From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id 2MAyGwr9CGd4CAEAe85BDQ:P1 (envelope-from ) for ; Fri, 11 Oct 2024 10:25:14 +0000 Received: from aspmx1.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id 2MAyGwr9CGd4CAEAe85BDQ (envelope-from ) for ; Fri, 11 Oct 2024 12:25:14 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=qK+e3fwS; dkim=fail ("headers rsa verify failed") header.d=ultrarare.space header.s=dkim header.b=hpqGr49e; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1728642314; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=/aZ8htzcfKFb1q1s8kogFKy3IagYF6tN85NLds8TqO8=; b=VgfqYCwmaUSnTArpZTmCFCaFpWihrtdZr1eJy4HmoOw9j+hffL0O+gsR1EBMl30lRk0AQ5 RvdpJUAJozQ8tEt1LzkRrnola6d7XIOX2qgnVCsb4dFbeWJJY3XJnDEk9BbAaWyWysdPSF gbAzFcyaKyvKzj8dTaco4D+wOyh7D2wNEbTPNwv6IDA83m3NBSo3r6FCoL1BHkwUZId3bj 04GLy9pDsdXhBs+eh4XmScIHkT3XT6z6Cirby6WFjRQA/7EEGUD+I5zDHvc8+h1powXaQ5 m44zSeDwayRnvnujh9+r1yryUBYVaXGQ+ySESCmNn7Pw/N9qYJGlPs3VgMXU0A== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1728642314; a=rsa-sha256; cv=none; b=sEMR7dtjyGVztW6WV5xBAMlI1P31eTFcshNSS5JGAGSibEelDjH12Acu+/h4Dw8CZLrhus Or8WOokon39HKl36a7IPNcOQdg+9ssa6XCyE6OUqG7riKGq/AZzeWgPYAZL75CG+34uSsH WgWaXlRPFfYhoQOxp2XvTpAXG0jNBw8BpDN4mkSei3hE8/zlaZU5BXeCipNP971Pkmm7JU D2qYHIuhsH3fpe2/BjR+7vyNglYzucFIX0WtacTSHMp50IExF5P1Lgq4Oe6pi1M0UfmbWI 6rceNc2PurJadtLYbiqwI33W3liYLY6AvywExRmsGgvPleRVaTDF2Tx7glJSmA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=qK+e3fwS; dkim=fail ("headers rsa verify failed") header.d=ultrarare.space header.s=dkim header.b=hpqGr49e; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4350A5CECC for ; Fri, 11 Oct 2024 12:25:13 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1szCpH-0007Jg-Rf; Fri, 11 Oct 2024 06:24:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1szCpF-0007J5-LV for guix-patches@gnu.org; Fri, 11 Oct 2024 06:24:49 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1szCpF-0001DJ-D8 for guix-patches@gnu.org; Fri, 11 Oct 2024 06:24:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:From:Date:To:Subject; bh=/aZ8htzcfKFb1q1s8kogFKy3IagYF6tN85NLds8TqO8=; b=qK+e3fwSD/VnYM7YV2M9KAc0Q4q+n40oK2/R/EhOMx4hBc4K6HbBuBp8f/c28KwX1xj9to9ADY1Q6jkBQ2MRiKlGd5QlmKDg4DDJhs58m/vt4Qq7Tx+kxJwd83tiSnGzijt3PKHqmR3tkkrfhlvBfvM5O+UmAmKzBMedwsWxpwVQpkhWnfqp9vpiUER5q8pEfCZodKVbzVTRQtbPlVH1JrtYlMCZB+HRe7w++YUhiTbeUUsf71mPbmm56gjO2zzgasUg5cJHvsrwmSkOCcRNPAvUJWo/ywXVopS83jUQ3X/XHC+KrIB4kSnuR12H5bNR9YfKYiy/LCe7v/A1GZ3/GA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1szCpR-0000zl-TP for guix-patches@gnu.org; Fri, 11 Oct 2024 06:25:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#73742] [PATCH] gnu: librewolf: Update to 131.0.2-1 [security fixes]. Resent-From: Hilton Chain Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 11 Oct 2024 10:25:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 73742 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Ian Eure Cc: 73742@debbugs.gnu.org Received: via spool by 73742-submit@debbugs.gnu.org id=B73742.17286422933803 (code B ref 73742); Fri, 11 Oct 2024 10:25:01 +0000 Received: (at 73742) by debbugs.gnu.org; 11 Oct 2024 10:24:53 +0000 Received: from localhost ([127.0.0.1]:33569 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1szCpI-0000zH-Bh for submit@debbugs.gnu.org; Fri, 11 Oct 2024 06:24:52 -0400 Received: from mail.boiledscript.com ([144.168.59.46]:49208) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1szCpG-0000z3-M2 for 73742@debbugs.gnu.org; Fri, 11 Oct 2024 06:24:51 -0400 Date: Fri, 11 Oct 2024 18:22:50 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space; s=dkim; t=1728642270; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/aZ8htzcfKFb1q1s8kogFKy3IagYF6tN85NLds8TqO8=; b=hpqGr49e9IsucqAcyN3RXdAtvGUedSBF8qXIrDOETYkfeWm/KlcYgAqBEjP+VCUw8RctaE WbytmDzlvb/78TR03FNIa3+bkvmTq/YPbyiYT7xyU8IVxHG1TwUIo3h1Dq/GyOPYwMllKk 6upnr4d5vKfBNo61f0hAKJ+rVhivjyqiT/1WEVIjKeJ6+pfMIfcDArSmSQ7dOoeNZNtIdj EWLBMSOob9m+afZYq3j/bGYweh6LTy8e6MZmEOWBdHFRt61J+MXlnbjcg8RIrjfkV3QaGT w7bcknKV8PIw9+tiSy8enBVilju3FE+8mtoPrF36OCBDyM+VO5qdQ8eJ7H0nnQ== Message-ID: <87v7xz2b2d.wl-hako@ultrarare.space> In-Reply-To: <20241011044218.2449-1-ian@retrospec.tv> References: <20241011044218.2449-1-ian@retrospec.tv> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Spamd-Bar: -- X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Hilton Chain X-ACL-Warn: , Hilton Chain via Guix-patches From: Hilton Chain