From patchwork Sun May  4 23:19:30 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Eure <ian@retrospec.tv>
X-Patchwork-Id: 42303
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 63D2127BC4B; Mon,  5 May 2025 00:20:16 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id BCBAA27BC49
	for <patchwork@mira.cbaines.net>; Mon,  5 May 2025 00:20:15 +0100 (BST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1uBicz-0007jz-QZ; Sun, 04 May 2025 19:20:10 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBicv-0007ip-Jd
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:06 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBics-0004Y8-Fx
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org;
 h=MIME-Version:References:In-Reply-To:Date:From:To:Subject;
 bh=nuVsU1Tfvz2ogHhqXDLH3VIqkIInhRTA7dvEFOj0G/4=;
 b=i7t46fIOceeYWC3egsSoD6GWBuJ8wvFgYOIYfQzcJ0+z4jK3mhJrjVGwSW53MGSaBNlIAEy4g60ETznjyerPpIFgs5HJx+8F19NQThRoySEQOKsEyKWL5AXERKc4MGhzri46VyM89LAq08daIjM3rRJGkYiW2Q/CoY3vGJJ0QZZwyQv2k0wGzcbRthcDFL/wOpYWEpR82XEGuGxY2I2cW1l4siJdiFC1r5BvGf5sSYrGEoRocFikBhpE9cBsPedU92C2V3uSAvkc7RbheAW4NCppu1abGMmrmcgVSqP1JVFxVleF8aG6FLlH99KjP7T1+x0CAYhOb7GdPQJYUAl5sw==;
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1uBics-00085H-B9
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#78249] [PATCH] gnu: librewolf: Update to 137.0-1 [security
 fixes].
Resent-From: Ian Eure <ian@retrospec.tv>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 04 May 2025 23:20:02 +0000
Resent-Message-ID: <handler.78249.B78249.174640078631020@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 78249
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 78249@debbugs.gnu.org
Cc: Ian Eure <ian@retrospec.tv>
Received: via spool by 78249-submit@debbugs.gnu.org id=B78249.174640078631020
 (code B ref 78249); Sun, 04 May 2025 23:20:02 +0000
Received: (at 78249) by debbugs.gnu.org; 4 May 2025 23:19:46 +0000
Received: from localhost ([127.0.0.1]:35030 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1uBicb-000846-Cx
 for submit@debbugs.gnu.org; Sun, 04 May 2025 19:19:46 -0400
Received: from fhigh-b1-smtp.messagingengine.com ([202.12.124.152]:60525)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ian@retrospec.tv>) id 1uBicZ-00083b-60
 for 78249@debbugs.gnu.org; Sun, 04 May 2025 19:19:43 -0400
Received: from phl-compute-04.internal (phl-compute-04.phl.internal
 [10.202.2.44])
 by mailfhigh.stl.internal (Postfix) with ESMTP id C0563254022B;
 Sun,  4 May 2025 19:19:37 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163])
 by phl-compute-04.internal (MEProxy); Sun, 04 May 2025 19:19:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h=
 cc:cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to; s=fm2; t=1746400777; x=
 1746487177; bh=nuVsU1Tfvz2ogHhqXDLH3VIqkIInhRTA7dvEFOj0G/4=; b=o
 qgJD/kSZK0MNzf2vnKkpW24tjRvjkjwmqZ/hrMTQNEjjjn+uTa6dIDaLbw/S7wVB
 6L2VEchroqv4iC78Oxx0CfhZowl/x2nR1Dyo3mLE61oCeIf3j0SiDodZ+U5ChnVM
 EphudN8uKCE33sShO2xfDXUql0Dv1l7uSadK/MEh7mlbLIQaNibHSgV2Wd6JdzFs
 5f2bE9bvc4zQS8XpyH6r3wPBpGjc55fe/KWfIQRoByg4LXtvZU+sD+12GLwXW6Cs
