Package: guix-patches;
Reported by: Ian Eure <ian <at> retrospec.tv>
Date: Sun, 22 Sep 2024 20:53:02 UTC
Severity: normal
Tags: patch
Done: Andrew Tropin <andrew <at> trop.in>
Bug is archived. No further changes may be made.
From: Andrew Tropin <andrew <at> trop.in>
To: Ian Eure <ian <at> retrospec.tv>, 73429 <at> debbugs.gnu.org
Cc: André Batista <nandre <at> riseup.net>, mhw <at> netris.org, jonathan.brielmaier <at> web.de, Ian Eure <ian <at> retrospec.tv>
Subject: [bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes]
Date: Tue, 24 Sep 2024 12:17:50 +0400
On 2024-09-22 13:53, Ian Eure wrote: > This patch: > > - Updates LibreWolf to the latest version > - Removes the code which disabled encoding_rs.patch from upstream. It’s no > longer in the repo, so the code did nothing, and the underlying issue (Guix > being stuck with an old Rust version) has been fixed. > - Integrates changes from #72265 with some slight tweaks. This should allow > LibreWolf to use accelerated video decoding on supported hardware. > - Neuters the GenAI chat feature, which directly integrates with non-free > services, by excluding it from the build and locking the preferences which > would enable it. > > Fixes: > CVE-2024-8385: WASM type confusion involving ArrayTypes > CVE-2024-8381: Type confusion when looking up a property name in a "with" block > CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts > CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran > CVE-2024-8383: Firefox did not ask before openings news: links in an external application > CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions > CVE-2024-8386: SelectElements could be shown over another site if popups are allowed > CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2 > CVE-2024-8389: Memory safety bugs fixed in Firefox 130 > > * gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1. > > Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a > --- > gnu/packages/librewolf.scm | 55 ++++++++++++++++++++------------------ > 1 file changed, 29 insertions(+), 26 deletions(-) > > diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm > index 21f73f799d..bade479656 100644 > --- a/gnu/packages/librewolf.scm > +++ b/gnu/packages/librewolf.scm
> @@ -117,9 +117,11 @@ (define (librewolf-source-origin version hash) > (define computed-origin-method (@@ (guix packages) computed-origin-method)) > > (define librewolf-source > - (let* ((ff-src (firefox-source-origin "129.0.1" "0wy0fn0pavlhlkdybr59hhbn5ng0zn56mxa7gsknf8f2whiyipwx")) > - (version "129.0.1-1") > - (lw-src (librewolf-source-origin version "0pvv3v23q31hdjvqi1f3cqfyjrb8dbrrbfwxj2wacak1g0mzbxf4"))) > + (let* ((ff-src (firefox-source-origin "130.0" > + "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2")) > + (lw-src (librewolf-source-origin > + "130.0.1-1" > + "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))) > > (origin > (method computed-origin-method) > @@ -164,11 +166,6 @@ (define librewolf-source > (("^ff_source_tarball:=.*") > (string-append "ff_source_tarball:=" #+ff-src))) > > - ;; Remove encoding_rs patch, it doesn't build with Rust 1.75. > - (substitute* '("assets/patches.txt") > - (("patches/encoding_rs.patch\\\n$") > - "")) > - > ;; Stage locales. > (begin > (format #t "Staging locales...~%") > @@ -215,13 +212,17 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum. > ;; Update this id with every update to its release date. > ;; It's used for cache validation and therefore can lead to strange bugs. > ;; ex: date '+%Y%m%d%H%M%S' > -(define %librewolf-build-id "20240817075827") > +(define %librewolf-build-id "20240922110507") > > (define-public librewolf > (package > (name "librewolf") > - (version "129.0.1-1") > - (source librewolf-source) > + (version "130.0.1-1") > + (source > + (origin > + (inherit librewolf-source) > + (patches > + (search-patches "librewolf-add-paths-to-rdd-allowlist.patch")))) It seems I was too hasty, the patch adding /gnu/store and /run/current-system/profile/lib to whitelist is not in the guix repo yet. Will add it in a few minutes. > (build-system gnu-build-system) > (arguments > (list 
> @@ -318,6 +319,22 @@ (define (write-setting key value) > (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp" > (("libavcodec\\.so") > libavcodec))))) > + (add-after 'unpack 'neuter-genai > + (lambda* _ > + ;; Don't compile the code in. > + (substitute* "browser/components/moz.build" > + (("\"genai\",") "")) > + ;; Lock the preferences so they can't be enabled. > + (substitute* "lw/librewolf.cfg" > + (("defaultPref\\(\"browser\\.ml\\.") > + "lockPref(\"browser.ml.")) > + ;; Correct a preference typo > + ;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954 > + ;; Remove this in the next update. > + (substitute* "lw/librewolf.cfg" > + (("browser\\.ml\\.enabled") > + "browser.ml.enable")) > + )) > (add-after 'patch-source-shebangs 'patch-cargo-checksums > (lambda _ > (use-modules (guix build cargo-utils)) > @@ -575,26 +592,12 @@ (define (runpaths-of-input label) > ;; For U2F and WebAuthn > "eudev"))) > > - ;; VA-API is run in the RDD (Remote Data Decoder) sandbox > - ;; and must be explicitly given access to files it needs. > - ;; Rather than adding the whole store (as Nix had > - ;; upstream do, see > - ;; <https://github.com/NixOS/nixpkgs/pull/165964> and > - ;; linked upstream patches), we can just follow the > - ;; runpaths of the needed libraries to add everything to > - ;; LD_LIBRARY_PATH. These will then be accessible in the > - ;; RDD sandbox. > - (rdd-whitelist (map (cut string-append <> "/") > - (delete-duplicates (append-map > - runpaths-of-input > - '("mesa" > - "ffmpeg"))))) > (gtk-share (string-append (assoc-ref inputs > "gtk+") > "/share"))) > (wrap-program (car (find-files lib "^librewolf$")) > `("LD_LIBRARY_PATH" prefix > - (,@libs ,@rdd-whitelist)) > + ,libs) > `("XDG_DATA_DIRS" prefix > (,gtk-share)) > `("MOZ_LEGACY_PROFILES" = -- Best regards, Andrew Tropin
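Review bot: in the first hunk (@@ -117,9 +117,11 @@, librewolf-source) the Firefox tarball is pinned to "130.0" while the LibreWolf release is "130.0.1-1"; please confirm in the commit message that LibreWolf 130.0.1-1 is meant to build from the Firefox 130.0 tarball rather than 130.0.1, since the CVE list given is the Firefox 130 set and a mismatched base tarball would quietly build a different codebase than the version string advertises. Dropping the `(version "129.0.1-1")` binding also means the release string is now typed twice, here in `(lw-src (librewolf-source-origin "130.0.1-1" ...))` and again in the package's `(version "130.0.1-1")`; binding it once and using it in both places would stop the two from drifting apart on the next security bump.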
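Review bot: the third hunk (@@ -215,13 +212,17 @@) calls `(search-patches "librewolf-add-paths-to-rdd-allowlist.patch")`, but the diffstat lists only gnu/packages/librewolf.scm, so the patch file is not part of this change (as the reply itself notes). A missing patch makes `search-patches` fail when the module is loaded, which takes every package in librewolf.scm down with it, so the file should land in the same commit, be registered in gnu/local.mk, and be mentioned in the ChangeLog entry; for a change tagged [security fixes] the commit message should also say which paths that patch opens to the RDD sandbox. The hunk's context line `(define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.` now contradicts the commit message's statement that the old-Rust problem is fixed, so that comment wants updating in the same change.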
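Review bot: in the neuter-genai phase (@@ -318,6 +319,22 @@), `(lambda* _` should be `(lambda _` as in the neighbouring patch-cargo-checksums phase, since no optional or keyword arguments are declared, and the closing `))` on a line of its own is not Scheme style; the two `substitute*` calls on "lw/librewolf.cfg" can be folded into a single call carrying both patterns. Turning `defaultPref("browser.ml.` into `lockPref("browser.ml.` is the right belt-and-braces measure given the component is also dropped from browser/components/moz.build, but the match is literal, so any browser.ml.* key that librewolf.cfg sets through a different helper would remain user-overridable; a quick grep of the file on the next update, which the "Remove this in the next update" comment already schedules, would catch that.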
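Review bot: the last hunk (@@ -575,26 +592,12 @@) deletes the runpaths-based `rdd-whitelist` together with the comment that explicitly argued against exposing the whole store to the RDD sandbox, while the reply says the replacement patch allowlists /gnu/store and /run/current-system/profile/lib. That is a sandbox-policy change in the opposite direction of the removed comment and deserves a sentence in the commit message explaining the trade-off (why following the mesa and ffmpeg runpaths was not sufficient, and that the decoder process can now read any store path). With its only visible caller gone, `runpaths-of-input` in the hunk header and the `cut` import used only by it look like dead code; remove them if nothing else in the file references them.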