From 313d34687e1bcc374809eccc90a8298f0cc7f854 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 14 Oct 2025 09:29:50 -0400 Subject: [PATCH] gnu: icecat: Update to 140.4.0-gnu1 [security fixes]. Includes fixes for CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11713, CVE-2025-11714, and CVE-2025-11715. * gnu/packages/gnuzilla.scm (%icecat-base-version, %icecat-build-id): Update. (icecat-source): Update 'gnuzilla-commit' and hashes. (icecat-140.3-source): New variable. (icedove-source): Use 'icecat-140.3-source'.
---
 gnu/packages/gnuzilla.scm | 170 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 164 insertions(+), 6 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 60d7a2e33e73a26ced702c5ff2a1731633b14cea..15113503006b22b5225c32ebe18f68713d37bded 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -603,9 +603,9 @@ in the case of Firefox, it is browser/locales/all-locales."
 "zh-CN" "zh-TW"))
-(define %icecat-base-version "140.3.1")
+(define %icecat-base-version "140.4.0")
 (define %icecat-version (string-append %icecat-base-version "-gnu1"))
-(define %icecat-build-id "20250923000000") ;must be of the form YYYYMMDDhhmmss
+(define %icecat-build-id "20251014000000") ;must be of the form YYYYMMDDhhmmss
 ;; 'icecat-source' is a "computed" origin that generates an IceCat tarball
 ;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat'
@@ -638,7 +638,7 @@ in the case of Firefox, it is browser/locales/all-locales."
 (string-take gnuzilla-commit 8)))
 (sha256
 (base32
- "1hzwa4dbk5pvwas867vp2iivdr9zqppr9zbw2xgyd2mdf2kj4a20"))))
+ "094sci1mvvmb6xrpfjw0r482lspkmkfdln78mrkcqq7a5x3gwp83"))))
 ;; 'search-patch' returns either a valid file name or #f, so wrap it
 ;; in 'assume-valid-file-name' to avoid 'local-file' warnings.
@@ -1240,6 +1240,164 @@ testing.")
 (cpe-name . "firefox_esr")
 (cpe-version . ,(first (string-split version #\-)))))))
+(define icecat-140.3-source
+ (let* ((%icecat-140.3-base-version "140.3.1")
+ (%icecat-140.3-version (string-append %icecat-140.3-base-version "-gnu1"))
+ (major-version (first (string-split %icecat-140.3-base-version #\.)))
+ (minor-version (second (string-split %icecat-140.3-base-version #\.)))
+ (sub-version (third (string-split %icecat-140.3-base-version #\.)))
+
+ (upstream-firefox-version (string-append %icecat-140.3-base-version "esr"))
+ (upstream-firefox-source
+ (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://ftp.mozilla.org/pub/firefox/releases/"
+ upstream-firefox-version "/source/"
+ "firefox-" upstream-firefox-version ".source.tar.xz"))
+ (sha256
+ (base32
+ "0db7qgcvw4knl6qbkn0a52vh2pcghcw4s2djdvcna1zlqjhv6hqb"))))
+
+ (gnuzilla-commit "b7f0c6b7d19ececd92640f26eaa43cfec29cf728")
+ (gnuzilla-source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "git://git.savannah.gnu.org/gnuzilla.git")
+ (commit gnuzilla-commit)))
+ (file-name (git-file-name "gnuzilla"
+ (string-take gnuzilla-commit 8)))
+ (sha256
+ (base32
+ "1hzwa4dbk5pvwas867vp2iivdr9zqppr9zbw2xgyd2mdf2kj4a20"))))
+
+ ;; 'search-patch' returns either a valid file name or #f, so wrap it
+ (makeicecat-patch
+ (local-file (assume-valid-file-name
+ (search-patch "icecat-makeicecat.patch")))))
+
+ (origin
+ (method computed-origin-method)
+ (file-name (string-append "icecat-" %icecat-140.3-version ".tar.zst"))
+ (sha256 #f)
+ (uri
+ (delay
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (let ((firefox-dir
+ (string-append "firefox-" #$%icecat-140.3-base-version))
+ (icecat-dir
+ (string-append "icecat-" #$%icecat-140.3-version)))
+
+ (set-path-environment-variable
+ "PATH" '("bin")
+ (list #+python
+ #+(canonical-package bash)
+ #+(canonical-package coreutils)
+ #+(canonical-package findutils)
+ #+(canonical-package patch)
+ #+(canonical-package xz)
+ #+(canonical-package zstd)
+ #+(canonical-package sed)
+ #+(canonical-package grep)
+ #+(canonical-package bzip2)
+ #+(canonical-package gzip)
+ #+(canonical-package tar)))
+
+ (set-path-environment-variable
+ "PYTHONPATH"
+ (list #+(format #f "lib/python~a/site-packages"
+ (version-major+minor
+ (package-version python))))
+ '#+(cons python-jsonschema
+ (map second
+ (package-transitive-propagated-inputs
+ python-jsonschema))))
+
+ ;; We copy the gnuzilla source directory because it is
+ ;; read-only in 'gnuzilla-source', and the makeicecat script
+ ;; uses "cp -a" to copy parts of it and assumes that the
+ ;; copies will be writable.
