GNU bug report logs -
#76869
[PATCH 0/3] Update LibreWolf to 136.0-2 [security fixes]
Previous Next
Reported by: Ian Eure <ian <at> retrospec.tv>
Date: Sat, 8 Mar 2025 15:41:02 UTC
Severity: normal
Tags: patch
Done: Ian Eure <ian <at> retrospec.tv>
Bug is archived. No further changes may be made.
Full log
Message #17 received at 76869 <at> debbugs.gnu.org (full text, mbox):
Hi,
Ian Eure <ian <at> retrospec.tv> writes:
> CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
> the Browser process
> CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
> animations
> CVE-2025-1931: Use-after-free in WebTransportChild
> CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
> out-of-bounds access
> CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
> CVE-2025-1940: Android Intent confirmation prompt tapjacking using
> Select options
> CVE-2024-9956: Passkey phishing within Bluetooth range
> CVE-2025-1934: Unexpected GC during RegExp bailout processing
> CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
> CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
> causes string to get longer
> CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
> CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
> the interpretation of the contents
> CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 115.21, Firefox ESR 128.8, and
> Thunderbird 128.8
> CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 128.8, and Thunderbird 128.8
> CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
> 136
Wooh!
[...]
> ;; Update this id with every update to its release date.
> ;; It's used for cache validation and therefore can lead to strange bugs.
> ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20250209210057")
> +(define %librewolf-build-id "20250306064037")
> +
> +;; Temporary, until 76798 merges into core-packages-team, and that merges into
> +;; master.
> +(define libpng-apng-for-librewolf
> + (hidden-package
> + (package
> + (inherit libpng-apng)
That package should be defined in (gnu packages libpng-apng), to avoid
cyclic import problems down the road (info "(guix) Cyclic Module
Dependencies").
> (define-public librewolf
> (package
> (name "librewolf")
> - (version "135.0-1")
> + (version "136.0-2")
> (source
> (make-librewolf-source
> #:version version
> - #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
> - #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
> + #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
> + #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
> #:l10n firefox-l10n))
> (build-system gnu-build-system)
> (arguments
> @@ -392,6 +425,17 @@ (define (write-setting key value)
> (lambda _
> (setenv "MOZ_BUILD_DATE"
> #$%librewolf-build-id)))
> + ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
> + (add-before 'configure 'patch-icu-lookup
> + (lambda _
> + (let* ((file "js/moz.configure")
> + (old-content (call-with-input-file file get-string-all)))
> + (substitute* file
> + (("icu-i18n >= 76.1" all)
> + (string-append all ", icu-uc >= 76.1")))
> + (if (string=? old-content
> + (pk (call-with-input-file file get-string-all)))
> + (error "substitute did nothing, phase requires an update")))))
Please try to keep the max column width < 80 columns. That's why often
we use something like, to keep the hanging indent small.
--8<---------------cut here---------------start------------->8---
#:phases
(list
#~(modify-phases %standard-phases
(add-after ...)))
--8<---------------cut here---------------end--------------->8---
Other than these small things, it LGTM. I'll try testing it to see if
the localization issue I had mentioned is resolved.
Thanks for maintaining it!
--
Maxim
This bug report was last modified 73 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.