GNU bug report logs - #76869
[PATCH 0/3] Update LibreWolf to 136.0-2 [security fixes]


Package: guix-patches;

Reported by: Ian Eure <ian <at> retrospec.tv>

Date: Sat, 8 Mar 2025 15:41:02 UTC

Severity: normal

Tags: patch

Done: Ian Eure <ian <at> retrospec.tv>

Bug is archived. No further changes may be made.





Report forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Sat, 08 Mar 2025 15:41:02 GMT)

Acknowledgement sent to Ian Eure <ian <at> retrospec.tv>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 08 Mar 2025 15:41:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: guix-patches <at> gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 0/3] Update LibreWolf to 136.0-2 [security fixes]
Date: Sat,  8 Mar 2025 07:39:54 -0800
More complex update than usual.

- LW now requires nss >= 3.108.  Update nss-rapid to 3.109.
- LW now requires libpng-apng >= 1.6.46.  libpng is very low in the graph and
  needs to build on a branch.  #76798 updates it in core-packages-team, I
  added libpng-for-librewolf in the meantime.
- LW now needs icu4c >= 76.1, updated in #76750.  There's also a bug with
  this, which requires a workaround until (presumably) 136.0.1-1.
- Update firefox-l10n to the current HEAD.

 gnu/packages/librewolf.scm | 62 ++++++++++++++++++++++++++++++++------
 gnu/packages/nss.scm       |  6 ++--
 2 files changed, 56 insertions(+), 12 deletions(-)

-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:02 GMT)

Message #8 received at 76869 <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: 76869 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 2/3] gnu: firefox-l10n: Update to 24e2602d2221646fbbe92e908bed0d605acd2e8a.
Date: Sat,  8 Mar 2025 09:40:09 -0800
* gnu/packages/librewolf.scm (firefox-l10n): Update to 24e2602d2221646fbbe92e908bed0d605acd2e8a.

Change-Id: I32c4748b6d76c21cf1e4dadbb0859cb55fb9a2ef
---
 gnu/packages/librewolf.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 2a4bf3fada..7a356b6d91 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -117,14 +117,14 @@ (define (librewolf-source-origin version hash)
 (define computed-origin-method (@@ (guix packages) computed-origin-method))
 
 (define firefox-l10n
-  (let ((commit "d219efa7c64850dfb5904893e17a5431c7058192"))
+  (let ((commit "24e2602d2221646fbbe92e908bed0d605acd2e8a"))
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/mozilla-l10n/firefox-l10n.git")
             (commit commit)))
       (file-name (git-file-name "firefox-l10n" commit))
-      (sha256 (base32 "0g778fnxg5mkqm3rgryzl64f3n4pczngjdlby07vh2dycvmlyga8")))))
+      (sha256 (base32 "1xnldwgldls07m5hmm9wnln6g2vcar5w4k4918qkmakldaw6ang0")))))
 
 (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
   (let* ((ff-src (firefox-source-origin
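Review bot: the bump replaces one opaque commit id with another, and the cover letter says it is simply the current HEAD of mozilla-l10n/firefox-l10n, a repository that moves daily; add a comment above the `let` (or a line in the commit message) naming the Firefox release or date this commit was chosen for, so the next updater can pick the commit that matches the Firefox version being packaged instead of whatever HEAD happens to be. The `sha256` does pin the checkout contents, but only if the reviewer recomputes it from a fresh clone of that commit (`guix hash -x --serializer=nar` on the checkout) rather than taking the value in the patch on trust.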
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:03 GMT)

Message #11 received at 76869 <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: 76869 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 1/3] gnu: nss-rapid: Update to 3.109.
Date: Sat,  8 Mar 2025 09:40:08 -0800
* gnu/packages/nss.scm (nss-rapid): Update to 3.109.

Change-Id: I6afa0f9ab714aa26dcd17c6526e4b95be07b9eb9
---
 gnu/packages/nss.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 9b5d901063..8bcb593ed7 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -334,7 +334,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.107")
+   (version "3.109")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -345,7 +345,7 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "0ab7kpyg54aha86aw0ak70ckmfj1ih7d9x8mlrqhf59q7r3rczkz"))))
+               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
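Review bot: nothing in this hunk lets a reviewer tell whether `12y156...jnr95y` is the hash of the genuine nss-3.109 tarball or of whatever the submitter's download happened to produce; the hash is the only integrity anchor for this source, so please recompute it independently from the URI built above (`guix download` on that URL prints the base32 value) before merging, and say in the commit message that this was done. A mistyped value merely breaks the build, but a value derived from a tampered download would pin the tampered tarball.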
@@ -377,7 +377,7 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2024-11-29" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
    (synopsis "Network Security Services (Rapid Release)")
    (description
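Review bot: the `faketime` date is a second constant that has to move in step with `version`, and the comment only says "roughly the release date" without recording which release; put the date 3.109 was released (or the date you used) in the comment next to the version so the two cannot drift apart, since a frozen clock outside the validity window of the bundled test certificates fails the suite with a misleading error rather than pointing at this line. Stating in the commit message that `all.sh` was run with this date would also tell the reviewer the tests were actually exercised.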
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:03 GMT)

Message #14 received at 76869 <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: 76869 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 3/3] gnu: librewolf: Update to 136.0-2 [security fixes].
Date: Sat,  8 Mar 2025 09:40:10 -0800
CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
               the Browser process
CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
               animations
CVE-2025-1931: Use-after-free in WebTransportChild
CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
               out-of-bounds access
CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940: Android Intent confirmation prompt tapjacking using
               Select options
CVE-2024-9956: Passkey phishing within Bluetooth range
CVE-2025-1934: Unexpected GC during RegExp bailout processing
CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
               causes string to get longer
CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
               the interpretation of the contents
CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
               136, Firefox ESR 115.21, Firefox ESR 128.8, and
               Thunderbird 128.8
CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
               136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
               136

* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.

Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
---
 gnu/packages/librewolf.scm | 58 +++++++++++++++++++++++++++++++++-----
 1 file changed, 51 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 7a356b6d91..f65e8bc69f 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -200,23 +200,56 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
 ;;; but since in Guix only the latest packaged Rust is officially supported,
 ;;; it is a tradeoff worth making.
 ;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
-;; 135.0 wants 1.83, but it's not available in Guix yet.
+;; 136.0 wants 1.84, but it's not available in Guix yet.
 (define rust-librewolf rust-1.82)
 
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250209210057")
+(define %librewolf-build-id "20250306064037")
+
+;; Temporary, until 76798 merges into core-packages-team, and that merges into
+;; master.
+(define libpng-apng-for-librewolf
+  (hidden-package
+   (package
+     (inherit libpng-apng)
+     (version "1.6.46")
+     (source
+      (origin
+        (method url-fetch)
+        (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
+                                  version "/libpng-" version ".tar.xz")
+                   (string-append
+                    "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+                    "/libpng16/libpng-" version ".tar.xz")
+                   (string-append
+                    "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
+                    "/libpng16/libpng-" version ".tar.xz")))
+        (sha256
+         (base32
+          "1cbwf20zlm4gcv8rpjivkngrjgl5366w21lr9qmbk2lr0dq8papk"))))
+     (inputs
+      (modify-inputs (package-inputs libpng-apng)
+        (replace "apng"
+          (origin
+            (method url-fetch)
+            (uri
+             (string-append "mirror://sourceforge/libpng-apng/libpng16/"
+                            version "/libpng-" version "-apng.patch.gz"))
+            (sha256
+             (base32
+              "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "135.0-1")
+    (version "136.0-2")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
-      #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
+      #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
+      #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
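Review bot: the "Temporary, until 76798 merges" comment on `libpng-apng-for-librewolf` does not say what the follow-up is; add that the `libpng-apng-for-librewolf` input near the end of the file should go back to `libpng-apng` and this definition be deleted once libpng 1.6.46 reaches master, so the private copy does not outlive its reason. The `ftp://` mirror URIs copied from the original origin are acceptable only because the `sha256` pins the content, and the same applies to the new `#:firefox-hash` and `#:librewolf-hash` values: recompute them from independently downloaded tarballs rather than trusting the patch. Finally, the updated `rust-librewolf` comment records that 136.0 wants Rust 1.84 while the package keeps `rust-1.82`; the tradeoff note above covers the policy, but the commit message should state that this release was built and tested with 1.82.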
@@ -392,6 +425,17 @@ (define (write-setting key value)
                      (lambda _
                        (setenv "MOZ_BUILD_DATE"
                                #$%librewolf-build-id)))
+                   ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
+                   (add-before 'configure 'patch-icu-lookup
+                     (lambda _
+                       (let* ((file "js/moz.configure")
+                              (old-content (call-with-input-file file get-string-all)))
+                         (substitute* file
+                           (("icu-i18n >= 76.1" all)
+                            (string-append all ", icu-uc >= 76.1")))
+                         (if (string=? old-content
+                                       (pk (call-with-input-file file get-string-all)))
+                             (error "substitute did nothing, phase requires an update")))))
                    (replace 'configure
                      (lambda* (#:key inputs outputs configure-flags
                                #:allow-other-keys)
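Review bot: `pk` in the guard dumps the whole rewritten `js/moz.configure` into the build log on every build; it is a debugging aid and should be removed, leaving `(call-with-input-file file get-string-all)` on its own. The guard itself is the right pattern, because `substitute*` returns quietly when the literal `icu-i18n >= 76.1` is gone and the build would otherwise succeed unpatched; binding the second read in the `let*` and writing `(when (string=? old-content new-content) (error ...))` reads more naturally than a one-armed `if` and also fixes the line width Maxim raises below. A few words next to the bugzilla link saying what the workaround does (add `icu-uc` to the pkg-config requirement alongside `icu-i18n`) would save the reader a trip to the bug.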
@@ -671,7 +715,7 @@ (define (runpaths-of-input label)
                   gtk+
                   gtk+-2
                   hunspell
-                  icu4c-75
+                  icu4c-76
                   jemalloc
                   libcanberra
                   libevent
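Review bot: `icu4c-76` is not defined anywhere in this series; the cover letter says it comes from #76750, so these three patches only build on a master that already carries that change. Record the dependency in the commit message (a "Depends on #76750" line, or the commit id once it lands) so whoever applies the series knows the required order and does not end up with an unbound `icu4c-76` variable.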
@@ -679,7 +723,7 @@ (define (runpaths-of-input label)
                   libgnome
                   libjpeg-turbo
                   libnotify
-                  libpng-apng
+                  libpng-apng-for-librewolf
                   libva
                   libvpx
                   libwebp
-- 
2.48.1
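
Each of the three patches above is, at bottom, a hash bump: new `sha256 (base32 ...)` literals for nss, firefox-l10n, Firefox, LibreWolf and libpng. The only way a reviewer can check such a literal is to fetch the artifact independently and recompute the hash in the same notation. The following is an added example, not Guix's own code: it reimplements the Nix-style base32 encoding that `guix hash` prints (a 32-character alphabet without e, o, u and t, most significant bits first), extracts the 52-character literals from a package definition, and compares a local file against one of them. The bytes written by `self_check` are constructed sample data, not a real tarball.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The alphabet Guix and Nix use for hashes: base32 without e, o, u and t.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"
# A 32-byte SHA-256 digest needs ceil(256 / 5) = 52 of these digits.
SHA256_BASE32_LEN = (32 * 8 - 1) // 5 + 1


def nix_base32_encode(digest: bytes) -> str:
    """Encode raw digest bytes the way `guix hash` prints them.

    Digits are emitted from the most significant 5-bit group downwards,
    each group taken from a 16-bit window over two adjacent bytes.
    """
    n = len(digest)
    length = (n * 8 - 1) // 5 + 1
    out = []
    for idx in range(length - 1, -1, -1):
        i, j = divmod(idx * 5, 8)
        value = digest[i] >> j
        if i + 1 < n:
            value |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32_ALPHABET[value & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str) -> bytes:
    """Inverse of nix_base32_encode; rejects bad characters and padding."""
    length = len(text)
    n = length * 5 // 8
    digest = bytearray(n)
    for idx in range(length):
        char = text[length - 1 - idx]
        digit = NIX_BASE32_ALPHABET.find(char)
        if digit < 0:
            raise ValueError(f"not a nix base32 digit: {char!r}")
        i, j = divmod(idx * 5, 8)
        digest[i] |= (digit << j) & 0xFF
        if i + 1 < n:
            digest[i + 1] |= (digit >> (8 - j)) & 0xFF
        elif digit >> (8 - j):
            # Bits that do not fit in the last byte must be zero.
            raise ValueError("non-zero padding bits in nix base32 string")
    return bytes(digest)


def sha256_nix32(data: bytes) -> str:
    """SHA-256 of in-memory bytes as a Guix base32 literal."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def file_sha256_nix32(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large tarballs fit."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return nix_base32_encode(h.digest())


# Matches (base32 "...") literals in a Scheme package definition.  The
# character class is exactly the nix base32 alphabet, so a literal with an
# e/o/u/t typo is not matched and shows up as a missing hash.
HASH_LITERAL = re.compile(r'\(base32\s+"([0-9a-df-np-sv-z]{52})"\)')


def expected_hashes(scheme_source: str) -> list:
    """Return every sha256 literal found in a piece of Guix package source."""
    return HASH_LITERAL.findall(scheme_source)


def check_tarball(path: Path, expected: str) -> bool:
    """True if the file's hash equals the literal from the package definition."""
    if len(expected) != SHA256_BASE32_LEN:
        raise ValueError("expected a 52-character base32 sha256 literal")
    nix_base32_decode(expected)  # fail early on a malformed literal
    return file_sha256_nix32(path) == expected


def self_check() -> bool:
    """Write constructed sample bytes to a temp file and verify them."""
    sample = b"constructed sample, not a real tarball\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        name = tmp.name
    try:
        return check_tarball(Path(name), sha256_nix32(sample))
    finally:
        Path(name).unlink()
```

To check the nss bump, download the tarball that the `uri` expression in patch 1/3 builds and call `check_tarball(Path("nss-3.109.tar.gz"), "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")`; `expected_hashes` run over `nss.scm` pulls the literal out for you. This covers `url-fetch` origins only: a `git-fetch` origin such as firefox-l10n hashes a normalized archive (nar) of the checkout, which `guix hash -x --serializer=nar` computes and this script does not.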





Information forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Wed, 12 Mar 2025 03:40:02 GMT)

Message #17 received at 76869 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ian Eure <ian <at> retrospec.tv>
Cc: 76869 <at> debbugs.gnu.org
Subject: Re: [bug#76869] [PATCH 3/3] gnu: librewolf: Update to 136.0-2 [security fixes].
Date: Wed, 12 Mar 2025 12:39:26 +0900
Hi,

Ian Eure <ian <at> retrospec.tv> writes:

> CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
>                the Browser process
> CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
>                animations
> CVE-2025-1931: Use-after-free in WebTransportChild
> CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
>                out-of-bounds access
> CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
> CVE-2025-1940: Android Intent confirmation prompt tapjacking using
>                Select options
> CVE-2024-9956: Passkey phishing within Bluetooth range
> CVE-2025-1934: Unexpected GC during RegExp bailout processing
> CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
> CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
>                causes string to get longer
> CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
> CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
>                the interpretation of the contents
> CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
>                136, Firefox ESR 115.21, Firefox ESR 128.8, and
>                Thunderbird 128.8
> CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
>                136, Firefox ESR 128.8, and Thunderbird 128.8
> CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
>                136

Wooh!

[...]

>  ;; Update this id with every update to its release date.
>  ;; It's used for cache validation and therefore can lead to strange bugs.
>  ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20250209210057")
> +(define %librewolf-build-id "20250306064037")
> +
> +;; Temporary, until 76798 merges into core-packages-team, and that merges into
> +;; master.
> +(define libpng-apng-for-librewolf
> +  (hidden-package
> +   (package
> +     (inherit libpng-apng)

That package should be defined in (gnu packages libpng-apng), to avoid
cyclic import problems down the road (info "(guix) Cyclic Module
Dependencies").

>  (define-public librewolf
>    (package
>      (name "librewolf")
> -    (version "135.0-1")
> +    (version "136.0-2")
>      (source
>       (make-librewolf-source
>        #:version version
> -      #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
> -      #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
> +      #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
> +      #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
>        #:l10n firefox-l10n))
>      (build-system gnu-build-system)
>      (arguments
> @@ -392,6 +425,17 @@ (define (write-setting key value)
>                       (lambda _
>                         (setenv "MOZ_BUILD_DATE"
>                                 #$%librewolf-build-id)))
> +                   ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
> +                   (add-before 'configure 'patch-icu-lookup
> +                     (lambda _
> +                       (let* ((file "js/moz.configure")
> +                              (old-content (call-with-input-file file get-string-all)))
> +                         (substitute* file
> +                           (("icu-i18n >= 76.1" all)
> +                            (string-append all ", icu-uc >= 76.1")))
> +                         (if (string=? old-content
> +                                       (pk (call-with-input-file file get-string-all)))
> +                             (error "substitute did nothing, phase requires an update")))))

Please try to keep the max column width < 80 columns.  That's why we often
use something like the following, to keep the hanging indent small.

--8<---------------cut here---------------start------------->8---
 #:phases
 (list
  #~(modify-phases %standard-phases
     (add-after ...)))
--8<---------------cut here---------------end--------------->8---
     
Other than these small things, it LGTM.  I'll try testing it to see if
the localization issue I had mentioned is resolved.

Thanks for maintaining it!

-- 
Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#76869; Package guix-patches. (Wed, 12 Mar 2025 04:23:02 GMT)

Message #20 received at 76869 <at> debbugs.gnu.org:

From: Ian Eure <ian <at> retrospec.tv>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 76869 <at> debbugs.gnu.org
Subject: Re: [bug#76869] [PATCH 3/3] gnu: librewolf: Update to 136.0-2 [security fixes].
Date: Tue, 11 Mar 2025 21:21:57 -0700
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi,
>
> Ian Eure <ian <at> retrospec.tv> writes:
>
>> +;; Temporary, until 76798 merges into core-packages-team, and that merges into
>> +;; master.
>> +(define libpng-apng-for-librewolf
>> +  (hidden-package
>> +   (package
>> +     (inherit libpng-apng)
>
> That package should be defined in (gnu packages libpng-apng), to avoid
> cyclic import problems down the road (info "(guix) Cyclic Module
> Dependencies").

Huh, okay.  I’ll move it.

> Please try to keep the max column width < 80 columns.  That's why we often
> use something like the following, to keep the hanging indent small.

Ooh, yeah, some of these have gotten out of hand.

Will fix both issues and push.

> Other than these small things, it LGTM.  I'll try testing it to see
> if the localization issue I had mentioned is resolved.

I haven’t had a chance to look into this / compare with other LW 
packages, so I wouldn’t expect much.

> Thanks for maintaining it!

Happy to!  Thank you for the review.

 -- Ian




bug closed, send any further explanations to 76869 <at> debbugs.gnu.org and Ian Eure <ian <at> retrospec.tv>. Request was from Ian Eure <ian <at> retrospec.tv> to control <at> debbugs.gnu.org. (Wed, 12 Mar 2025 04:32:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 09 Apr 2025 11:24:19 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.