From patchwork Sat Mar 8 17:40:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Eure X-Patchwork-Id: 39942 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id B14FF27BBE2; Sat, 8 Mar 2025 17:41:22 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL, RCVD_IN_VALIDITY_SAFE,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CE2C027BBE9 for ; Sat, 8 Mar 2025 17:41:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tqyAe-0002Fp-0V; Sat, 08 Mar 2025 12:41:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tqyAb-0002BX-Aj for guix-patches@gnu.org; Sat, 08 Mar 2025 12:41:05 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tqyAa-0001qs-0E for guix-patches@gnu.org; Sat, 08 Mar 2025 12:41:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=gor+TGpcrIaOShOgPYWi/kdtxwPvWgxZl1J2CZGYZBI=; b=O/snM1I/AaUq0we0ACGcbr4aspwilU66veK3LNuk2yRecaH9gnQhzj+TYIZ08lUiehRVDQqAQvN08xNG4txKVTNIR2+i6WLo+IK+XX92dVewq/bFQ5JWivsR5bNzuvr+Vu+lVF03XjJoyT+ZAH+FHNcdwK3yeu5f5rTnc+GcNsMN20lFLFFdjhGrez1CMZNpCdx7hAvqJPAiicr5njwoMiHIle7Bjlpc7HViNwG0yBmc2xasRCeO3/GYiGZ0i4i87EQwlnS0QVh7EdECKVK7/C4UUSQjgG4QfSzIp8XSRUdPx8bX3nMvTD7z18cUCROxI9/pc5/5yn8pSxzJq74Clg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tqyAZ-0003FX-RP for guix-patches@gnu.org; Sat, 08 Mar 2025 12:41:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#76869] [PATCH 3/3] gnu: librewolf: Update to 136.0-2 [security fixes]. Resent-From: Ian Eure Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 08 Mar 2025 17:41:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 76869 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 76869@debbugs.gnu.org Cc: Ian Eure Received: via spool by 76869-submit@debbugs.gnu.org id=B76869.174145563012394 (code B ref 76869); Sat, 08 Mar 2025 17:41:03 +0000 Received: (at 76869) by debbugs.gnu.org; 8 Mar 2025 17:40:30 +0000 Received: from localhost ([127.0.0.1]:56676 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tqyA1-0003Dq-JE for submit@debbugs.gnu.org; Sat, 08 Mar 2025 12:40:30 -0500 Received: from fout-a8-smtp.messagingengine.com ([103.168.172.151]:39503) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1tqy9t-0003D3-QP for 76869@debbugs.gnu.org; Sat, 08 Mar 2025 12:40:22 -0500 Received: from phl-compute-08.internal (phl-compute-08.phl.internal [10.202.2.48]) by mailfout.phl.internal (Postfix) with ESMTP id 9FCFE138114B; Sat, 8 Mar 2025 12:40:16 -0500 (EST) Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-08.internal (MEProxy); Sat, 08 Mar 2025 12:40:16 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h= cc:cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm3; t=1741455616; x= 1741542016; bh=gor+TGpcrIaOShOgPYWi/kdtxwPvWgxZl1J2CZGYZBI=; b=I pZPeux5seX47sZBfqKESakpjbSgRcZvEc45GgTSSeFTsk2puqGMDMqxv+42WidVx J2cOxna7NOtNlzdKOxcMsdEHLw5ejVTWgFbzw7x9Ow2Z5DHsjUg8be/ht1HfYeu/ i6K3kTCoZKugY7i7Jn/LjJhI0RhZJ/8tkMLbQezTaV0a/Lt/J0ggBQhagouCQ866 uHFPX0+d4XMjwvbXbUgfP0+MqIGwH3pZVrCpxT8aQ6x0QINRpysoW1wbcwkSPWLq 9cEmC19qNqnxRAh4/YoIuMb0ZGFvNPhxsZulEX+Rm3pNmBwEd9C2my9dsJmbwe5u eizffyJyZ2vITgDes4Ayw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1741455616; x=1741542016; bh=g or+TGpcrIaOShOgPYWi/kdtxwPvWgxZl1J2CZGYZBI=; b=LUUrwJikU8V3efmu5 bi+RyRJcFGbtOkQi5/VHfvoLeAH0G5T/B3nksYlJHU7H519ICsTaTjJ3f5LN0xJR u7ANCJqwDDfieoZhGjjEUodq7nJNEXafBC1ec05IPfKhkwjkTyUHBvpSqwYcumkM aax03UM9cdgLXkdncnKJ2eA9IYDsoaWPkZQGiO4YZOrftLkeVb175kjCbVe3ImXl F3CIphzCjOrhM2VhIawOcRqZ30LSTUutGifRNRr2Y1TkMkL6TkwEapqUfmFa/pch Sn5QoOCOMyeOLBcTOeI8RoBzHnAG/cJAr2Rs3wrYMf13EdIfVv5hDOpvlneUBiaa BQBqg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgdduudegudekucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvf evufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefkrghnucfguhhrvgcuoehi rghnsehrvghtrhhoshhpvggtrdhtvheqnecuggftrfgrthhtvghrnhepgeehieeivdefgf ffvdektedthfejtdeguedvvddtfeevfeelvdffvdefjefgtddunecuffhomhgrihhnpehm ohiiihhllhgrrdhorhhgpdhsihhmphhlvghshihsthgvmhhsrdhorhhgnecuvehluhhsth gvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepihgrnhesrhgvthhrohhs phgvtgdrthhvpdhnsggprhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtph htthhopeejieekieelseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtohepihgr nhesrhgvthhrohhsphgvtgdrthhv X-ME-Proxy: Feedback-ID: id9014242:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 8 Mar 2025 12:40:15 -0500 (EST) From: Ian Eure Date: Sat, 8 Mar 2025 09:40:10 -0800 Message-ID: <20250308174010.21764-3-ian@retrospec.tv> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250308174010.21764-1-ian@retrospec.tv> References: <20250308174010.21764-1-ian@retrospec.tv> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the Browser process CVE-2025-1939: Tapjacking in Android Custom Tabs using transition animations CVE-2025-1931: Use-after-free in WebTransportChild CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds access CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs CVE-2025-1940: Android Intent confirmation prompt tapjacking using Select options CVE-2024-9956: Passkey phishing within Bluetooth range CVE-2025-1934: Unexpected GC during RegExp bailout processing CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase() causes string to get longer CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8 CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8 CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird 136 * gnu/packages/librewolf.scm (librewolf): Update to 136.0-2. Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf --- gnu/packages/librewolf.scm | 58 +++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 7 deletions(-) diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index 7a356b6d91..f65e8bc69f 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -200,23 +200,56 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n) ;;; but since in Guix only the latest packaged Rust is officially supported, ;;; it is a tradeoff worth making. ;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html -;; 135.0 wants 1.83, but it's not available in Guix yet. +;; 136.0 wants 1.84, but it's not available in Guix yet. (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250209210057") +(define %librewolf-build-id "20250306064037") + +;; Temporary, until 76798 merges into core-packages-team, and that merges into +;; master. +(define libpng-apng-for-librewolf + (hidden-package + (package + (inherit libpng-apng) + (version "1.6.46") + (source + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/libpng/libpng16/" + version "/libpng-" version ".tar.xz") + (string-append + "ftp://ftp.simplesystems.org/pub/libpng/png/src" + "/libpng16/libpng-" version ".tar.xz") + (string-append + "ftp://ftp.simplesystems.org/pub/libpng/png/src/history" + "/libpng16/libpng-" version ".tar.xz"))) + (sha256 + (base32 + "1cbwf20zlm4gcv8rpjivkngrjgl5366w21lr9qmbk2lr0dq8papk")))) + (inputs + (modify-inputs (package-inputs libpng-apng) + (replace "apng" + (origin + (method url-fetch) + (uri + (string-append "mirror://sourceforge/libpng-apng/libpng16/" + version "/libpng-" version "-apng.patch.gz")) + (sha256 + (base32 + "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9"))))))))) (define-public librewolf (package (name "librewolf") - (version "135.0-1") + (version "136.0-2") (source (make-librewolf-source #:version version - #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2" - #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk" + #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv" + #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -392,6 +425,17 @@ (define (write-setting key value) (lambda _ (setenv "MOZ_BUILD_DATE" #$%librewolf-build-id))) + ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380 + (add-before 'configure 'patch-icu-lookup + (lambda _ + (let* ((file "js/moz.configure") + (old-content (call-with-input-file file get-string-all))) + (substitute* file + (("icu-i18n >= 76.1" all) + (string-append all ", icu-uc >= 76.1"))) + (if (string=? old-content + (pk (call-with-input-file file get-string-all))) + (error "substitute did nothing, phase requires an update"))))) (replace 'configure (lambda* (#:key inputs outputs configure-flags #:allow-other-keys) @@ -671,7 +715,7 @@ (define (runpaths-of-input label) gtk+ gtk+-2 hunspell - icu4c-75 + icu4c-76 jemalloc libcanberra libevent @@ -679,7 +723,7 @@ (define (runpaths-of-input label) libgnome libjpeg-turbo libnotify - libpng-apng + libpng-apng-for-librewolf libva libvpx libwebp