 DY3OD1kUlc5HnAL4kdLI2TZyhh2acGrqMTbdw7mROfmFPsaj31J91DFg8g4LSNDM
 qNBFbqI8Nq9G0hhhUKBDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:feedback-id:feedback-id:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; t=1746400777; x=1746487177; bh=n
 uVsU1Tfvz2ogHhqXDLH3VIqkIInhRTA7dvEFOj0G/4=; b=dzfF3tuqgg74seTie
 c++9A6fHKxkKBYNCJhYP/wQ9f5gkRJeqze9QOrYBP+7oaix18Y0+yaGLuKFgRUk1
 DBagawqYiakVwOnKxk7kqQxk1dodHmcq4gYwj0cV4T8xtmK2NC2PQ3i1ycNP7XnI
 aybkCVgckpEqZa8g/JmX6l3k6/N+axMwhN4uPBpkYbxJmiXanNyXoKQDxBDRL+SL
 2hfKJT15K2aIxNYy0v7TBBHB5w8qQFUe5/xjtnr0jYJYdV1g/TpSZxTeYeTdlMqu
 GCBKsucY251yeXyu6XB+u7Ege5VOGltKsh6MT+aalxyjTOI/4zYGMdSL6pm7BaEd
 nb3tA==
X-ME-Sender: <xms:CfYXaHGLIUAzYGu5DL4ar2sw4qFgHzKOJDCobjXKiWxmQ0Kf4LDIog>
 <xme:CfYXaEUBskNjAO3WIsMlvN8nbN0mx6uRzCoEn79jAmJbB2zhfc7lJl5GI_G6XbwtC
 3Pi7yPyZB7kjkARxg>
X-ME-Received: 
 <xmr:CfYXaJLg6rjBOoW10FngoTS2gJkOJ5MwWQG8uz-xCYWYxFlxiYpLaj8q6DovBKJK_nXhXAU__5ReG3wdbNP8JyJIIdTnJYkf4k5tHLJsoqQm>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjeelheduucetufdoteggodetrf
 dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
 pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvf
 evufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefkrghnucfguhhrvgcuoehi
 rghnsehrvghtrhhoshhpvggtrdhtvheqnecuggftrfgrthhtvghrnhepudekudeuiefgue
 dtteelveekvefhhfdvudegteduleduledutedtledtvdejgffgnecuffhomhgrihhnpehg
 nhhurdhorhhgpdhmohiiihhllhgrrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenuc
 frrghrrghmpehmrghilhhfrhhomhepihgrnhesrhgvthhrohhsphgvtgdrthhvpdhnsggp
 rhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopeejkedvgeelse
 guvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtohepihgrnhesrhgvthhrohhsphgv
 tgdrthhv
X-ME-Proxy: <xmx:CfYXaFE2QKnmf6K0Kxtlsp3PxtJSHb2kg6rYh1KIU_MTv-NdA8MQBQ>
 <xmx:CfYXaNWqE04mCrZKOsTvh3u5vIqWpGRbAEpDI9TderdV17KTJ1gAxQ>
 <xmx:CfYXaAO3HZ2vLm_cR-zzP7-PiB5ydbVi4Pt-RpzQ2TCgZjuOfOkqlQ>
 <xmx:CfYXaM0vdVtu5kXpQNE4Ku9ISE-4pRDPbaGgbxD9RUTsBFQBeGVTmg>
 <xmx:CfYXaK1yHRw0CQS_96M3s5cNd6byBwrG6298kQCujJYcKZzXsp4EqSwD>
Feedback-ID: id9014242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun,
 4 May 2025 19:19:36 -0400 (EDT)
From: Ian Eure <ian@retrospec.tv>
Date: Sun,  4 May 2025 16:19:30 -0700
Message-ID: <20250504231932.20519-2-ian@retrospec.tv>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250504231932.20519-1-ian@retrospec.tv>
References: <20250504231932.20519-1-ian@retrospec.tv>
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Contains fixes for:

CVE-2025-3028: Use-after-free triggered by XSLTProcessor
CVE-2025-3031: JIT optimization bug with different stack slot sizes
CVE-2025-3032: Leaking file descriptors from the fork server
CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
CVE-2025-3033: Opening local .url files could lead to another file
               being opened
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird
               137, Firefox ESR 128.9, and Thunderbird 128.9
CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird
               137

* gnu/packages/librewolf.scm (librewolf): Update to 137.0-1.

