From: Ian Eure <ian@retrospec.tv>
To: 74070@debbugs.gnu.org
Cc: Ian Eure <ian@retrospec.tv>
Subject: [bug#74070] [PATCH v2 2/2] gnu: librewolf: Update to 132.0-1 [security fixes].
Date: Wed,  6 Nov 2024 06:26:00 -0800	[thread overview]
Message-ID: <20241106142600.3116-3-ian@retrospec.tv> (raw)
In-Reply-To: <20241106142600.3116-1-ian@retrospec.tv>

New upstream version.  The 132.0-2-1 release switches to the firefox-l10n
repository, necessitating rework of locale handling.

131.0.3-1 fixes CVEs:

CVE-2024-9936: Undefined behavior in selection node cache

132.0-1 fixes CVEs:

CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol
                handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in
                multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long
                URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a
                Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird
                132, Firefox ESR 128.4, and Thunderbird 128.4

* gnu/packages/librewolf.scm (librewolf): Update to 132.0-1.

Change-Id: I4afbcb496a8b0a329254762259cd1598d574761e
---
 gnu/packages/librewolf.scm                    | 68 +++++++------------
 .../librewolf-neuter-locale-download.patch    | 17 +++++
 2 files changed, 41 insertions(+), 44 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-neuter-locale-download.patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index d696a3058f..6517c1953d 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -111,10 +111,21 @@ (define (librewolf-source-origin version hash)
           (commit version)
           (recursive? #t)))
     (file-name (git-file-name "librewolf-source" version))
+    (patches (search-patches "librewolf-neuter-locale-download.patch"))
     (sha256 (base32 hash))))
 
 (define computed-origin-method (@@ (guix packages) computed-origin-method))
 
+(define firefox-l10n
+  (let ((commit "bdfd4e10606204450a3e88d219ecf2b252349c2b"))
+    (origin
+      (method git-fetch)
+      (uri (git-reference
+            (url "https://github.com/mozilla-l10n/firefox-l10n.git")
+            (commit commit)))
+      (file-name (git-file-name "firefox-l10n" commit))
+      (sha256 (base32 "0i31b1024jck6467j9phcqvac32psl4nkyb0nm4h9zzyj8zw31xp")))))
+
 (define* (make-librewolf-source #:key version firefox-hash librewolf-hash)
   (let* ((ff-src (firefox-source-origin
                   (car (string-split version #\-))
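Review bot: The new `firefox-l10n` origin pins a bare commit with nothing that ties it to the browser release, so a later version bump can leave the locales at the 132.0 snapshot without anyone noticing. The pin and its `sha256` are what replace the upstream build-time fetch of the `main` branch, so that relationship deserves recording. I would add a comment above the definition such as `;; Update this commit together with the librewolf version; it replaces the upstream build-time download of firefox-l10n.` The body of `make-librewolf-source` continues outside the hunk.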
@@ -168,34 +179,10 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash)
 
                ;; Stage locales.
                (begin
-                 (format #t "Staging locales...~%")
-                 (force-output)
-                 (mkdir "l10n-staging")
-                 (with-directory-excursion "l10n-staging"
-                   (for-each
-                    (lambda (locale-dir)
-                      (let ((locale
-                             (string-drop
-                              (basename locale-dir)
-                              (+ 32     ; length of hash
-                                 (string-length "-mozilla-locale-")))))
-                        (format #t "  ~a~%" locale)
-                        (force-output)
-                        (copy-recursively locale-dir locale
-                                          #:log (%make-void-port "w"))
-                        (for-each make-file-writable (find-files locale))
-                        (with-directory-excursion locale
-                          (when (file-exists? ".hgtags")
-                            (delete-file ".hgtags")))))
-                    '#+all-mozilla-locales)))
-
-               ;; Patch build script to use staged locales.
-               (begin
-                 (substitute* '("scripts/generate-locales.sh")
-                   (("wget") "# wget")
-                   (("unzip") "# unzip")
-                   (("mv browser/locales/l10n/\\$1-\\*/")
-                    "mv ../l10n-staging/$1/")))
+                 (substitute* "scripts/librewolf-patches.py"
+                   (("l10n_dir = Path(\"..\", \"l10n\")")
+                    (string-append
+                     "l10n_dir = \"" #+firefox-l10n "\""))))
 
                ;; Run the build script
                (invoke "make" "all")
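Review bot: The pattern on the `l10n_dir = Path(...)` line leaves its parentheses and dots unescaped. As far as I know `substitute*` treats patterns as extended regular expressions, so the parentheses form a group and the literal `Path("..", "l10n")` in `scripts/librewolf-patches.py` would presumably not match. Other substitutions in this file escape them (`defaultPref\\(` further down), and `substitute*` does not complain about a pattern that never matches, so the locale directory could silently stay at the upstream value. I would write the pattern as `(("l10n_dir = Path\\(\"\\.\\.\", \"l10n\"\\)")`. The enclosing `make-librewolf-source` starts and ends outside the hunk.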
@@ -212,18 +199,17 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20241010143544")
+(define %librewolf-build-id "20241105185710")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "131.0.2-1")
+    (version "132.0-1")
     (source
-     (origin
-      (inherit (make-librewolf-source
-                #:version version
-                #:firefox-hash "05knnwfxqd3mb6a5y2yh73sn4g648dxnz9kpkmpj9madr55863h4"
-                #:librewolf-hash "1knx485kdjv8d0rn5ai1x1jp0403dvxz9m7lpim1y2d2ilyi26x7"))))
+     (make-librewolf-source
+      #:version version
+      #:firefox-hash "0zjwqn13rbzyxa3f63mvz5xv0158bsvr2llpqrh48davi52b2249"
+      #:librewolf-hash "1kfpcv89kh2521f3c296asjizb1swb15mfkkkrlis9ncm1gp6fw6"))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -325,14 +311,7 @@ (define (write-setting key value)
                        ;; Lock the preferences so they can't be enabled.
                        (substitute* "lw/librewolf.cfg"
                          (("defaultPref\\(\"browser\\.ml\\.")
-                          "lockPref(\"browser.ml."))
-                       ;; Correct a preference typo
-                       ;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954
-                       ;; Remove this in the next update.
-                       (substitute* "lw/librewolf.cfg"
-                                    (("browser\\.ml\\.enabled")
-                                     "browser.ml.enable"))
-                       ))
+                          "lockPref(\"browser.ml."))))
                    (add-after 'patch-source-shebangs 'patch-cargo-checksums
                      (lambda _
                        (use-modules (guix build cargo-utils))
@@ -417,6 +396,7 @@ (define (write-setting key value)
                                (which "bash"))
                        (setenv "MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE"
                                "system")
+                       (setenv "LANG" "en_US.utf8")
                        ;; This should use the host info probably (does it
                        ;; build on non-x86_64 though?)
                        (setenv "GUIX_PYTHONPATH"
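Review bot: The added `(setenv "LANG" "en_US.utf8")` carries no comment saying which build step needs it, which makes it hard to tell later whether it can be dropped. Given that the commit reworks locale handling it presumably serves the Python l10n tooling, but nothing visible here establishes that. I would put a one-line comment above it, for example `;; The l10n build scripts need a UTF-8 locale (confirm).` The enclosing phase starts and ends outside the hunk.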
@@ -625,7 +605,7 @@ (define (runpaths-of-input label)
                          (substitute* desktop-file
                            (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
-                                           #$output "/bin/librewolf %u"))
+                                           #$output "/bin/librewolf"))
                            (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
                            (("@MOZ_APP_REMOTINGNAME@")
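Review bot: Dropping `%u` from the `Exec=` replacement is not mentioned in the commit message, and without that field code a desktop environment launches the browser without the URL it was asked to open. The pattern matches only up to `@MOZ_APP_NAME@`, so if the upstream template now carries ` %u` after the name, the rest of the line is kept and this change correctly avoids a doubled `%u`. In that case a comment such as `;; The template already ends the Exec line with %u.` would record the reason. If the template does not carry it, the field code should stay. The surrounding phase starts and ends outside the hunk.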
diff --git a/gnu/packages/patches/librewolf-neuter-locale-download.patch b/gnu/packages/patches/librewolf-neuter-locale-download.patch
new file mode 100644
index 0000000000..da300542f5
--- /dev/null
+++ b/gnu/packages/patches/librewolf-neuter-locale-download.patch
@@ -0,0 +1,17 @@
+diff --git a/scripts/librewolf-patches.py b/scripts/librewolf-patches.py
+index 48dc6bc..01a6c58 100755
+--- a/scripts/librewolf-patches.py
++++ b/scripts/librewolf-patches.py
+@@ -147,12 +147,6 @@ def librewolf_patches():
+         with open(file, "w") as f:
+             f.write("{}-{}".format(version,release))
+ 
+-    print("-> Downloading locales from https://github.com/mozilla-l10n/firefox-l10n")
+-    with TemporaryDirectory() as tmpdir:
+-        exec(f"wget -qO {tmpdir}/l10n.zip 'https://codeload.github.com/mozilla-l10n/firefox-l10n/zip/refs/heads/main'")
+-        exec(f"unzip -qo {tmpdir}/l10n.zip -d {tmpdir}/l10n")
+-        exec(f"mv {tmpdir}/l10n/firefox-l10n-main lw/l10n")
+-
+     print("-> Patching appstrings.properties")
+     # Why is "Firefox" hardcoded there???
+     exec("find . -path '*/appstrings.properties' -exec sed -i s/Firefox/LibreWolf/ {} \;")
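Review bot: The new patch file does not appear to be registered in `gnu/local.mk`. The diffstat lists only `gnu/packages/librewolf.scm` and the patch itself, and patches referenced through `search-patches` are expected to be listed there so they ship with the distribution. The patch also has no header explaining why the download step is removed. A short description at the top would help, along the lines of `Do not download firefox-l10n at build time; Guix supplies a pinned, hash-checked checkout instead.`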
-- 
2.46.0




