unofficial mirror of guix-patches@gnu.org 
* [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
@ 2024-10-11  4:42 Ian Eure
  2024-10-11  8:36 ` [bug#73742] QA review for 73742 Rutherther via Guix-patches via
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ian Eure @ 2024-10-11  4:42 UTC (permalink / raw)
  To: 73742; +Cc: Ian Eure

Updates the package and changes how the .desktop file is generated.  The
.desktop file the package had been using was removed upstream.

Fixes:

CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
               for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
               responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
               type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
               objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
               service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
               Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
               Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline

* gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.

Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
---
 gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
 1 file changed, 13 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 31de7a7171..4b91132d9b 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241005085731")
+(define %librewolf-build-id "20241010143544")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "130.0.1-1")
+    (version "131.0.2-1")
     (source
      (origin
       (inherit (make-librewolf-source
                 #:version version
-                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
-                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
+                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
+                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
     (build-system gnu-build-system)
     (arguments
      (list
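Review bot: the new %librewolf-build-id value "20241010143544" has no stated source. The comment above it says the id follows the release date and is used for cache validation, but the example command, date '+%Y%m%d%H%M%S', prints the current local time. A reviewer therefore cannot tell from the patch whether this timestamp is the upstream release date or the moment the patch was prepared. Name the source of the value in the commit message, or extend the comment to say where the release timestamp is read from. The @@ context line also still gives 1.65 as the minimum Rust version; confirm that comment holds for 131.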
@@ -619,33 +619,24 @@ (define (runpaths-of-input label)
                    (add-after 'wrap-program 'install-desktop-entry
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let* ((desktop-file
-                               "taskcluster/docker/firefox-snap/firefox.desktop")
+                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
                               (applications (string-append #$output
                                              "/share/applications")))
                          (substitute* desktop-file
-                           (("^Exec=firefox")
+                           (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
                                            #$output "/bin/librewolf"))
-                           ;; "Firefox" -> "LibreWolf" everywhere
-                           (("Firefox")
+                           (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
-                           ;; Remove non-Latin translations.
-                           (("^Name\\[(ar|bn)\\].*$")
-                            "")
-                           (("^Icon=.*")
+                           (("@MOZ_APP_REMOTINGNAME@")
+                            "LibreWolf")
+                           (("^Icon=@MOZ_APP_NAME@")
                             (string-append "Icon="
                              #$output
-                             "/share/icons/hicolor/128x128/apps/librewolf.png
-"))
-                           ;; These commands were changed.
-                           (("-NewWindow")
-                            "-new-window")
-                           (("-NewPrivateWindow")
-                            "-new-private-window")
-                           (("StartupNotify=true")
-                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
+                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
+
                          (copy-file desktop-file "librewolf.desktop")
-                         (install-file "librewolf.desktop" applications))))
+                         (install-file "librewolf.desktop" (string-append applications)))))
                    (add-after 'install-desktop-entry 'install-icons
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((icon-source-dir (string-append #$output
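Review bot: the substitutions in 'install-desktop-entry now match exact template tokens ("^Exec=@MOZ_APP_NAME@", "^Icon=@MOZ_APP_NAME@"), where the old "^Icon=.*" matched any value. If upstream renames a token or adds a new one, the pattern stops matching and the .desktop file is installed with a literal @...@ placeholder in its Exec= or Icon= line; nothing in this phase checks for that. Consider verifying after substitute* that no "@MOZ_" string is left in the file and failing the phase if one is. Separately, the added blank line before copy-file and the one-argument (string-append applications) can both go; plain applications is enough.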
-- 
2.46.0






* [bug#73742] QA review for 73742
  2024-10-11  4:42 [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes] Ian Eure
@ 2024-10-11  8:36 ` Rutherther via Guix-patches via
  2024-10-11 10:22 ` [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes] Hilton Chain via Guix-patches via
  2024-10-11 10:50 ` bug#73742: " Hilton Chain via Guix-patches via
  2 siblings, 0 replies; 4+ messages in thread
From: Rutherther via Guix-patches via @ 2024-10-11  8:36 UTC (permalink / raw)
  To: control, 73742; +Cc: Ian Eure

user guix
usertag 73742 + reviewed-looks-good
thanks

Applies and builds fine, works fine. This is probably quite critical
as there is a vulnerability that is reported to be exploited
in the wild by Mozilla regarding animations.
See https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Apart from the security fixes, this seems to also fix sound
problems for me that I had with the previous version. Or maybe
some dependency update caused this, not sure.

Regards,
Rutherther





* [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
  2024-10-11  4:42 [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes] Ian Eure
  2024-10-11  8:36 ` [bug#73742] QA review for 73742 Rutherther via Guix-patches via
@ 2024-10-11 10:22 ` Hilton Chain via Guix-patches via
  2024-10-11 10:50 ` bug#73742: " Hilton Chain via Guix-patches via
  2 siblings, 0 replies; 4+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-10-11 10:22 UTC (permalink / raw)
  To: Ian Eure; +Cc: 73742

Hi Ian,

Thanks for the patch, I'll make two minor changes (see details below) when
pushing it.

On Fri, 11 Oct 2024 12:42:18 +0800,
Ian Eure wrote:
>
> Updates the package and changes how the .desktop file is generated.  The
> .desktop file the package had been using was removed upstream.
>
> Fixes:
>
> CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
>                for Android
> CVE-2024-9392: Compromised content process can bypass site isolation
> CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
> CVE-2024-9394: Cross-origin access to JSON contents through multipart
>                responses
> CVE-2024-9395: Specially crafted filename could be used to obscure download
>                type
> CVE-2024-9396: Potential memory corruption may occur when cloning certain
>                objects
> CVE-2024-9397: Potential directory upload bypass via clickjacking
> CVE-2024-9398: External protocol handlers could be enumerated via popups
> CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
>                service
> CVE-2024-9400: Potential memory corruption during JIT compilation
> CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
>                Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
>                Thunderbird 131, and Thunderbird 128.3
> CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
> CVE-2024-9680: Use-after-free in Animation timeline
>
> * gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1.
>
> Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
> ---
>  gnu/packages/librewolf.scm | 35 +++++++++++++----------------------
>  1 file changed, 13 insertions(+), 22 deletions(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 31de7a7171..4b91132d9b 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
>  ;; Update this id with every update to its release date.
>  ;; It's used for cache validation and therefore can lead to strange bugs.
>  ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20241005085731")
> +(define %librewolf-build-id "20241010143544")
>
>  (define-public librewolf
>    (package
>      (name "librewolf")
> -    (version "130.0.1-1")
> +    (version "131.0.2-1")
>      (source
>       (origin
>        (inherit (make-librewolf-source
>                  #:version version
> -                #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"
> -                #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))))
> +                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
> +                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list
> @@ -619,33 +619,24 @@ (define (runpaths-of-input label)
>                     (add-after 'wrap-program 'install-desktop-entry
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let* ((desktop-file
> -                               "taskcluster/docker/firefox-snap/firefox.desktop")
> +                               "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
>                                (applications (string-append #$output
>                                               "/share/applications")))
>                           (substitute* desktop-file
> -                           (("^Exec=firefox")
> +                           (("^Exec=@MOZ_APP_NAME@")
>                              (string-append "Exec="
>                                             #$output "/bin/librewolf"))

1. Add a %u[1] after "/bin/librewolf".

[1]: https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html

> -                           ;; "Firefox" -> "LibreWolf" everywhere
> -                           (("Firefox")
> +                           (("@MOZ_APP_DISPLAYNAME@")
>                              "LibreWolf")
> -                           ;; Remove non-Latin translations.
> -                           (("^Name\\[(ar|bn)\\].*$")
> -                            "")
> -                           (("^Icon=.*")
> +                           (("@MOZ_APP_REMOTINGNAME@")
> +                            "LibreWolf")
> +                           (("^Icon=@MOZ_APP_NAME@")
>                              (string-append "Icon="
>                               #$output
> -                             "/share/icons/hicolor/128x128/apps/librewolf.png
> -"))
> -                           ;; These commands were changed.
> -                           (("-NewWindow")
> -                            "-new-window")
> -                           (("-NewPrivateWindow")
> -                            "-new-private-window")
> -                           (("StartupNotify=true")
> -                            "StartupNotify=true\nStartupWMClass=LibreWolf"))
> +                             "/share/icons/hicolor/128x128/apps/librewolf.png")))
> +
>                           (copy-file desktop-file "librewolf.desktop")
> -                         (install-file "librewolf.desktop" applications))))
> +                         (install-file "librewolf.desktop" (string-append applications)))))

2. Remove this string-append.

>                     (add-after 'install-desktop-entry 'install-icons
>                       (lambda* (#:key outputs #:allow-other-keys)
>                         (let ((icon-source-dir (string-append #$output
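Review bot: the removed rules for "^Name\\[(ar|bn)\\].*$", "-NewWindow" and "-NewPrivateWindow" are dropped without explanation; the commit message only says the old .desktop file was removed upstream. Add a sentence to the commit message stating that the new mozilla.desktop template contains none of those strings, so a later reader does not have to compare the two upstream files to confirm the rules were dead rather than forgotten.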
> --
> 2.46.0
>
>
>
>





* bug#73742: [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes].
  2024-10-11  4:42 [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes] Ian Eure
  2024-10-11  8:36 ` [bug#73742] QA review for 73742 Rutherther via Guix-patches via
  2024-10-11 10:22 ` [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes] Hilton Chain via Guix-patches via
@ 2024-10-11 10:50 ` Hilton Chain via Guix-patches via
  2 siblings, 0 replies; 4+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-10-11 10:50 UTC (permalink / raw)
  To: Ian Eure; +Cc: Rutherther, 73742-done

Hi Ian, and Rutherther, thank you for the review.

Applied as cdb262e993a2ffdf49f7995cc12fa523d4578c05 with changes mentioned in my
previous mail.

Thanks




Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
