[bug#76671,3/3] gnu: librewolf: Update to 136.0-2 [security fixes].
Commit Message
CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
the Browser process
CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
animations
CVE-2025-1931: Use-after-free in WebTransportChild
CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
out-of-bounds access
CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940: Android Intent confirmation prompt tapjacking using
Select options
CVE-2024-9956: Passkey phishing within Bluetooth range
CVE-2025-1934: Unexpected GC during RegExp bailout processing
CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
causes string to get longer
CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
the interpretation of the contents
CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 115.21, Firefox ESR 128.8, and
Thunderbird 128.8
CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
136
* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.
Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
---
gnu/packages/librewolf.scm | 58 +++++++++++++++++++++++++++++++++-----
1 file changed, 51 insertions(+), 7 deletions(-)
@@ -200,23 +200,56 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
;;; but since in Guix only the latest packaged Rust is officially supported,
;;; it is a tradeoff worth making.
;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
-;; 135.0 wants 1.83, but it's not available in Guix yet.
+;; 136.0 wants 1.84, but it's not available in Guix yet.
(define rust-librewolf rust-1.82)
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250209210057")
+(define %librewolf-build-id "20250306064037")
+
+;; Temporary, until 76798 merges into core-packages-team, and that merges into
+;; master.
+(define libpng-apng-for-librewolf
+ (hidden-package
+ (package
+ (inherit libpng-apng)
+ (version "1.6.46")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
+ version "/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+ "/libpng16/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
+ "/libpng16/libpng-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1cbwf20zlm4gcv8rpjivkngrjgl5366w21lr9qmbk2lr0dq8papk"))))
+ (inputs
+ (modify-inputs (package-inputs libpng-apng)
+ (replace "apng"
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append "mirror://sourceforge/libpng-apng/libpng16/"
+ version "/libpng-" version "-apng.patch.gz"))
+ (sha256
+ (base32
+ "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
(define-public librewolf
(package
(name "librewolf")
- (version "135.0-1")
+ (version "136.0-2")
(source
(make-librewolf-source
#:version version
- #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
- #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
+ #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
+ #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
#:l10n firefox-l10n))
(build-system gnu-build-system)
(arguments
@@ -392,6 +425,17 @@ (define (write-setting key value)
(lambda _
(setenv "MOZ_BUILD_DATE"
#$%librewolf-build-id)))
+ ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
+ (add-before 'configure 'patch-icu-lookup
+ (lambda _
+ (let* ((file "js/moz.configure")
+ (old-content (call-with-input-file file get-string-all)))
+ (substitute* file
+ (("icu-i18n >= 76.1" all)
+ (string-append all ", icu-uc >= 76.1")))
+ (if (string=? old-content
+ (pk (call-with-input-file file get-string-all)))
+ (error "substitute did nothing, phase requires an update")))))
(replace 'configure
(lambda* (#:key inputs outputs configure-flags
#:allow-other-keys)
@@ -671,7 +715,7 @@ (define (runpaths-of-input label)
gtk+
gtk+-2
hunspell
- icu4c-75
+ icu4c-76
jemalloc
libcanberra
libevent
@@ -679,7 +723,7 @@ (define (runpaths-of-input label)
libgnome
libjpeg-turbo
libnotify
- libpng-apng
+ libpng-apng-for-librewolf
libva
libvpx
libwebp