Subject: [bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes]
From: Andrew Tropin
To: Ian Eure, 73429@debbugs.gnu.org
Cc: André Batista, mhw@netris.org, jonathan.brielmaier@web.de, Ian Eure
Date: Tue, 24 Sep 2024 12:17:50 +0400
Message-ID: <87cyktv51t.fsf@trop.in>
In-Reply-To: <20240922205343.21437-2-ian@retrospec.tv>
References: <20240922205343.21437-1-ian@retrospec.tv> <20240922205343.21437-2-ian@retrospec.tv>

On 2024-09-22 13:53, Ian Eure wrote:
> This patch:
>
> - Updates LibreWolf to the latest version
> - Removes the code which disabled encoding_rs.patch from upstream. It’s no
> longer in the repo, so the code did nothing, and the underlying issue (Guix
> being stuck with an old Rust version) has been fixed.
> - Integrates changes from #72265 with some slight tweaks. This should allow
> LibreWolf to use accelerated video decoding on supported hardware.
> - Neuters the GenAI chat feature, which directly integrates with non-free
> services, by excluding it from the build and locking the preferences which
> would enable it.
>
> Fixes:
> CVE-2024-8385: WASM type confusion involving ArrayTypes
> CVE-2024-8381: Type confusion when looking up a property name in a "with" block
> CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
> CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
> CVE-2024-8383: Firefox did not ask before openings news: links in an external application
> CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
> CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
> CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
> CVE-2024-8389: Memory safety bugs fixed in Firefox 130
>
> * gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
> > Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a > --- > gnu/packages/librewolf.scm | 55 ++++++++++++++++++++------------------ > 1 file changed, 29 insertions(+), 26 deletions(-) > > diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm > index 21f73f799d..bade479656 100644 > --- a/gnu/packages/librewolf.scm > +++ b/gnu/packages/librewolf.scm > @@ -117,9 +117,11 @@ (define (librewolf-source-origin version hash) > (define computed-origin-method (@@ (guix packages) computed-origin-metho= d)) >=20=20 > (define librewolf-source > - (let* ((ff-src (firefox-source-origin "129.0.1" "0wy0fn0pavlhlkdybr59h= hbn5ng0zn56mxa7gsknf8f2whiyipwx")) > - (version "129.0.1-1") > - (lw-src (librewolf-source-origin version "0pvv3v23q31hdjvqi1f3c= qfyjrb8dbrrbfwxj2wacak1g0mzbxf4"))) > + (let* ((ff-src (firefox-source-origin "130.0" > + "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"= )) > + (lw-src (librewolf-source-origin > + "130.0.1-1" > + "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"= ))) >=20=20 > (origin > (method computed-origin-method) > @@ -164,11 +166,6 @@ (define librewolf-source > (("^ff_source_tarball:=3D.*") > (string-append "ff_source_tarball:=3D" #+ff-src))) >=20=20 > - ;; Remove encoding_rs patch, it doesn't build with Rust 1= .75. > - (substitute* '("assets/patches.txt") > - (("patches/encoding_rs.patch\\\n$") > - "")) > - > ;; Stage locales. > (begin > (format #t "Staging locales...~%") 
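Review bot: the version string "130.0.1-1" is now spelled out twice, once in the let* of librewolf-source here and again in the package's (version "130.0.1-1") field, because this hunk drops the `(version "129.0.1-1")` binding that the previous code reused for lw-src; the two literals can drift apart on the next update, so consider keeping a single binding (or deriving librewolf-source from the package version) instead of duplicating it. Not a blocker.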
> @@ -215,13 +212,17 @@ (define rust-librewolf rust) ; 1.75 is the default = in Guix, 1.65 is the minimum. > ;; Update this id with every update to its release date. > ;; It's used for cache validation and therefore can lead to strange bugs. > ;; ex: date '+%Y%m%d%H%M%S' > -(define %librewolf-build-id "20240817075827") > +(define %librewolf-build-id "20240922110507") >=20=20 > (define-public librewolf > (package > (name "librewolf") > - (version "129.0.1-1") > - (source librewolf-source) > + (version "130.0.1-1") > + (source > + (origin > + (inherit librewolf-source) > + (patches > + (search-patches "librewolf-add-paths-to-rdd-allowlist.patch")))) It seems I was too hasty, the patch adding /gnu/store and /run/current-system/profile/lib to whitelist is not in the guix repo yet. Will add it in a few minutes. > (build-system gnu-build-system) > (arguments > (list > @@ -318,6 +319,22 @@ (define (write-setting key value) > (substitute* "dom/media/platforms/ffmpeg/FFmpeg= RuntimeLinker.cpp" > (("libavcodec\\.so") > libavcodec))))) > + (add-after 'unpack 'neuter-genai > + (lambda* _ > + ;; Don't compile the code in. > + (substitute* "browser/components/moz.build" > + (("\"genai\",") "")) > + ;; Lock the preferences so they can't be enabled. > + (substitute* "lw/librewolf.cfg" > + (("defaultPref\\(\"browser\\.ml\\.") > + "lockPref(\"browser.ml.")) > + ;; Correct a preference typo > + ;; see https://codeberg.org/librewolf/issues/issu= es/1919#issuecomment-2325954 > + ;; Remove this in the next update. > + (substitute* "lw/librewolf.cfg" > + (("browser\\.ml\\.enabled") > + "browser.ml.enable")) > + )) > (add-after 'patch-source-shebangs 'patch-cargo-checks= ums > (lambda _ > (use-modules (guix build cargo-utils)) 
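Review bot: `(search-patches "librewolf-add-paths-to-rdd-allowlist.patch")` references a file that this patch does not add (the diffstat lists only gnu/packages/librewolf.scm, 1 file changed), so as posted the package definition fails until that patch file lands, and in Guix a new patch also has to be registered in gnu/local.mk, which this diff does not touch; the interleaved reply above already acknowledges the missing file. The commit message's changelog entry should also mention the new (source ...) patches field, since it currently only says "Update to 130.0.1-1".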
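Review bot: the neuter-genai phase relies on substitute*, which silently leaves a file untouched when the regexp does not match, so if a later upstream update renames the "genai" entry in browser/components/moz.build or the browser.ml.* defaultPref lines in lw/librewolf.cfg, the build still succeeds with the feature compiled in and the preferences unlocked; for a hardening phase it is worth checking that the patterns actually matched (for example, grep the files afterwards and raise an error if "genai" or defaultPref("browser.ml. is still present). Smaller points: `(lambda* _ ...)` should be `(lambda _ ...)` as in the neighbouring phases, the two substitute* calls on lw/librewolf.cfg can be merged into one call with both clauses, and the closing `))` on its own line belongs at the end of the previous line.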
> @@ -575,26 +592,12 @@ (define (runpaths-of-input label) > ;; For U2F and WebAuthn > "eudev"))) >=20 > - ;; VA-API is run in the RDD (Remote Data D= ecoder) sandbox > - ;; and must be explicitly given access to = files it needs. > - ;; Rather than adding the whole store (as = Nix had > - ;; upstream do, see > - ;; and > - ;; linked upstream patches), we can just f= ollow the > - ;; runpaths of the needed libraries to add= everything to > - ;; LD_LIBRARY_PATH. These will then be ac= cessible in the > - ;; RDD sandbox. > - (rdd-whitelist (map (cut string-append <> = "/") > - (delete-duplicates (ap= pend-map > - ru= npaths-of-input > - '(= "mesa" > - = "ffmpeg"))))) > (gtk-share (string-append (assoc-ref inputs > "gtk+= ") > "/share"))) > (wrap-program (car (find-files lib "^librewolf$= ")) > `("LD_LIBRARY_PATH" prefix > - (,@libs ,@rdd-whitelist)) > + ,libs) > `("XDG_DATA_DIRS" prefix > (,gtk-share)) > `("MOZ_LEGACY_PROFILES" =3D

-- 
Best regards,
Andrew Tropin
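Review bot: this hunk removes rdd-whitelist and, with it, the comment explaining why only the runpaths of mesa and ffmpeg were added to LD_LIBRARY_PATH rather than exposing the whole store to the RDD (Remote Data Decoder) sandbox, while the replacement mechanism (the librewolf-add-paths-to-rdd-allowlist.patch referenced in the source field, which per the reply above allowlists /gnu/store and /run/current-system/profile/lib) is not part of this diff. Since that widens what the sandboxed media decoder process may read from the filesystem, the commit message should state the trade-off and why the runpath approach was dropped, and this hunk should land together with the patch it depends on. Also check whether runpaths-of-input (the enclosing definition in the hunk header) has any remaining caller; if this was its only use it is now dead code and can go.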