From patchwork Thu May 15 05:11:13 2025
X-Patchwork-Submitter: Ian Eure
X-Patchwork-Id: 42620
Subject: [bug#78249] [PATCH v4 3/3] gnu: librewolf: Update to 138.0.3-1 [security fixes].
To: 78249@debbugs.gnu.org
Cc: Ian Eure
From: Ian Eure
Date: Wed, 14 May 2025 22:11:13 -0700
Message-ID: <20250515051113.2978-3-ian@retrospec.tv>
In-Reply-To: <20250515051113.2978-1-ian@retrospec.tv>
References: <20250515051113.2978-1-ian@retrospec.tv>

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API redirects
CVE-2025-4089: Potential local code execution in "copy as cURL" command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                        | 14 +++++++-------
 .../patches/librewolf-compare-paths.patch         | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd15..063a89420fe 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -191,7 +191,7 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n) #$output))))) (patches (search-patches - "torbrowser-compare-paths.patch" + "librewolf-compare-paths.patch" "librewolf-use-system-wide-dir.patch" "librewolf-add-store-to-rdd-allowlist.patch"))))) @@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.3-1") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2" + #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch new file mode 100644 index 00000000000..8e880bf3908 --- /dev/null +++ b/gnu/packages/patches/librewolf-compare-paths.patch 
@@ -0,0 +1,15 @@ +See comment in gnu/build/icecat-extension.scm. +This is only needed while icecat and torbrowser remain on +different ESR versions as the patched file has changed its +name. + +--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs ++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs +@@ -3753,6 +3753,7 @@ + if ( + newAddon || + oldAddon.updateDate != xpiState.mtime || ++ oldAddon.path != xpiState.path || + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing
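
Review bot: In the `search-patches` list of `make-librewolf-source` (gnu/packages/librewolf.scm, hunk at line 191), the new "librewolf-compare-paths.patch" is referenced, but the diffstat shows only two files changed, so gnu/local.mk is not touched by this patch. Unless another patch in the series already does it, add gnu/packages/patches/librewolf-compare-paths.patch to the patch list in gnu/local.mk so the file is distributed with the package definitions.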
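
Review bot: The input changes in the gnu/packages/librewolf.scm hunks at lines 639 and 665 (`nspr` to `nspr-4.36`, `rust-cbindgen-0.26` to `rust-cbindgen-0.28`) are not recorded in the commit log, which only says "(librewolf): Update to 138.0.3-1." Please list them there, together with the `%librewolf-build-id` bump and the patch swap in `make-librewolf-source`, and note why the unversioned `nspr` no longer suffices so the version pin can be dropped later.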
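
Review bot: The header comment of the new gnu/packages/patches/librewolf-compare-paths.patch still speaks only of icecat and torbrowser ("This is only needed while icecat and torbrowser remain on different ESR versions") and never mentions librewolf. Reword it to say why librewolf needs its own copy instead of torbrowser-compare-paths.patch and under what condition the copy can be removed; the pointer to gnu/build/icecat-extension.scm can stay.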