Change-Id: I23d8cbefc242e57c19b4e98660fd22bd1dda8d6a
---
 gnu/packages/librewolf.scm | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 1cb7084f23..ae4d64534c 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -206,17 +206,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250327215540")
+(define %librewolf-build-id "20250401171639")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "136.0.4-1")
+    (version "137.0-1")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "0hn2ywyacgg8n47qz1q2l8bf32mszj3vnpkl6kag3wmqqbhvja2a"
-      #:librewolf-hash "045il4xrji2zh1scx3aiy6hx6jv098232aycda6bhsh27szbsrfa"
+      #:firefox-hash "07d9rdxmp48gbk41y1c6gggzziv9aqdhjwgi6c0hrf6chcppxi0y"
+      #:librewolf-hash "164bvissxzhzlwjafp9pdyhhg8hhdxh8w61ifkak497qm4yf8af7"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -236,8 +236,6 @@ (define-public librewolf
                               "--with-system-ffi"
                               "--enable-system-pixman"
                               "--enable-jemalloc"
-
-                              ;; see https://bugs.gnu.org/32833
                               "--with-system-nspr"
                               "--with-system-nss"
 
@@ -312,7 +310,7 @@ (define (write-setting key value)
                      (libavcodec (string-append ffmpeg
                                                 "/lib/libavcodec.so")))
                 ;; Arrange to load libavcodec.so by its absolute file name.
-                (substitute* 
+                (substitute*
                     "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
                   (("libavcodec\\.so")
                    libavcodec)))))
@@ -405,7 +403,7 @@ (define (write-setting key value)
                    (string-append all ", icu-uc >= 76.1")))
                 (if (string=? old-content
                               (pk (call-with-input-file file get-string-all)))
-                    (error 
+                    (error
                      "substitute did nothing, phase requires an update")))))
           (replace 'configure
             (lambda* (#:key inputs outputs configure-flags
@@ -478,7 +476,7 @@ (define write-flags
               (invoke "./mach" "configure")))
           (add-before 'build 'fix-addons-placeholder
             (lambda _
-              (substitute* 
+              (substitute*
                   "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl"
                 (("addons.mozilla.org")
                  "gnuzilla.gnu.org"))))

From patchwork Sun May  4 23:19:31 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Eure <ian@retrospec.tv>
X-Patchwork-Id: 42306
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 4698127BC49; Mon,  5 May 2025 00:20:48 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no
	version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 603F927BC4B
	for <patchwork@mira.cbaines.net>; Mon,  5 May 2025 00:20:46 +0100 (BST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1uBid3-0007nY-Ay; Sun, 04 May 2025 19:20:13 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBicz-0007k1-Ok
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:09 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBict-0004YA-43
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org;
 h=MIME-Version:References:In-Reply-To:Date:From:To:Subject;
 bh=tIzC2m8An8ToCGxELMUH4vlJ0uGGHcAVLwIelyymRfc=;
 b=pVageIAtAg3ByADXPXzisBSuAeCZOk/btUcaEtbds1jQABA930RN7lzOM6U7G2rrua3RyY4AAph/Fh7U1jOvY+L8u6ZvIErx1mCBOEe9QVPruTA/wtxjDAVkQy0nqr9rixYR7Kv67SPS1g6xEKQpH1Ic72L/wj0jT6zr46UgSDupQpd/kFfnGkguc3cHXjDCCYveGVqBFgDr0fFq6RXAbK6WXVKznJcrPJC/f/OMeB+eNfm+t9b55K06e/iYdK7tL8KU0gSKCIdUGX+ELdOdRw51SxHfdIIJwWKvurEVjVtGkxIU4RK0IV+xyb4nWsfXowaJtooC2riFms4XGHSTpg==;
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1uBics-00085O-Qg
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#78249] [PATCH 2/3] gnu: nss-rapid: Update to 3.110.