+ (copy-recursively #+gnuzilla-source "/tmp/gnuzilla"
+ #:log (%make-void-port "w"))
+
+ (with-directory-excursion "/tmp/gnuzilla"
+ (make-file-writable "makeicecat")
+ (invoke "patch" "--force" "--no-backup-if-mismatch"
+ "-p1" "--input" #+makeicecat-patch)
+ (patch-shebang "makeicecat")
+ (substitute* "makeicecat"
+ (("^readonly FFMAJOR=(.*)" all ffmajor)
+ (unless (string=? #$major-version
+ (string-trim-both ffmajor))
+ ;; The makeicecat script cannot be expected to work
+ ;; properly on a different version of Firefox, even if
+ ;; no errors occur during execution.
+ (error "makeicecat major version mismatch"))
+ (string-append "readonly FFMAJOR=" #$major-version "\n"))
+ (("^readonly FFMINOR=.*")
+ (string-append "readonly FFMINOR=" #$minor-version "\n"))
+ (("^readonly FFSUB=.*")
+ (string-append "readonly FFSUB=" #$sub-version "\n"))
+ (("^readonly DATADIR=.*")
+ "readonly DATADIR=/tmp/gnuzilla/data\n")
+ (("^readonly SOURCEDIR=.*")
+ (string-append "readonly SOURCEDIR=" icecat-dir "\n"))
+ (("/bin/sed")
+ #+(file-append (canonical-package sed) "/bin/sed"))))
+
+ (format #t "Unpacking upstream firefox tarball...~%")
+ (force-output)
+ (invoke "tar" "xf" #+upstream-firefox-source)
+ (rename-file firefox-dir icecat-dir)
+
+ (with-directory-excursion icecat-dir
+ (format #t "Populating l10n directory...~%")
+ (force-output)
+ (mkdir "l10n")
+ (with-directory-excursion "l10n"
+ (for-each
+ (lambda (locale)
+ (let ((locale-dir (string-append #+mozilla-l10n "/"
+ locale)))
+ (format #t " ~a~%" locale)
+ (force-output)
+ (copy-recursively locale-dir locale
+ #:log (%make-void-port "w"))
+ (for-each make-file-writable (find-files locale))
+ (with-directory-excursion locale
+ (mkdir-p "browser/chrome/browser/preferences")
+ (call-with-output-file "browser/chrome/browser/\
+preferences/advanced-scripts.dtd"
+ (lambda (port) #f)))))
+ '#+%icecat-locales)
+ (copy-recursively #+mozilla-compare-locales
+ "compare-locales"
+ #:log (%make-void-port "w"))
+ (delete-file "compare-locales/.gitignore")))
+
+ (format #t "Running makeicecat script...~%")
+ (force-output)
+ (invoke "bash" "/tmp/gnuzilla/makeicecat")
+
+ (format #t "Packing IceCat source tarball...~%")
+ (force-output)
+ (setenv "ZSTD_NBTHREADS" (number->string (parallel-job-count)))
+ (invoke "tar" "cfa" #$output
+ ;; Avoid non-determinism in the archive. We set the
+ ;; mtime of files in the archive to early 1980 because
+ ;; the build process fails if the mtime of source
+ ;; files is pre-1980, due to the creation of zip
+ ;; archives.
+ "--mtime=@315619200" ; 1980-01-02 UTC + "--owner=root:0" + "--group=root:0" + "--sort=name" + icecat-dir))))))))) + (define %icedove-build-id "20250916000000") ;must be of the form YYYYMMDDhhmmss ;;; See ;;; for the source of truth regarding Thunderbird releases. @@ -1367,7 +1525,7 @@ testing.") ;; Extract the base Icecat tarball, renaming its top-level ;; directory. (invoke "tar" "--transform" (string-append "s,[^/]*," #$name ",") - "-xf" #$icecat-source) + "-xf" #$icecat-140.3-source) (chdir #$name) ;; Merge the Thunderdbird localization data.