From: Ian Eure <ian@retrospec.tv>
To: 73429@debbugs.gnu.org
Cc: "André Batista" <nandre@riseup.net>,
mhw@netris.org, jonathan.brielmaier@web.de,
"Ian Eure" <ian@retrospec.tv>
Subject: [bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes]
Date: Sun, 22 Sep 2024 13:53:42 -0700 [thread overview]
Message-ID: <20240922205343.21437-2-ian@retrospec.tv> (raw)
In-Reply-To: <20240922205343.21437-1-ian@retrospec.tv>
This patch:
- Updates LibreWolf to the latest version
- Removes the code which disabled encoding_rs.patch from upstream. It’s no
longer in the repo, so the code did nothing, and the underlying issue (Guix
being stuck with an old Rust version) has been fixed.
- Integrates changes from #72265 with some slight tweaks. This should allow
LibreWolf to use accelerated video decoding on supported hardware.
- Neuters the GenAI chat feature, which direcly integrates with non-free
services, by excluding it from the build and locking the preferences which
would enable it.
Fixes:
CVE-2024-8385: WASM type confusion involving ArrayTypes
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
CVE-2024-8383: Firefox did not ask before openings news: links in an external application
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
* gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
---
gnu/packages/librewolf.scm | 55 ++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 21f73f799d..bade479656 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -117,9 +117,11 @@ (define (librewolf-source-origin version hash)
(define computed-origin-method (@@ (guix packages) computed-origin-method))
(define librewolf-source
- (let* ((ff-src (firefox-source-origin "129.0.1" "0wy0fn0pavlhlkdybr59hhbn5ng0zn56mxa7gsknf8f2whiyipwx"))
- (version "129.0.1-1")
- (lw-src (librewolf-source-origin version "0pvv3v23q31hdjvqi1f3cqfyjrb8dbrrbfwxj2wacak1g0mzbxf4")))
+ (let* ((ff-src (firefox-source-origin "130.0"
+ "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"))
+ (lw-src (librewolf-source-origin
+ "130.0.1-1"
+ "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")))
(origin
(method computed-origin-method)
@@ -164,11 +166,6 @@ (define librewolf-source
(("^ff_source_tarball:=.*")
(string-append "ff_source_tarball:=" #+ff-src)))
- ;; Remove encoding_rs patch, it doesn't build with Rust 1.75.
- (substitute* '("assets/patches.txt")
- (("patches/encoding_rs.patch\\\n$")
- ""))
-
;; Stage locales.
(begin
(format #t "Staging locales...~%")
@@ -215,13 +212,17 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20240817075827")
+(define %librewolf-build-id "20240922110507")
(define-public librewolf
(package
(name "librewolf")
- (version "129.0.1-1")
- (source librewolf-source)
+ (version "130.0.1-1")
+ (source
+ (origin
+ (inherit librewolf-source)
+ (patches
+ (search-patches "librewolf-add-paths-to-rdd-allowlist.patch"))))
(build-system gnu-build-system)
(arguments
(list
@@ -318,6 +319,22 @@ (define (write-setting key value)
(substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
(("libavcodec\\.so")
libavcodec)))))
+ (add-after 'unpack 'neuter-genai
+ (lambda* _
+ ;; Don't compile the code in.
+ (substitute* "browser/components/moz.build"
+ (("\"genai\",") ""))
+ ;; Lock the preferences so they can't be enabled.
+ (substitute* "lw/librewolf.cfg"
+ (("defaultPref\\(\"browser\\.ml\\.")
+ "lockPref(\"browser.ml."))
+ ;; Correct a preference typo
+ ;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954
+ ;; Remove this in the next update.
+ (substitute* "lw/librewolf.cfg"
+ (("browser\\.ml\\.enabled")
+ "browser.ml.enable"))
+ ))
(add-after 'patch-source-shebangs 'patch-cargo-checksums
(lambda _
(use-modules (guix build cargo-utils))
@@ -575,26 +592,12 @@ (define (runpaths-of-input label)
;; For U2F and WebAuthn
"eudev")))
- ;; VA-API is run in the RDD (Remote Data Decoder) sandbox
- ;; and must be explicitly given access to files it needs.
- ;; Rather than adding the whole store (as Nix had
- ;; upstream do, see
- ;; <https://github.com/NixOS/nixpkgs/pull/165964> and
- ;; linked upstream patches), we can just follow the
- ;; runpaths of the needed libraries to add everything to
- ;; LD_LIBRARY_PATH. These will then be accessible in the
- ;; RDD sandbox.
- (rdd-whitelist (map (cut string-append <> "/")
- (delete-duplicates (append-map
- runpaths-of-input
- '("mesa"
- "ffmpeg")))))
(gtk-share (string-append (assoc-ref inputs
"gtk+")
"/share")))
(wrap-program (car (find-files lib "^librewolf$"))
`("LD_LIBRARY_PATH" prefix
- (,@libs ,@rdd-whitelist))
+ ,libs)
`("XDG_DATA_DIRS" prefix
(,gtk-share))
`("MOZ_LEGACY_PROFILES" =
--
2.46.0
next prev parent reply other threads:[~2024-09-22 20:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-22 20:51 [bug#73429] [PATCH 0/3] Update LibreWolf to 130.0.1-1 & nss-rapid to 3.104 [security fixes] Ian Eure
2024-09-22 20:53 ` [bug#73429] [PATCH 1/3] gnu: nss-rapid: Update to 3.104 Ian Eure
2024-09-22 20:53 ` Ian Eure [this message]
2024-09-24 8:17 ` [bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes] Andrew Tropin via Guix-patches via
2024-09-22 20:53 ` [bug#73429] [PATCH 3/3] gnu: librewolf-source: Turn into a procedure Ian Eure
2024-09-23 14:47 ` [bug#73429] [PATCH v2 0/3] Update LibreWolf to 130.0.1-1 & nss-rapid to 3.104 [security fixes] Ian Eure
2024-09-23 14:47 ` [bug#73429] [PATCH v2 1/3] gnu: nss-rapid: Update to 3.104 Ian Eure
2024-09-23 14:47 ` [bug#73429] [PATCH v2 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes] Ian Eure
2024-09-23 14:47 ` [bug#73429] [PATCH v2 3/3] gnu: librewolf-source: Turn into a procedure Ian Eure
2024-09-24 7:11 ` bug#73429: [PATCH v2 0/3] Update LibreWolf to 130.0.1-1 & nss-rapid to 3.104 [security fixes] Andrew Tropin via Guix-patches via
2024-09-27 3:46 ` [bug#73429] closed (Re: [bug#73429] [PATCH v2 0/3] Update LibreWolf to 130.0.1-1 & nss-rapid to 3.104 [security fixes]) John Kehayias via Guix-patches via
2024-09-27 15:52 ` [bug#73429] [PATCH v2 0/3] Update LibreWolf to 130.0.1-1 & nss-rapid to 3.104 [security fixes] not emma via Guix-patches via
2024-09-27 16:14 ` Ian Eure
2024-09-27 16:22 ` not emma via Guix-patches via
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240922205343.21437-2-ian@retrospec.tv \
--to=ian@retrospec.tv \
--cc=73429@debbugs.gnu.org \
--cc=jonathan.brielmaier@web.de \
--cc=mhw@netris.org \
--cc=nandre@riseup.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).