~ruther/guix-local

2c34e9ccb687f8f87b5411215c973f6c5354c965 — Ian Eure a month ago 679e309 
gnu: librewolf: Update to 147.0.1-3 [security-fixes].

Contains fixes for:
CVE-2026-0877: Mitigation bypass in the DOM: Security component
CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in
               the Graphics: CanvasWebGL component
CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in
               the Graphics component
CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics
               component
CVE-2026-0881: Sandbox escape in the Messaging System component
CVE-2026-0882: Use-after-free in the IPC component
CVE-2026-0883: Information disclosure in the Networking component
CVE-2026-0884: Use-after-free in the JavaScript Engine component
CVE-2026-0885: Use-after-free in the JavaScript: GC component
CVE-2026-0886: Incorrect boundary conditions in the Graphics component
CVE-2026-0887: Clickjacking issue, information disclosure in the PDF
               Viewer component
CVE-2026-0888: Information disclosure in the XML component
CVE-2026-0889: Denial-of-service in the DOM: Service Workers component
CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop
               component
CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7,
               Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
CVE-2026-0892: Memory safety bugs fixed in Firefox 147 and Thunderbird
               147

* gnu/packages/librewolf.scm (librewolf-bsys6): New variable.
* gnu/packages/librewolf.scm (make-librewolf-source): Don’t attempt to GPG
sign the source tarball, the key isn’t available.
* gnu/packages/librewolf.scm (librewolf): Update to 147.0.1-3.
[native-inputs] Add librewolf-bsys6.
[phases 'patch-icu-lookup]: Delete.
[phases 'install-desktop-entry]: Use the .desktop file template from librewolf-bsys6.

Change-Id: Ic7ff0197294cbb2485cb8db2f42f4fb499e39277
patch browse .tar.gz 
1 files changed, 47 insertions(+), 47 deletions(-)

M gnu/packages/librewolf.scm

M gnu/packages/librewolf.scm => gnu/packages/librewolf.scm +47 -47
@@ 184,6 184,10 @@
                 (("^ff_source_tarball:=.*")
                  (string-append "ff_source_tarball:=" #+ff-src)))

               ;; Neuter GPG signing of the tarball.
               (substitute* '("Makefile")
                 (("if [ -f pk.asc ].*") ""))

               ;; Stage locales.
               (begin
                 (substitute* "scripts/librewolf-patches.py"


@@ 216,6 220,16 @@
                     "media/libwebp"
                     "modules/zlib"))))))

(define librewolf-bsys6
  (let ((commit "e0397b2b95aa14e1a83be460681ffbeb0b41ca3f"))
    (origin
      (method git-fetch)
      (uri (git-reference
             (url "https://codeberg.org/librewolf/bsys6.git")
             (commit commit)))
      (file-name (git-file-name "librewolf-bsys6" commit))
      (sha256 (base32 "16b2z1b89y0lm9b9xrvvfa5j0av4ibmcgkksnnqxmn2qrz04awzw")))))

;;; Define the versions of rust needed to build firefox, trying to match
;;; upstream.  See table at [0], `Uses' column for the specific version.
;;; Using `rust' will likely lead to a newer version then listed in the table,


@@ 228,17 242,17 @@
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
;; or: (format-time-string "%Y%m%d%H%M%S")
(define %librewolf-build-id "20251219212454")
(define %librewolf-build-id "20260118150544")

(define-public librewolf
  (package
    (name "librewolf")
    (version "146.0.1-1")
    (version "147.0.1-3")
    (source
     (make-librewolf-source
      #:version version
      #:firefox-hash "1swih4jljq162vgdl2m2d8xn4s4hj4vjqcfww59kk4kkhh78lrz9"
      #:librewolf-hash "13gxagaibv0bmn34rz3hfkfy7rgdksl635znmrq24l8v80y792ii"
      #:firefox-hash "1jvx0q134nfa19jbdjr3cj2xi8fc6ggmr6glqj9d8bvpqd52gs09"
      #:librewolf-hash "1290vvbbinlaff60n1gabdggam7ayslrr3rnlpkwprab77gq45yh"
      #:l10n firefox-l10n))
    (build-system gnu-build-system)
    (arguments


@@ 421,18 435,6 @@
            (lambda _
              (setenv "MOZ_BUILD_DATE"
                      #$%librewolf-build-id)))
          ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
          (add-before 'configure 'patch-icu-lookup
            (lambda _
              (let* ((file "js/moz.configure")
                     (old-content (call-with-input-file file get-string-all)))
                (substitute* file
                  (("icu-i18n >= 76.1" all)
                   (string-append all ", icu-uc >= 76.1")))
                (if (string=? old-content
                              (pk (call-with-input-file file get-string-all)))
                    (error
                     "substitute did nothing, phase requires an update")))))
          (replace 'configure
            (lambda* (#:key inputs outputs configure-flags
                      #:allow-other-keys)


@@ 575,26 577,21 @@
                  `("MOZ_ALLOW_DOWNGRADE" =
                    ("1"))))))
          (add-after 'wrap-program 'install-desktop-entry
            (lambda* (#:key outputs #:allow-other-keys)
              (let* ((desktop-file
                      "toolkit/mozapps/installer/linux/rpm/mozilla.desktop")
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((desktop-file-name "librewolf.desktop")
                     (desktop-file-template
                      (search-input-file inputs "assets/linux.librewolf.desktop.in"))
                     (applications (string-append #$output
                                                  "/share/applications")))
                (substitute* desktop-file
                  (("^Exec=@MOZ_APP_NAME@")
                   (string-append "Exec="
                                  #$output "/bin/librewolf %u"))
                  (("@MOZ_APP_DISPLAYNAME@")
                   "LibreWolf")
                  (("@MOZ_APP_REMOTINGNAME@")
                   "LibreWolf")
                  (("^Icon=@MOZ_APP_NAME@")
                (copy-file desktop-file-template desktop-file-name)
                (substitute* desktop-file-name
                  (("MYDIR/librewolf")
                   (string-append #$output "/bin/librewolf"))
                  (("^Icon=librewolf")
                   (string-append "Icon="
                                  #$output
                                  "/share/icons/hicolor/128x128/apps/librewolf.png")))

                (copy-file desktop-file "librewolf.desktop")
                (install-file "librewolf.desktop" applications))))
                (install-file desktop-file-name applications))))
          (add-after 'install-desktop-entry 'install-icons
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((icon-source-dir (string-append #$output


@@ 640,7 637,7 @@
                  gtk+
                  gtk+-2
                  hunspell
                  icu4c-76
                  icu4c-78
                  jemalloc
                  libcanberra
                  libevent


@@ 674,21 671,24 @@
                  unzip
                  zip
                  zlib))
    (native-inputs (list alsa-lib
                         autoconf-2.13
                         `(,rust-librewolf "cargo")
                         clang-18
                         llvm-18
                         m4
                         nasm
                         node-lts
                         perl
                         pkg-config
                         python
                         rust-librewolf
                         rust-cbindgen-0.29
                         which
                         yasm))
    (native-inputs
     (list
      alsa-lib
      autoconf-2.13
      `(,rust-librewolf "cargo")
      clang-18
      librewolf-bsys6
      llvm-18
      m4
      nasm
      node-lts
      perl
      pkg-config
      python
      rust-librewolf
      rust-cbindgen-0.29
      which
      yasm))
    (native-search-paths
     (list (search-path-specification
            (variable "ICECAT_SYSTEM_DIR")