Resent-From: Ian Eure <ian@retrospec.tv>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 04 May 2025 23:20:02 +0000
Resent-Message-ID: <handler.78249.B78249.174640078831031@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 78249
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 78249@debbugs.gnu.org
Cc: Ian Eure <ian@retrospec.tv>
Received: via spool by 78249-submit@debbugs.gnu.org id=B78249.174640078831031
 (code B ref 78249); Sun, 04 May 2025 23:20:02 +0000
Received: (at 78249) by debbugs.gnu.org; 4 May 2025 23:19:48 +0000
Received: from localhost ([127.0.0.1]:35032 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1uBice-00084P-7f
 for submit@debbugs.gnu.org; Sun, 04 May 2025 19:19:48 -0400
Received: from fhigh-b1-smtp.messagingengine.com ([202.12.124.152]:47465)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ian@retrospec.tv>) id 1uBica-00083f-8w
 for 78249@debbugs.gnu.org; Sun, 04 May 2025 19:19:44 -0400
Received: from phl-compute-01.internal (phl-compute-01.phl.internal
 [10.202.2.41])
 by mailfhigh.stl.internal (Postfix) with ESMTP id D18E02540224;
 Sun,  4 May 2025 19:19:38 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163])
 by phl-compute-01.internal (MEProxy); Sun, 04 May 2025 19:19:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h=
 cc:cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to; s=fm2; t=1746400778; x=
 1746487178; bh=tIzC2m8An8ToCGxELMUH4vlJ0uGGHcAVLwIelyymRfc=; b=C
 cx5YVgR/H4FyGyhFguSQpFpbacda04rjpcQtyESkv+PfPdIVGacoAoTj+LRfoFJc
 4nC1ir0BGh2/+GYsmcLnJlVy+ROjIpw8Zt+xhnptDS6uRqCH56zsc1rra9Vv95qb
 k0gln+tZEhML8hf8jjc9oGqHT0Ju2KTNCXyiEZZoBRKY8l674T1WZef6eJjPP0W5
 A/z5OZIrC58vRbpiCyZqe3cSXB0HVWyNTzZzNUkqWbytvHGPD1NNwTaLAWp/0uxa
 1GoUZsFkQrcADlmlFkOSrPDUA8OnLokAASmxGd6MJ8SdG6J5fjgMopZndFsnzF1h
 DHxgU/7xzJ1tyLKXHKaXw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:feedback-id:feedback-id:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; t=1746400778; x=1746487178; bh=t
 IzC2m8An8ToCGxELMUH4vlJ0uGGHcAVLwIelyymRfc=; b=q7DEuHZQOlSMV0J6E
 sktCHuEUWSjtmcT/r17VTT5xHkDvV8sQwq3gUtGmKfjGZ1NzISR8y1L7o2spGn9P
 CE3zUhDEko/6D2Vx/bHkw8hAbcjwUeIWNzuqBceLCShwICb4k2Ckfw43x5lXkEYo
 51OipANNylpIMgdYLomujPUcAZxqNfTaaYW5wV7A8Pvr3xAZDA0mkwwrLAxZyma6
 0APqs+hSLxH+MQXt5Cs2x4D60FPqlPE9cd/DKlDJW/XEiND6ZVsZIzbnrPtD98Z0
 +JLZYB5n4zy7Fs5kuzJx72Eb9RsaP1W8aTeZjU+PUll4Ofc3SE5RwqSUWLe6I9xW
 HGPpA==
X-ME-Sender: <xms:CvYXaGFHVCIHLR1r4cNNI4dp3iwICb82v9A2FiAASA8SkQ3UVXE2KQ>
 <xme:CvYXaHWmZYkV3QXJAFUTv1UWvbIbPtMZ9DGaNUVjDh4ESe1nT50n1HJDnVg8lW0Of
 CfHt-30_nOx-vwySQ>
X-ME-Received: 
 <xmr:CvYXaAJWEbXwx93kipFb_FWhS0vT75MW4vy9snGuTNvjynXNwuu49mtiAkHSdN9QL3KY_LTeWjGLKG9sOzwUUTT295fZkWRMbqXzxS2kH9V8>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjeelheduucetufdoteggodetrf
 dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
 pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvf
 evufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefkrghnucfguhhrvgcuoehi
 rghnsehrvghtrhhoshhpvggtrdhtvheqnecuggftrfgrthhtvghrnhepvdfgveffvdekle
 dttdetjeektdevteegfefhvdefhfffffejudetkeduieekudelnecuffhomhgrihhnpegs
 rggushhslhdrtghomhdpmhhoiihilhhlrgdrohhrghenucevlhhushhtvghrufhiiigvpe
 dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehirghnsehrvghtrhhoshhpvggtrdhtvhdp
 nhgspghrtghpthhtohepvddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepjeekvd
 egleesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopehirghnsehrvghtrhho
 shhpvggtrdhtvh
X-ME-Proxy: <xmx:CvYXaAHXYvY_g5HSZi3qusGkrA-Mv8yb1_nIY0qNxilf-ImZ1SdkGQ>
 <xmx:CvYXaMU1cARkC6VqGk2UrMAwQQL7XvsS4E3TO1gCdL65hzL848B_fA>