via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -3.32 X-Spam-Score: -3.32 X-Migadu-Queue-Id: 4350A5CECC X-Migadu-Scanner: mx13.migadu.com X-TUID: 5s8hWlyarleg Hi Ian, Thanks for the patch, I'll make two minor changes (see details below) when pushing it. On Fri, 11 Oct 2024 12:42:18 +0800, Ian Eure wrote: > > Updates the package and changes how the .desktop file is generated. The > .desktop file the package had been using was removed upstream. > > Fixes: > > CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus > for Android > CVE-2024-9392: Compromised content process can bypass site isolation > CVE-2024-9393: Cross-origin access to PDF contents through multipart responses > CVE-2024-9394: Cross-origin access to JSON contents through multipart > responses > CVE-2024-9395: Specially crafted filename could be used to obscure download > type > CVE-2024-9396: Potential memory corruption may occur when cloning certain > objects > CVE-2024-9397: Potential directory upload bypass via clickjacking > CVE-2024-9398: External protocol handlers could be enumerated via popups > CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of > service > CVE-2024-9400: Potential memory corruption during JIT compilation > CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, > Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 > CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, > Thunderbird 131, and Thunderbird 128.3 > CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 > CVE-2024-9680: Use-after-free in Animation timeline > > * gnu/packages/librewolf.scm (librewolf): Update to 131.0.2-1. > > Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec > --- > gnu/packages/librewolf.scm | 35 +++++++++++++---------------------- > 1 file changed, 13 insertions(+), 22 deletions(-) > > diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm > index 31de7a7171..4b91132d9b 100644 > --- a/gnu/packages/librewolf.scm > +++ b/gnu/packages/librewolf.scm > @@ -212,18 +212,18 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum. > ;; Update this id with every update to its release date. > ;; It's used for cache validation and therefore can lead to strange bugs. > ;; ex: date '+%Y%m%d%H%M%S' > -(define %librewolf-build-id "20241005085731") > +(define %librewolf-build-id "20241010143544") > > (define-public librewolf > (package > (name "librewolf") > - (version "130.0.1-1") > + (version "131.0.2-1") > (source > (origin > (inherit (make-librewolf-source > #:version version > - #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2" > - #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")))) > + #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4" > + #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7")))) > (build-system gnu-build-system) > (arguments > (list > @@ -619,33 +619,24 @@ (define (runpaths-of-input label) > (add-after 'wrap-program 'install-desktop-entry > (lambda* (#:key outputs #:allow-other-keys) > (let* ((desktop-file > - "taskcluster/docker/firefox-snap/firefox.desktop") > + "toolkit/mozapps/installer/linux/rpm/mozilla.desktop") > (applications (string-append #$output > "/share/applications"))) > (substitute* desktop-file > - (("^Exec=firefox") > + (("^Exec=@MOZ_APP_NAME@") > (string-append "Exec=" > #$output "/bin/librewolf")) 1. Add a %u[1] after "/bin/librewolf". [1]: https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html > - ;; "Firefox" -> "LibreWolf" everywhere > - (("Firefox") > + (("@MOZ_APP_DISPLAYNAME@") > "LibreWolf") > - ;; Remove non-Latin translations. > - (("^Name\\[(ar|bn)\\].*$") > - "") > - (("^Icon=.*") > + (("@MOZ_APP_REMOTINGNAME@") > + "LibreWolf") > + (("^Icon=@MOZ_APP_NAME@") > (string-append "Icon=" > #$output > - "/share/icons/hicolor/128x128/apps/librewolf.png > -")) > - ;; These commands were changed. > - (("-NewWindow") > - "-new-window") > - (("-NewPrivateWindow") > - "-new-private-window") > - (("StartupNotify=true") > - "StartupNotify=true\nStartupWMClass=LibreWolf")) > + "/share/icons/hicolor/128x128/apps/librewolf.png"))) > + > (copy-file desktop-file "librewolf.desktop") > - (install-file "librewolf.desktop" applications)))) > + (install-file "librewolf.desktop" (string-append applications))))) 2. Remove this string-append. > (add-after 'install-desktop-entry 'install-icons > (lambda* (#:key outputs #:allow-other-keys) > (let ((icon-source-dir (string-append #$output > -- > 2.46.0 > > > >