[bug#78249,3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Contains fixes for:
CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation
in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
138
* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version.
Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
gnu/packages/librewolf.scm | 12 ++++++------
.../patches/torbrowser-compare-paths.patch | 17 ++++-------------
2 files changed, 10 insertions(+), 19 deletions(-)
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
(define-public librewolf
(package
(name "librewolf")
- (version "137.0.2-1")
+ (version "138.0.1-2")
(source
(make-librewolf-source
#:version version
- #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
- #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+ #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q"
+ #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z"
#:l10n firefox-l10n))
(build-system gnu-build-system)
(arguments
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
libxt
mesa
mit-krb5
- nspr
+ nspr-4.36
nss-rapid
pango
pciutils
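Review bot: The switch from `nspr` to the version-pinned `nspr-4.36` in this inputs list has no comment saying why the default package is not enough, and the same applies to `rust-cbindgen-0.28` in the native-inputs hunk that follows. A pinned variant is easy to overlook when the unversioned `nspr` later receives security updates, so the browser could end up built against an older NSPR than the rest of the distribution; presumably 138 requires at least 4.36, but nothing visible here establishes that. I would add a line such as `;; LibreWolf 138 needs NSPR >= 4.36 (TODO confirm); switch back to 'nspr' once the default catches up.` above the entry, with a matching note for cbindgen. The inputs list itself starts and ends outside the hunk.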
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
pkg-config
python
rust-librewolf
- rust-cbindgen-0.26
+ rust-cbindgen-0.28
which
yasm))
(native-search-paths
@@ -5,20 +5,11 @@ name.
--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3606,6 +3606,7 @@
+@@ -3753,6 +3753,7 @@
if (
newAddon ||
oldAddon.updateDate != xpiState.mtime ||
+ oldAddon.path != xpiState.path ||
- (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
- ) {
- newAddon = this.updateMetadata(
-@@ -3614,8 +3615,6 @@
- xpiState,
- newAddon
- );
-- } else if (oldAddon.path != xpiState.path) {
-- newAddon = this.updatePath(installLocation, oldAddon, xpiState);
- } else if (aUpdateCompatibility || aSchemaChange) {
- newAddon = this.updateCompatibility(
- installLocation,
+ (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+ // update addon metadata if the addon in bundled into
+ // the omni jar and version or the resource URI pointing