GNU bug report logs - #74648
[PATCH] gnu: librewolf: Add %u to Exec option to open URLs.


Package: guix-patches;

Reported by: Roman Scherer <roman <at> burningswell.com>

Date: Mon, 2 Dec 2024 12:21:02 UTC

Severity: normal

Tags: patch

Done: Sharlatan Hellseher <sharlatanus <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 74648 in the body.
You can then email your comments to 74648 AT debbugs.gnu.org in the normal way.



Report forwarded to nandre <at> riseup.net, clement <at> lassieur.org, jonathan.brielmaier <at> web.de, mhw <at> netris.org, guix-patches <at> gnu.org:
bug#74648; Package guix-patches. (Mon, 02 Dec 2024 12:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roman Scherer <roman <at> burningswell.com>:
New bug report received and forwarded. Copy sent to nandre <at> riseup.net, clement <at> lassieur.org, jonathan.brielmaier <at> web.de, mhw <at> netris.org, guix-patches <at> gnu.org. (Mon, 02 Dec 2024 12:21:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Roman Scherer <roman <at> burningswell.com>
To: guix-patches <at> gnu.org
Cc: Roman Scherer <roman <at> burningswell.com>
Subject: [PATCH] gnu: librewolf: Add %u to Exec option to open URLs.
Date: Mon,  2 Dec 2024 13:20:20 +0100

* gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.

Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
---
 gnu/packages/librewolf.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 5d432cfad8..42d212e9f9 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -605,7 +605,7 @@ (define-public librewolf
                          (substitute* desktop-file
                            (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
-                                           #$output "/bin/librewolf"))
+                                           #$output "/bin/librewolf %u"))
                            (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
                            (("@MOZ_APP_REMOTINGNAME@")
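
Review bot: the regexp "^Exec=@MOZ_APP_NAME@" in the context line above the change matches only the start of the line, so the replacement ending in " %u" is spliced in front of whatever follows the token. If the desktop file being patched already has a field code after the token, or has further Exec= lines with arguments after it, the installed entry ends up with two field codes or with %u ahead of those arguments. Consider anchoring the pattern at end of line too ("^Exec=@MOZ_APP_NAME@$") so " %u" is appended only where the template has the bare token, with a separate token-only substitution for any other line.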

base-commit: 2756c660fb2d9e2fe3e1fd0898e4d7038c8273c7
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74648; Package guix-patches. (Mon, 02 Dec 2024 14:32:01 GMT) Full text and rfc822 format available.

Message #8 received at 74648 <at> debbugs.gnu.org (full text, mbox):

From: André Batista <nandre <at> riseup.net>
To: Roman Scherer <roman <at> burningswell.com>
Cc: Mark H Weaver <mhw <at> netris.org>,
 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>, 74648 <at> debbugs.gnu.org,
 Ian Eure <ian <at> retrospec.tv>
Subject: Re: [bug#74648] [PATCH] gnu: librewolf: Add %u to Exec option to
 open URLs.
Date: Mon, 2 Dec 2024 11:31:20 -0300

Hi Roman,

Mon 02 Dec 2024 at 13:20:20 (1733156420), roman <at> burningswell.com wrote:
> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
> 
> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
> ---
>  gnu/packages/librewolf.scm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 5d432cfad8..42d212e9f9 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -605,7 +605,7 @@ (define-public librewolf
>                           (substitute* desktop-file
>                             (("^Exec=@MOZ_APP_NAME@")
>                              (string-append "Exec="
> -                                           #$output "/bin/librewolf"))
> +                                           #$output "/bin/librewolf %u"))
>                             (("@MOZ_APP_DISPLAYNAME@")
> 
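
Review bot: the new literal "/bin/librewolf %u" carries no comment saying why the field code is hard-coded in the package instead of coming from the desktop file being patched. A one-line comment above the string-append, stating that the template's Exec line is expected to have no URL field code and that one is added here, would keep a later template change from silently duplicating it. The comment could also record that %u (a single URL per launch) is intended rather than %U (a list of URLs).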

This was its previous state and was removed on commit
280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.

Copying Ian, who was the author of that change and has been maintaining
Librewolf.

Cheers!




Information forwarded to guix-patches <at> gnu.org:
bug#74648; Package guix-patches. (Mon, 02 Dec 2024 15:31:01 GMT) Full text and rfc822 format available.

Message #11 received at 74648 <at> debbugs.gnu.org (full text, mbox):

From: Roman Scherer <roman <at> burningswell.com>
To: André Batista <nandre <at> riseup.net>
Cc: Mark H Weaver <mhw <at> netris.org>, Roman Scherer <roman <at> burningswell.com>,
 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>, 74648 <at> debbugs.gnu.org,
 Ian Eure <ian <at> retrospec.tv>
Subject: Re: [bug#74648] [PATCH] gnu: librewolf: Add %u to Exec option to
 open URLs.
Date: Mon, 02 Dec 2024 16:29:09 +0100

André Batista <nandre <at> riseup.net> writes:

Hi André,

thanks for taking a look. So this is fixing a security issue? Which one
exactly? Is it this one?

CVE-2024-10462: Origin of permission prompt could be spoofed by long URL

Are we planning to do the same for Icecat? If so, could we have a variant
of the browsers in Guix that are less hardened, and would allow opening
URLs?

I'm using Slack via Flatpak and not being able to open URLs from there
or other applications with my browser is a bit tedious.

Roman

> Hi Roman,
>
> Mon 02 Dec 2024 at 13:20:20 (1733156420), roman <at> burningswell.com wrote:
>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
>>
>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>> ---
>>  gnu/packages/librewolf.scm | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
>> index 5d432cfad8..42d212e9f9 100644
>> --- a/gnu/packages/librewolf.scm
>> +++ b/gnu/packages/librewolf.scm
>> @@ -605,7 +605,7 @@ (define-public librewolf
>>                           (substitute* desktop-file
>>                             (("^Exec=@MOZ_APP_NAME@")
>>                              (string-append "Exec="
>> -                                           #$output "/bin/librewolf"))
>> +                                           #$output "/bin/librewolf %u"))
>>                             (("@MOZ_APP_DISPLAYNAME@")
>>
>
> This was its previous state and was removed on commit
> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>
> Copying Ian, who was the author of that change and has been maintaining
> Librewolf.
>
> Cheers!

Information forwarded to guix-patches <at> gnu.org:
bug#74648; Package guix-patches. (Mon, 02 Dec 2024 16:31:02 GMT) Full text and rfc822 format available.

Message #14 received at 74648 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: Roman Scherer <roman <at> burningswell.com>
Cc: André Batista <nandre <at> riseup.net>,
 Mark H Weaver <mhw <at> netris.org>,
 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>, 74648 <at> debbugs.gnu.org
Subject: Re: [bug#74648] [PATCH] gnu: librewolf: Add %u to Exec option to
 open URLs.
Date: Mon, 02 Dec 2024 08:30:12 -0800

Hi Roman, André,

Roman Scherer <roman <at> burningswell.com> writes:

> André Batista <nandre <at> riseup.net> writes:
>
> Hi André,
>
> thanks for taking a look. So this is fixing a security issue? 
> Which one
> exactly? Is it this one?
>

This isn’t a security issue, the concern was created in a change 
which also had security updates.  The current nature of the 
browser ecosystem means nearly every Firefox update contains 
security fixes, so presence of them isn’t a very useful signal.

>
>> Hi Roman,
>>
>> Mon 02 Dec 2024 at 13:20:20 (1733156420), 
>> roman <at> burningswell.com wrote:
>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec 
>>> option to open URLs.
>>>
>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>> ---
>>>  gnu/packages/librewolf.scm | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/librewolf.scm 
>>> b/gnu/packages/librewolf.scm
>>> index 5d432cfad8..42d212e9f9 100644
>>> --- a/gnu/packages/librewolf.scm
>>> +++ b/gnu/packages/librewolf.scm
>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>>                           (substitute* desktop-file
>>>                             (("^Exec=@MOZ_APP_NAME@")
>>>                              (string-append "Exec="
>>> -                                           #$output 
>>> "/bin/librewolf"))
>>> +                                           #$output 
>>> "/bin/librewolf %u"))
>>>                             (("@MOZ_APP_DISPLAYNAME@")
>>>
>>
>> This was its previous state and was removed on commit
>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>
>> Copying Ian, who was the author of that change and has been 
>> maintaining
>> Librewolf.
>>

The context behind this change is that Firefox used to ship a 
taskcluster/docker/firefox-snap/firefox.desktop file which had an 
Exec line like this:

   Exec=@MOZ_APP_NAME@ %u

The Guix package would use that file, replacing the token with the 
path to the binary.  The presence of %u in the package definition 
is because the substitute* regexp is sloppy and replaces the whole 
line instead of @MOZ_APP_NAME@ only.  For reasons unknown to me, 
Firefox stopped shipping this file and deleted it from their repo. 
I looked around the repo and found 
toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm 
package.  Its Exec line is:

   Exec=@MOZ_APP_NAME@

So I updated the package to use that, and the regexp to match.

The patch in #74648 looks fine to me, and I think it should be 
pushed.

Thanks,

 — Ian
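
The substitution described in the message above, worked through as an added example (not code from this thread or from Guix). Python's `re` stands in for `substitute*`, the two templates are constructed from the Exec lines quoted above, the store path is a placeholder, and the whole-line regexp is an assumed form of the older pattern.

```python
import re

# Constructed templates modelled on the two Exec lines quoted in the thread.
WITH_CODE = "[Desktop Entry]\nName=@MOZ_APP_DISPLAYNAME@\nExec=@MOZ_APP_NAME@ %u\n"
WITHOUT_CODE = "[Desktop Entry]\nName=@MOZ_APP_DISPLAYNAME@\nExec=@MOZ_APP_NAME@\n"
BINARY = "/gnu/store/PLACEHOLDER-librewolf/bin/librewolf"  # placeholder, not a real store path

PREFIX = r"^Exec=@MOZ_APP_NAME@"        # regexp visible in the patch context
WHOLE_LINE = r"^Exec=@MOZ_APP_NAME@.*"  # assumed form of a whole-line match


def substitute(text, pattern, replacement):
    """Replace regexp matches line by line, roughly as Guix's substitute* does."""
    rx = re.compile(pattern)
    return "".join(rx.sub(lambda _m: replacement, line)
                   for line in text.splitlines(keepends=True))


def exec_values(text):
    """Return the value of every Exec= key in a desktop entry."""
    return [line[5:] for line in text.splitlines() if line.startswith("Exec=")]


def url_codes(exec_value):
    """Count %u/%U arguments (whitespace split; Exec quoting rules are ignored)."""
    return sum(arg in ("%u", "%U") for arg in exec_value.split()[1:])


def render(template, pattern, append_code):
    """Build the main Exec value the package would install for one combination."""
    replacement = "Exec=" + BINARY + (" %u" if append_code else "")
    return exec_values(substitute(template, pattern, replacement))[0]


def audit():
    """Map each (template, regexp, package appends %u) case to its field-code count."""
    cases = {
        "template with %u, whole-line regexp, %u in package": (WITH_CODE, WHOLE_LINE, True),
        "template without %u, prefix regexp, no %u": (WITHOUT_CODE, PREFIX, False),
        "template without %u, prefix regexp, %u in package": (WITHOUT_CODE, PREFIX, True),
        "template with %u, prefix regexp, %u in package": (WITH_CODE, PREFIX, True),
    }
    return {name: url_codes(render(*args)) for name, args in cases.items()}


if __name__ == "__main__":
    for name, count in audit().items():
        status = "ok" if count == 1 else "no URL passed" if count == 0 else "duplicate field code"
        print(f"{count}  {status:22}  {name}")
```

A count of 1 is the entry a launcher can hand a URL to; 0 is the state the patch in this report corrects, and 2 is what a prefix-only regexp would produce if the template carried its own field code.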




Information forwarded to guix-patches <at> gnu.org:
bug#74648; Package guix-patches. (Tue, 03 Dec 2024 09:33:01 GMT) Full text and rfc822 format available.

Message #17 received at 74648 <at> debbugs.gnu.org (full text, mbox):

From: Roman Scherer <roman <at> burningswell.com>
To: Ian Eure <ian <at> retrospec.tv>
Cc: André Batista <nandre <at> riseup.net>,
 Mark H Weaver <mhw <at> netris.org>, Roman Scherer <roman <at> burningswell.com>,
 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>, 74648 <at> debbugs.gnu.org
Subject: Re: [bug#74648] [PATCH] gnu: librewolf: Add %u to Exec option to
 open URLs.
Date: Tue, 03 Dec 2024 10:31:05 +0100

Ian Eure <ian <at> retrospec.tv> writes:

OK, thanks for the summary, Ian. Looking forward to the patch being
applied.

Thanks, Roman.

> Hi Roman, André,
>
> Roman Scherer <roman <at> burningswell.com> writes:
>
>> André Batista <nandre <at> riseup.net> writes:
>>
>> Hi André,
>>
>> thanks for taking a look. So this is fixing a security issue? Which
>> one
>> exactly? Is it this one?
>>
>
> This isn’t a security issue, the concern was created in a change which
> also had security updates.  The current nature of the browser
> ecosystem means nearly every Firefox update contains security fixes,
> so presence of them isn’t a very useful signal.
>
>>
>>> Hi Roman,
>>>
>>> Mon 02 Dec 2024 at 13:20:20 (1733156420), roman <at> burningswell.com
>>> wrote:
>>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to
>>>> open URLs.
>>>>
>>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>>> ---
>>>>  gnu/packages/librewolf.scm | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/librewolf.scm
>>>> b/gnu/packages/librewolf.scm
>>>> index 5d432cfad8..42d212e9f9 100644
>>>> --- a/gnu/packages/librewolf.scm
>>>> +++ b/gnu/packages/librewolf.scm
>>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>>>                           (substitute* desktop-file
>>>>                             (("^Exec=@MOZ_APP_NAME@")
>>>>                              (string-append "Exec="
>>>> -                                           #$output
>>>> "/bin/librewolf"))
>>>> +                                           #$output
>>>> "/bin/librewolf %u"))
>>>>                             (("@MOZ_APP_DISPLAYNAME@")
>>>>
>>>
>>> This was its previous state and was removed on commit
>>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>>
>>> Copying Ian, who was the author of that change and has been
>>> maintaining
>>> Librewolf.
>>>
>
> The context behind this change is that Firefox used to ship a
> taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
> line like this:
>
>    Exec=@MOZ_APP_NAME@ %u
>
> The Guix package would use that file, replacing the token with the
> path to the binary.  The presence of %u in the package definition is
> because the substitute* regexp is sloppy and replaces the whole line
> instead of @MOZ_APP_NAME@ only.  For reasons unknown to me, Firefox
> stopped shipping this file and deleted it from their repo. I looked
> around the repo and found
> toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm
> package.  Its Exec line is:
>
>    Exec=@MOZ_APP_NAME@
>
> So I updated the package to use that, and the regexp to match.
>
> The patch in #74648 looks fine to me, and I think it should be pushed.
>
> Thanks,
>
>  — Ian

Reply sent to Sharlatan Hellseher <sharlatanus <at> gmail.com>:
You have taken responsibility. (Wed, 11 Dec 2024 20:31:02 GMT) Full text and rfc822 format available.

Notification sent to Roman Scherer <roman <at> burningswell.com>:
bug acknowledged by developer. (Wed, 11 Dec 2024 20:31:02 GMT) Full text and rfc822 format available.

Message #22 received at 74648-done <at> debbugs.gnu.org (full text, mbox):

From: Sharlatan Hellseher <sharlatanus <at> gmail.com>
To: 74648-done <at> debbugs.gnu.org
Subject: [PATCH] gnu: librewolf: Add %u to Exec option to open URLs.
Date: Wed, 11 Dec 2024 20:29:34 +0000

Hi,

Pushed with updated commit message as
dc2df5b86942e70c4d9f24533f6609153e9b2889 to master.

--
Oleg

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 09 Jan 2025 12:24:07 GMT) Full text and rfc822 format available.

This bug report was last modified 162 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.