 <xmx:CvYXaDN_mJxxAG58aXIkxDHf-NPKiTdGrhnGsfrz-Bq5RyibZJttuw>
 <xmx:CvYXaD2M155HTvjPX5ktpr6DAnpmp7RPrWznSJVIxxG2SF7zmnnHgQ>
 <xmx:CvYXaB1p-Kq5MqaRQvM0MT0fOZVo1jyu_jOM9d1Mm1Yx_HWkFRK_XhvQ>
Feedback-ID: id9014242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun,
 4 May 2025 19:19:37 -0400 (EDT)
From: Ian Eure <ian@retrospec.tv>
Date: Sun,  4 May 2025 16:19:31 -0700
Message-ID: <20250504231932.20519-3-ian@retrospec.tv>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250504231932.20519-1-ian@retrospec.tv>
References: <20250504231932.20519-1-ian@retrospec.tv>
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

* gnu/packages/nss.scm (nss-rapid): Update to 3.110.

Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99
---
 gnu/packages/nss.scm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7a8c6b075d..24f4b60369 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -347,7 +347,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.109")
+   (version "3.110")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -358,11 +358,19 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
+               "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
+           (add-after 'unpack 'neutralize-network-test
+             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
+             ;; to no networking in the build environment.
+             ;; Behavior changed as of 3.110.
+             (lambda _
+               (substitute* "nss/tests/ssl/ssl.sh"
+                 ((" ssl_policy_pkix_ocsp" all)
+                  (string-append "#" all)))))
            (replace 'check
              (lambda* (#:key tests? #:allow-other-keys)
                (if tests?
@@ -390,8 +398,11 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-28" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
+   (propagated-inputs
+        (modify-inputs (package-propagated-inputs nss)
+          (replace "nspr" nspr-4.36)))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     "Network Security Services (@dfn{NSS}) is a set of libraries designed to

From patchwork Sun May  4 23:19:32 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Eure <ian@retrospec.tv>
X-Patchwork-Id: 42304
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id D729E27BC4C; Mon,  5 May 2025 00:20:45 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no
	version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 00DD927BC49
	for <patchwork@mira.cbaines.net>; Mon,  5 May 2025 00:20:44 +0100 (BST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1uBid2-0007mf-Md; Sun, 04 May 2025 19:20:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBid0-0007lE-Ak
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:10 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1uBict-0004cR-Ip
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org;
 h=MIME-Version:References:In-Reply-To:Date:From:To:Subject;
 bh=Dp7zaMQWt6URMcPb3tC9Ds+ZCAzjo2greSPd7frV1U8=;
 b=Rj/ufgTr0zVikheqfOux6u9DRnH/IxWAZX4sxA6E836qit+0vKVxEGM8UAxi9As2SnghhZNdWwQhamPOZI0ygVpJAgq5O8nDziIqWyqub5U9IyLgrTfnfi15Jd2apjwEIbAp5pHd+btaH4PGCh5fTUv3IsKc4tJPuUxo6oCloq/Low9OtKLBIoAMYvIm99kBENcWeqYjsFdn9cVNwS+MBwi85VAY3LhmBtRTx5axV5mqA1E9TBjPj3gVNFkDNJjWdfc5vTXyfRjQw9m5Bv4KyR8AkgH3oEkomZYwRaow5s2A5IxJyMnPAac+xwiYUFxWJMPNYWmI8sHfyTFOBLsrKA==;
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1uBict-00085W-AQ
 for guix-patches@gnu.org; Sun, 04 May 2025 19:20:03 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#78249] [PATCH 3/3] gnu: librewolf: Update to 138.0.1-2 [security
 fixes].
