GNU bug report logs - #73742
[PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].


Package: guix-patches;

Reported by: Ian Eure <ian <at> retrospec.tv>

Date: Fri, 11 Oct 2024 04:46:01 UTC

Severity: normal

Tags: patch

Done: Hilton Chain <hako <at> ultrarare.space>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#73742; Package guix-patches. (Fri, 11 Oct 2024 04:46:02 GMT)

Acknowledgement sent to Ian Eure <ian <at> retrospec.tv>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 11 Oct 2024 04:46:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: guix-patches <at> gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
Date: Thu, 10 Oct 2024 21:42:18 -0700

Updates the package and changes how the .desktop file is generated.  The
.desktop file the package had been using was removed upstream.

Fixes:

CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
               for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
               responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
               type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
               objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
               service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
               Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
               Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline

* gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.

Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
---
 gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
 1 file changed, 13 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 31de7a7171..4b91132d9b 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241005085731")
+(define %librewolf-build-id "20241010143544")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "130.0.1-1")
+    (version "131.0.2-1")
     (source
      (origin
       (inherit (make-librewolf-source
                 #:version version
-                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
-                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
+                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
+                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
     (build-system gnu-build-system)
     (arguments
      (list
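Review bot: the two new source hashes passed to `make-librewolf-source` (`#:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"` and `#:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"`) are the only integrity anchor for this security update, so whoever pushes should reproduce them independently against the upstream 131.0.2-1 artifacts (for example with `guix download` on the release URLs) rather than accept them from the patch text. The `%librewolf-build-id` bump to `20241010143544` follows the comment's instruction to refresh it on every release-date change, so that part needs no change.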
@@ -619,33 +619,24 @@ (define (runpaths-of-input label)
                    (add-after 'wrap-program 'install-desktop-entry
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let* ((desktop-file
-                               "taskcluster/docker/firefox-snap/firefox.desktop")
+                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
                               (applications (string-append #$output
                                              "/share/applications")))
                          (substitute* desktop-file
-                           (("^Exec=firefox")
+                           (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
                                            #$output "/bin/librewolf"))
-                           ;; "Firefox" -> "LibreWolf" everywhere
-                           (("Firefox")
+                           (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
-                           ;; Remove non-Latin translations.
-                           (("^Name\\[(ar|bn)\\].*$")
-                            "")
-                           (("^Icon=.*")
+                           (("@MOZ_APP_REMOTINGNAME@")
+                            "LibreWolf")
+                           (("^Icon=@MOZ_APP_NAME@")
                             (string-append "Icon="
                              #$output
-                             "/share/icons/hicolor/128x128/apps/librewolf.png
-"))
-                           ;; These commands were changed.
-                           (("-NewWindow")
-                            "-new-window")
-                           (("-NewPrivateWindow")
-                            "-new-private-window")
-                           (("StartupNotify=true")
-                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
+                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
+
                          (copy-file desktop-file "librewolf.desktop")
-                         (install-file "librewolf.desktop" applications))))
+                         (install-file "librewolf.desktop" (string-append applications)))))
                    (add-after 'install-desktop-entry 'install-icons
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((icon-source-dir (string-append #$output
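Review bot: `(install-file "librewolf.desktop" (string-append applications))` wraps a single string in `string-append`, which is a no-op; pass `applications` directly, as the removed line did. Two functional points in the same `substitute*` block: the new `Exec=` value ends at `#$output "/bin/librewolf"` with no `%u` field code, so URLs or files handed to the entry by the desktop environment will not be forwarded to the browser, and since the entry is being regenerated from a new template this is the moment to add it; and the removed rule that appended `StartupWMClass=LibreWolf` has no explicit counterpart here, so confirm that the `@MOZ_APP_REMOTINGNAME@` substitution in `toolkit/mozapps/installer/linux/rpm/mozilla.desktop` yields an equivalent `StartupWMClass` line in the installed file, otherwise window-to-launcher matching regresses.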
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#73742; Package guix-patches. (Fri, 11 Oct 2024 08:37:01 GMT)

Message #8 received at 73742 <at> debbugs.gnu.org:

From: Rutherther <rutherther <at> ditigal.xyz>
To: control <at> debbugs.gnu.org,73742 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: QA review for 73742
Date: Fri, 11 Oct 2024 10:36:32 +0200

user guix
usertag 73742 + reviewed-looks-good
thanks

Applies and builds fine, works fine. This is probably quite critical
as there is a vulnerability that is reported to be exploited
in the wild by Mozilla regarding animations.
See https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Apart from the security fixes, this seems to also fix sound
problems for me that I had with the previous version. Or maybe
some dependency update caused this, not sure.

Regards,
Rutherther




Information forwarded to guix-patches <at> gnu.org:
bug#73742; Package guix-patches. (Fri, 11 Oct 2024 10:25:01 GMT)

Message #11 received at 73742 <at> debbugs.gnu.org:

From: Hilton Chain <hako <at> ultrarare.space>
To: Ian Eure <ian <at> retrospec.tv>
Cc: 73742 <at> debbugs.gnu.org
Subject: Re: [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
Date: Fri, 11 Oct 2024 18:22:50 +0800

Hi Ian,

Thanks for the patch, I'll make two minor changes (see details below) when
pushing it.

On Fri, 11 Oct 2024 12:42:18 +0800,
Ian Eure wrote:
>
> Updates the package and changes how the .desktop file is generated.  The
> .desktop file the package had been using was removed upstream.
>
> Fixes:
>
> CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
>                for Android
> CVE-2024-9392: Compromised content process can bypass site isolation
> CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
> CVE-2024-9394: Cross-origin access to JSON contents through multipart
>                responses
> CVE-2024-9395: Specially crafted filename could be used to obscure download
>                type
> CVE-2024-9396: Potential memory corruption may occur when cloning certain
>                objects
> CVE-2024-9397: Potential directory upload bypass via clickjacking
> CVE-2024-9398: External protocol handlers could be enumerated via popups
> CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
>                service
> CVE-2024-9400: Potential memory corruption during JIT compilation
> CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
>                Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
>                Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
> CVE-2024-9680: Use-after-free in Animation timeline
>
> * gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.
>
> Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
> ---
>  gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
>  1 file changed, 13 insertions(+), 22 deletions(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 31de7a7171..4b91132d9b 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
>  ;; Update this id with every update to its release date.
>  ;; It's used for cache validation and therefore can lead to strange bugs.
>  ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20241005085731")
> +(define %librewolf-build-id "20241010143544")
>
>  (define-public librewolf
>    (package
>      (name "librewolf")
> -    (version "130.0.1-1")
> +    (version "131.0.2-1")
>      (source
>       (origin
>        (inherit (make-librewolf-source
>                  #:version version
> -                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
> -                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
> +                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
> +                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list
> @@ -619,33 +619,24 @@ (define (runpaths-of-input label)
>                     (add-after 'wrap-program 'install-desktop-entry
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let* ((desktop-file
> -                               "taskcluster/docker/firefox-snap/firefox.desktop")
> +                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
>                                (applications (string-append #$output
>                                               "/share/applications")))
>                           (substitute* desktop-file
> -                           (("^Exec=firefox")
> +                           (("^Exec=@MOZ_APP_NAME@")
>                              (string-append "Exec="
>                                             #$output "/bin/librewolf"))

1. Add a %u[1] after "/bin/librewolf".

[1]: https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html

> -                           ;; "Firefox" -> "LibreWolf" everywhere
> -                           (("Firefox")
> +                           (("@MOZ_APP_DISPLAYNAME@")
>                              "LibreWolf")
> -                           ;; Remove non-Latin translations.
> -                           (("^Name\\[(ar|bn)\\].*$")
> -                            "")
> -                           (("^Icon=.*")
> +                           (("@MOZ_APP_REMOTINGNAME@")
> +                            "LibreWolf")
> +                           (("^Icon=@MOZ_APP_NAME@")
>                              (string-append "Icon="
>                               #$output
> -                             "/share/icons/hicolor/128x128/apps/librewolf.png
> -"))
> -                           ;; These commands were changed.
> -                           (("-NewWindow")
> -                            "-new-window")
> -                           (("-NewPrivateWindow")
> -                            "-new-private-window")
> -                           (("StartupNotify=true")
> -                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
> +                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
> +
>                           (copy-file desktop-file "librewolf.desktop")
> -                         (install-file "librewolf.desktop" applications))))
> +                         (install-file "librewolf.desktop" (string-append applications)))))

2. Remove this string-append.

>                     (add-after 'install-desktop-entry 'install-icons
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let ((icon-source-dir (string-append #$output
> --
> 2.46.0
>
>
>
>




Reply sent to Hilton Chain <hako <at> ultrarare.space>:
You have taken responsibility. (Fri, 11 Oct 2024 10:52:02 GMT)

Notification sent to Ian Eure <ian <at> retrospec.tv>:
bug acknowledged by developer. (Fri, 11 Oct 2024 10:52:03 GMT)

Message #16 received at 73742-done <at> debbugs.gnu.org:

From: Hilton Chain <hako <at> ultrarare.space>
To: Ian Eure <ian <at> retrospec.tv>
Cc: Rutherther <rutherther <at> ditigal.xyz>, 73742-done <at> debbugs.gnu.org
Subject: Re: [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
Date: Fri, 11 Oct 2024 18:50:36 +0800

Hi Ian, and Rutherther, thank you for the review.

Applied as cdb262e993a2ffdf49f7995cc12fa523d4578c05 with changes mentioned in my
previous mail.

Thanks




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 08 Nov 2024 12:24:09 GMT)
