.png
> -"))
> - ;; These commands were changed.
> - (("-NewWindow")
> - "-new-window")
> - (("-NewPrivateWindow")
> - "-new-private-window")
> - (("StartupNotify=true")
> - "StartupNotify=true\nStartupWMClass=LibreWolf"))
> + "/share/icons/hicolor/128x128/apps/librewolf.png")))
> +
> (copy-file desktop-file "librewolf.desktop")
> - (install-file "librewolf.desktop" applications))))
> + (install-file "librewolf.desktop" (string-append applications)))))
2. Remove this string-append.
> (add-after 'install-desktop-entry 'install-icons
> (lambda* (#:key outputs #:allow-other-keys)
> (let ((icon-source-dir (string-append #$output
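Review bot: the removed rules at the end of the `substitute*` block did three things the added lines do not visibly replace: injecting `StartupWMClass=LibreWolf` after `StartupNotify=true`, rewriting `-NewWindow`/`-NewPrivateWindow` to `-new-window`/`-new-private-window`, and blanking the `Name[ar]`/`Name[bn]` entries. The commit message says only that the old .desktop file was removed upstream, so state there (or in a comment next to the new `desktop-file` path) that the new template already covers these, and confirm it against the generated librewolf.desktop.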
> --
> 2.46.0
>
>
>
>
Hi Ian, and Rutherther, thank you for the review.
Applied as cdb262e993a2ffdf49f7995cc12fa523d4578c05 with changes mentioned in my
previous mail.
Thanks
@@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241005085731")
+(define %librewolf-build-id "20241010143544")
(define-public librewolf
(package
(name "librewolf")
- (version "130.0.1-1")
+ (version "131.0.2-1")
(source
(origin
(inherit (make-librewolf-source
#:version version
- #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
- #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
+ #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
+ #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
(build-system gnu-build-system)
(arguments
(list
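Review bot: the comment above `%librewolf-build-id` gives only the timestamp format (`date '+%Y%m%d%H%M%S'`) and not which release date the value has to track, so `20241010143544` cannot be checked against anything in this hunk. Since the same comment warns that a wrong id leads to cache-validation bugs, name the upstream source of the timestamp there so each version bump can be verified in review.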
@@ -619,33 +619,24 @@ (define (runpaths-of-input label)
(add-after 'wrap-program 'install-desktop-entry
(lambda* (#:key outputs #:allow-other-keys)
(let* ((desktop-file
- "taskcluster/docker/firefox-snap/firefox.desktop")
+ "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
(applications (string-append #$output
"/share/applications")))
(substitute* desktop-file
- (("^Exec=firefox")
+ (("^Exec=@MOZ_APP_NAME@")
(string-append "Exec="
#$output "/bin/librewolf"))
- ;; "Firefox" -> "LibreWolf" everywhere
- (("Firefox")
+ (("@MOZ_APP_DISPLAYNAME@")
"LibreWolf")
- ;; Remove non-Latin translations.
- (("^Name\\[(ar|bn)\\].*$")
- "")
- (("^Icon=.*")
+ (("@MOZ_APP_REMOTINGNAME@")
+ "LibreWolf")
+ (("^Icon=@MOZ_APP_NAME@")
(string-append "Icon="
#$output
- "/share/icons/hicolor/128x128/apps/librewolf.png
-"))
- ;; These commands were changed.
- (("-NewWindow")
- "-new-window")
- (("-NewPrivateWindow")
- "-new-private-window")
- (("StartupNotify=true")
- "StartupNotify=true\nStartupWMClass=LibreWolf"))
+ "/share/icons/hicolor/128x128/apps/librewolf.png")))
+
(copy-file desktop-file "librewolf.desktop")
- (install-file "librewolf.desktop" applications))))
+ (install-file "librewolf.desktop" (string-append applications)))))
(add-after 'install-desktop-entry 'install-icons
(lambda* (#:key outputs #:allow-other-keys)
(let ((icon-source-dir (string-append #$output
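Review bot: in the `substitute*` block, every new pattern matches a literal template placeholder (`^Exec=@MOZ_APP_NAME@`, `@MOZ_APP_DISPLAYNAME@`, `@MOZ_APP_REMOTINGNAME@`, `^Icon=@MOZ_APP_NAME@`), and `substitute*` does not fail when a pattern matches nothing. If upstream renames a placeholder, or the template carries one that is not listed here, the raw `@...@` token is installed in librewolf.desktop and the launcher ends up naming a command or icon that does not exist. Consider a check after the substitution that fails the phase when the file still contains `@MOZ_`, so the next template change is caught at build time rather than on the user's desktop.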