From patchwork Sun May 4 23:19:32 2025
X-Patchwork-Submitter: Ian Eure
X-Patchwork-Id: 42304
Subject: [bug#78249] [PATCH 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
To: 78249@debbugs.gnu.org
Cc: Ian Eure
From: Ian Eure
Date: Sun, 4 May 2025 16:19:32 -0700
Message-ID: <20250504231932.20519-4-ian@retrospec.tv>
In-Reply-To: <20250504231932.20519-1-ian@retrospec.tv>
References: <20250504231932.20519-1-ian@retrospec.tv>

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API redirects
CVE-2025-4089: Potential local code execution in "copy as cURL" command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new
version.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm | 12 ++++++------
 .../patches/torbrowser-compare-paths.patch | 17 ++++-------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd1..8a8dbd05ad 100644
--- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.1-2") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q" + #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch index 7d4d5fdb78..8e880bf390 100644 --- a/gnu/packages/patches/torbrowser-compare-paths.patch +++ b/gnu/packages/patches/torbrowser-compare-paths.patch @@ -5,20 +5,11 @@ name. --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs 
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs -@@ -3606,6 +3606,7 @@ +@@ -3753,6 +3753,7 @@ if ( newAddon || oldAddon.updateDate != xpiState.mtime || + oldAddon.path != xpiState.path || - (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) - ) { - newAddon = this.updateMetadata( -@@ -3614,8 +3615,6 @@ - xpiState, - newAddon - ); -- } else if (oldAddon.path != xpiState.path) { -- newAddon = this.updatePath(installLocation, oldAddon, xpiState); - } else if (aUpdateCompatibility || aSchemaChange) { - newAddon = this.updateCompatibility( - installLocation, + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing
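Review bot: In the first librewolf.scm hunk (@@ -207,17 +207,17 @@), the comment above %librewolf-build-id does not say which timestamp the new value "20250502155055" should come from. It asks for the release date, but its example, date '+%Y%m%d%H%M%S', yields the packager's local time at the moment of the update. Since the comment itself warns that this id is used for cache validation and can lead to strange bugs, please state in the comment whether the id is the upstream release timestamp or the packaging time, and in which timezone, so the value can be checked by the next person who bumps it. The two new base32 hashes cannot be checked from the patch alone; a reviewer should rebuild the source derivation for 138.0.1-2 to confirm them.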
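Review bot: The two input changes in librewolf.scm (@@ -639,7 +639,7 @@ nspr to nspr-4.36, and @@ -665,7 +665,7 @@ rust-cbindgen-0.26 to rust-cbindgen-0.28) are not mentioned in the commit log, which only says "(librewolf): Update to 138.0.1-2." Please add entries for them, for example "[inputs]: Replace nspr with nspr-4.36." and "[native-inputs]: Replace rust-cbindgen-0.26 with rust-cbindgen-0.28." A short code comment next to nspr-4.36 saying why the pinned variant is needed would also help, so the pin can be dropped once the default nspr is new enough. Since nss-rapid stays on the next line, it is worth confirming that it is built against the same NSPR version, so the browser does not end up with two NSPR copies in its closure.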
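Review bot: In torbrowser-compare-paths.patch, the rewritten hunk (@@ -3753,6 +3753,7 @@) still adds "oldAddon.path != xpiState.path ||" to the first condition, but it no longer removes the "else if (oldAddon.path != xpiState.path)" branch that called this.updatePath(). Please confirm that this branch is gone from XPIDatabase.sys.mjs in the 138 sources. If it is still there, it is now unreachable, because the first condition already catches a changed path, and the patch should either keep removing it or say in its header why it is left in place. Also, the file name suggests this patch is shared with the torbrowser package. If any other package still applies it to an older Firefox base, the new line offsets and context lines will not match there, so either check that those packages still build or give librewolf its own copy of the patch.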