Resent-From: Ian Eure <ian@retrospec.tv>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 04 May 2025 23:20:03 +0000
Resent-Message-ID: <handler.78249.B78249.174640078931039@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 78249
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 78249@debbugs.gnu.org
Cc: Ian Eure <ian@retrospec.tv>
Received: via spool by 78249-submit@debbugs.gnu.org id=B78249.174640078931039
 (code B ref 78249); Sun, 04 May 2025 23:20:03 +0000
Received: (at 78249) by debbugs.gnu.org; 4 May 2025 23:19:49 +0000
Received: from localhost ([127.0.0.1]:35034 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1uBice-00084X-OH
 for submit@debbugs.gnu.org; Sun, 04 May 2025 19:19:49 -0400
Received: from fhigh-b1-smtp.messagingengine.com ([202.12.124.152]:60477)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ian@retrospec.tv>) id 1uBicb-00083h-9j
 for 78249@debbugs.gnu.org; Sun, 04 May 2025 19:19:45 -0400
Received: from phl-compute-01.internal (phl-compute-01.phl.internal
 [10.202.2.41])
 by mailfhigh.stl.internal (Postfix) with ESMTP id CD070254022E;
 Sun,  4 May 2025 19:19:39 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163])
 by phl-compute-01.internal (MEProxy); Sun, 04 May 2025 19:19:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h=
 cc:cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to; s=fm2; t=1746400779; x=
 1746487179; bh=Dp7zaMQWt6URMcPb3tC9Ds+ZCAzjo2greSPd7frV1U8=; b=J
 urFwoMdI8q9fyA4Z0u4UhWta3wjWZ3RHjh8+hq43uliwjnqemw93oe9g0XN/nos2
 Mq2tzTA6hSOH0VL4n3zeLtIrOHAfh1Ouqvy8pqmfrUFMkjxybcufqhsed6xahAOs
 Rp8c5/WQVjuBFI5wZ3he3oOLEnvoGeo7mFVr8N1b8+JEcPkuyuZDIEupo/PiqUnw
 u8BF7/pR+8MLft8wHhtp3X7CKKzkG8p/hIGw8rL8GpmJo7OYfIPVn5dbwoviPoHQ
 zyH/0+c4mITo0MHVWLjnNB8YEkM/QVvfQ8m/iKk/PWUjY8+wEEi8AsloOlfhw+/p
 4MZCkyHkVZ3yykhrPdYMg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:feedback-id:feedback-id:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; t=1746400779; x=1746487179; bh=D
 p7zaMQWt6URMcPb3tC9Ds+ZCAzjo2greSPd7frV1U8=; b=ksceVhPgqS25mCQJH
 rDvQpN7qv5aHz6ZFwP6O8Dzy/2pRKFNaZ2BCkTTpNOBWGzE46tYeZ/BXbuc4cOBU
 voYvmiOa9fSwNThnBCAoFfAkXBKcbXmYRu7IOZaAP9pLeEKbR65CY+FEuYYzW7R2
 WqTRmGUdYxjBWYQexH2BCgvmSndStJIJbWkDs36DAIgKKHlQs7YkACnydz2/7gHx
 GeIXpDFVoZ+38AGq7yh8CRWoHWK4D2df9MJWRsIINbxsXEFwxZuFsHzDPyI5bRvd
 /TTgqueZ+BlUqgNP7dGa2SRu0CbnqpbuOONuKaK+ApTs1zexWsBuKYCnzdCqeGmH
 i4gxw==
X-ME-Sender: <xms:C_YXaG2PM1TU7IgdYyUyV24ssjU_Sbwa8uhbPAp5yIlrByGPhKZn4g>
 <xme:C_YXaJEbQjMlEwBznSQNT8a8ZjaF3rGpmhXDAlcvRRuBQKD6B20_iMp9Rw_XdeVgR
 4IXw8vfEk07eDLVLg>
X-ME-Received: 
 <xmr:C_YXaO5a9lYMsezzIkvGfbWZMfD2cSBpe9WGYv20yWPEWEFXf4BW3PuG-lfRZdTihPpVswv-NVYATmWO9KAFf8USLDhPuD6W0T-_JJnnzLfa>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjeelheduucetufdoteggodetrf
 dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
 pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvf
 evufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefkrghnucfguhhrvgcuoehi
 rghnsehrvghtrhhoshhpvggtrdhtvheqnecuggftrfgrthhtvghrnhepveevjeffuddvte
