From patchwork Wed May 7 23:05:16 2025
X-Patchwork-Submitter: Ian Eure
X-Patchwork-Id: 42377
Subject: [bug#78249] [PATCH v2 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
To: 78249@debbugs.gnu.org
Cc: Ian Eure
From: Ian Eure
Date: Wed, 7 May 2025 16:05:16 -0700
Message-ID: <20250507230516.3882-3-ian@retrospec.tv>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250507230516.3882-1-ian@retrospec.tv>
References: <20250507230516.3882-1-ian@retrospec.tv>

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API redirects
CVE-2025-4089: Potential local code execution in "copy as cURL" command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm | 12 ++++++------
 .../patches/torbrowser-compare-paths.patch | 17 ++++-------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd1..8a8dbd05ad 100644
--- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.1-2") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q" + #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch index 7d4d5fdb78..8e880bf390 100644 --- a/gnu/packages/patches/torbrowser-compare-paths.patch +++ b/gnu/packages/patches/torbrowser-compare-paths.patch @@ -5,20 +5,11 @@ name. --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs 
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs -@@ -3606,6 +3606,7 @@ +@@ -3753,6 +3753,7 @@ if ( newAddon || oldAddon.updateDate != xpiState.mtime || + oldAddon.path != xpiState.path || - (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) - ) { - newAddon = this.updateMetadata( -@@ -3614,8 +3615,6 @@ - xpiState, - newAddon - ); -- } else if (oldAddon.path != xpiState.path) { -- newAddon = this.updatePath(installLocation, oldAddon, xpiState); - } else if (aUpdateCompatibility || aSchemaChange) { - newAddon = this.updateCompatibility( - installLocation, + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing
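
Review bot: In the librewolf.scm hunk at @@ -207,17, the new %librewolf-build-id "20250502155055" cannot be checked against anything in the patch or the commit message, although the comment directly above it says the id is used for cache validation and "can lead to strange bugs". Please state in the commit message which release timestamp the value was taken from, so that it can be compared with the 138.0.1-2 release in the same pass as recomputing the two new #:firefox-hash and #:librewolf-hash values.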
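
Review bot: In the input list at @@ -639,7, `nspr` is replaced by the version-suffixed `nspr-4.36` with no comment saying why, and the commit log entry for (librewolf) only says "Update to 138.0.1-2". A separately named variable does not follow later updates of `nspr`, so a short comment giving the minimum version this release requires would tell the next updater when the pin can be dropped. The commit log should also list both input changes, this one and `rust-cbindgen-0.26` to `rust-cbindgen-0.28` at @@ -665,7, and it is worth confirming that both new variables are defined by the earlier patches of this 3-part series.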
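
Review bot: In the torbrowser-compare-paths.patch hunk, the adjusted patch no longer carries the second inner hunk that deleted `} else if (oldAddon.path != xpiState.path) {` and its `this.updatePath(installLocation, oldAddon, xpiState)` call, and the commit message ("Adjust for new version") does not say why. With `oldAddon.path != xpiState.path ||` still added to the first condition, that branch can never be taken if it still exists in the 138 source, so please confirm whether upstream removed it or whether the deletion was dropped only to make the patch apply, and record which in the commit message. The file name also suggests the patch may be shared with a torbrowser package; if so, check that the new inner offset @@ -3753,6 +3753,7 @@ and the changed context lines still apply to that package's source.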