 eiueetgfeukedvfeeiuedvveelfeeghfduleeftedvgfefgeejnecuvehluhhsthgvrhfu
 ihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepihgrnhesrhgvthhrohhsphgvtg
 drthhvpdhnsggprhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthho
 peejkedvgeelseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtohepihgrnhesrh
 gvthhrohhsphgvtgdrthhv
X-ME-Proxy: <xmx:C_YXaH334dhkSh0RM2HNB7Qx-xjEVfJhy7uEr5E6fNAN-Q8rucIu8g>
 <xmx:C_YXaJFyECbIHqS3v9Ounu-xo7DPGQdqN8Ck3EXFNu3l5U1HndiKyQ>
 <xmx:C_YXaA-qgdi16Kqx9lhYHI4YYEvmOGA0JHEulLAs0kRNLPVrsTZoZg>
 <xmx:C_YXaOlzcOgWSWWgwTgS8dUXgeCBT7x7z_Y6qQu1lRPu3-Youubiqw>
 <xmx:C_YXaEm9LECw8Feo-DUgRWtcWkw7dWz8TfKhokyizM_jSN_Kders2X_4>
Feedback-ID: id9014242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun,
 4 May 2025 19:19:39 -0400 (EDT)
From: Ian Eure <ian@retrospec.tv>
Date: Sun,  4 May 2025 16:19:32 -0700
Message-ID: <20250504231932.20519-4-ian@retrospec.tv>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250504231932.20519-1-ian@retrospec.tv>
References: <20250504231932.20519-1-ian@retrospec.tv>
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                      | 12 ++++++------
 .../patches/torbrowser-compare-paths.patch      | 17 ++++-------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd1..8a8dbd05ad 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.1-2")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q"
+      #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
                   libxt
                   mesa
                   mit-krb5
-                  nspr
+                  nspr-4.36
                   nss-rapid
                   pango
                   pciutils
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
                          pkg-config
                          python
                          rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                          which
                          yasm))
     (native-search-paths
diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch
index 7d4d5fdb78..8e880bf390 100644
--- a/gnu/packages/patches/torbrowser-compare-paths.patch
+++ b/gnu/packages/patches/torbrowser-compare-paths.patch
@@ -5,20 +5,11 @@ name.
 
 --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
 +++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3606,6 +3606,7 @@
+@@ -3753,6 +3753,7 @@
      if (
        newAddon ||
        oldAddon.updateDate != xpiState.mtime ||
 +      oldAddon.path != xpiState.path ||
-       (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
-     ) {
-       newAddon = this.updateMetadata(
-@@ -3614,8 +3615,6 @@
-         xpiState,
-         newAddon
-       );
--    } else if (oldAddon.path != xpiState.path) {
--      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
-     } else if (aUpdateCompatibility || aSchemaChange) {
-       newAddon = this.updateCompatibility(
-         installLocation,
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing