From 81a3e4842f5f6f7480769f9a839fc9dc72ae548a Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Wed, 12 Nov 2025 08:20:58 +0900 Subject: [PATCH] gnu: icedove: Update to 140.4.0 [security fixes]. Fixes CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11713, CVE-2025-11714 and CVE-2025-11715. * gnu/packages/gnuzilla.scm (%icecat-140.3-source): Delete variable. (icedove): Update to 140.4.0. (%icedove-build-id): Bump to 20251111000000. (%icedove-version): Bump to 140.4.0. (thunderbird-comm-source): Update changeset/hash. (icedove-source): Use icecat-source. Change-Id: If339c9588295103c03afc6b002ca6f82e17d9ca1
---
 gnu/packages/gnuzilla.scm | 171 ++------------------------------------
 1 file changed, 7 insertions(+), 164 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 7620337142c42254a80cd5fdcaa4996ffe9ea180..8d0eccef9c8d5b3d7a169cc513cf9f58798cd961 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1247,168 +1247,10 @@ testing.") (cpe-name . "firefox_esr") (cpe-version . ,(first (string-split version #\-))))))) -(define icecat-140.3-source - (let* ((%icecat-140.3-base-version "140.3.1") - (%icecat-140.3-version (string-append %icecat-140.3-base-version "-gnu1")) - (major-version (first (string-split %icecat-140.3-base-version #\.))) - (minor-version (second (string-split %icecat-140.3-base-version #\.))) - (sub-version (third (string-split %icecat-140.3-base-version #\.))) - - (upstream-firefox-version (string-append %icecat-140.3-base-version "esr")) - (upstream-firefox-source - (origin - (method url-fetch) - (uri (string-append - "https://ftp.mozilla.org/pub/firefox/releases/" - upstream-firefox-version "/source/" - "firefox-" upstream-firefox-version ".source.tar.xz")) - (sha256 - (base32 - "0db7qgcvw4knl6qbkn0a52vh2pcghcw4s2djdvcna1zlqjhv6hqb")))) - - (gnuzilla-commit "b7f0c6b7d19ececd92640f26eaa43cfec29cf728") - (gnuzilla-source - (origin - (method git-fetch) - (uri (git-reference - (url "git://git.savannah.gnu.org/gnuzilla.git") - (commit gnuzilla-commit))) - (file-name (git-file-name "gnuzilla" - (string-take gnuzilla-commit 8))) - (sha256 - (base32 - "1hzwa4dbk5pvwas867vp2iivdr9zqppr9zbw2xgyd2mdf2kj4a20")))) - - ;; 'search-patch' returns either a valid file name or #f, so wrap it - ;; in 'assume-valid-file-name' to avoid 'local-file' warnings. 
- (makeicecat-patch - (local-file (assume-valid-file-name - (search-patch "icecat-makeicecat.patch"))))) - - (origin - (method computed-origin-method) - (file-name (string-append "icecat-" %icecat-140.3-version ".tar.zst")) - (sha256 #f) - (uri - (delay - (with-imported-modules '((guix build utils)) - #~(begin - (use-modules (guix build utils)) - (let ((firefox-dir - (string-append "firefox-" #$%icecat-140.3-base-version)) - (icecat-dir - (string-append "icecat-" #$%icecat-140.3-version))) - - (set-path-environment-variable - "PATH" '("bin") - (list #+python - #+(canonical-package bash) - #+(canonical-package coreutils) - #+(canonical-package findutils) - #+(canonical-package patch) - #+(canonical-package xz) - #+(canonical-package zstd) - #+(canonical-package sed) - #+(canonical-package grep) - #+(canonical-package bzip2) - #+(canonical-package gzip) - #+(canonical-package tar))) - - (set-path-environment-variable - "PYTHONPATH" - (list #+(format #f "lib/python~a/site-packages" - (version-major+minor - (package-version python)))) - '#+(cons python-jsonschema - (map second - (package-transitive-propagated-inputs - python-jsonschema)))) - - ;; We copy the gnuzilla source directory because it is - ;; read-only in 'gnuzilla-source', and the makeicecat script - ;; uses "cp -a" to copy parts of it and assumes that the - ;; copies will be writable. - (copy-recursively #+gnuzilla-source "/tmp/gnuzilla" - #:log (%make-void-port "w")) - - (with-directory-excursion "/tmp/gnuzilla" - (make-file-writable "makeicecat") - (invoke "patch" "--force" "--no-backup-if-mismatch" - "-p1" "--input" #+makeicecat-patch) - (patch-shebang "makeicecat") - (substitute* "makeicecat" - (("^readonly FFMAJOR=(.*)" all ffmajor) - (unless (string=? #$major-version - (string-trim-both ffmajor)) - ;; The makeicecat script cannot be expected to work - ;; properly on a different version of Firefox, even if - ;; no errors occur during execution. 
- (error "makeicecat major version mismatch")) - (string-append "readonly FFMAJOR=" #$major-version "\n")) - (("^readonly FFMINOR=.*") - (string-append "readonly FFMINOR=" #$minor-version "\n")) - (("^readonly FFSUB=.*") - (string-append "readonly FFSUB=" #$sub-version "\n")) - (("^readonly DATADIR=.*") - "readonly DATADIR=/tmp/gnuzilla/data\n") - (("^readonly SOURCEDIR=.*") - (string-append "readonly SOURCEDIR=" icecat-dir "\n")) - (("/bin/sed") - #+(file-append (canonical-package sed) "/bin/sed")))) - - (format #t "Unpacking upstream firefox tarball...~%") - (force-output) - (invoke "tar" "xf" #+upstream-firefox-source) - (rename-file firefox-dir icecat-dir) - - (with-directory-excursion icecat-dir - (format #t "Populating l10n directory...~%") - (force-output) - (mkdir "l10n") - (with-directory-excursion "l10n" - (for-each - (lambda (locale) - (let ((locale-dir (string-append #+mozilla-l10n "/" - locale))) - (format #t " ~a~%" locale) - (force-output) - (copy-recursively locale-dir locale - #:log (%make-void-port "w")) - (for-each make-file-writable (find-files locale)) - (with-directory-excursion locale - (mkdir-p "browser/chrome/browser/preferences") - (call-with-output-file "browser/chrome/browser/\ -preferences/advanced-scripts.dtd" - (lambda (port) #f))))) - '#+%icecat-locales) - (copy-recursively #+mozilla-compare-locales - "compare-locales" - #:log (%make-void-port "w")) - (delete-file "compare-locales/.gitignore"))) - - (format #t "Running makeicecat script...~%") - (force-output) - (invoke "bash" "/tmp/gnuzilla/makeicecat") - - (format #t "Packing IceCat source tarball...~%") - (force-output) - (setenv "ZSTD_NBTHREADS" (number->string (parallel-job-count))) - (invoke "tar" "cfa" #$output - ;; Avoid non-determinism in the archive. We set the - ;; mtime of files in the archive to early 1980 because - ;; the build process fails if the mtime of source - ;; files is pre-1980, due to the creation of zip - ;; archives. 
- "--mtime=@315619200" ; 1980-01-02 UTC - "--owner=root:0" - "--group=root:0" - "--sort=name" - icecat-dir))))))))) - -(define %icedove-build-id "20250916000000") ;must be of the form YYYYMMDDhhmmss +(define %icedove-build-id "20251111000000") ;must be of the form YYYYMMDDhhmmss ;;; See ;;; for the source of truth regarding Thunderbird releases. -(define %icedove-version "140.3.0") +(define %icedove-version "140.4.0") ;; Provides the "comm" folder which is inserted into the icecat source. ;; Avoids the duplication of Icecat's source tarball. Pick the changeset that @@ -1418,11 +1260,11 @@ preferences/advanced-scripts.dtd" (method hg-fetch) (uri (hg-reference (url "https://hg.mozilla.org/releases/comm-esr140") - (changeset "0a019f4060541a15af8be50c4d923aebe6b9ccb2"))) + (changeset "efb07defaa2d56105675dc1d936af581ebfd8ffa"))) (file-name (string-append "thunderbird-" %icedove-version "-checkout")) (sha256 (base32 - "00m2xzb1mvyllg31yrz7kw0m89c28b55cdd486mbk0k6xwv2gm8m")) + "1jnjcyciwgvkn00wsxlhdsrc7xa377vx51qwip4rmywdslgz6yhg")) (patches (search-patches "icedove-observer-fix.patch")))) ;;; To regenerate, see the `format-locales' helper defined above. @@ -1497,7 +1339,8 @@ preferences/advanced-scripts.dtd" (define thunderbird-comm-l10n ;; The commit to use can be found in the mail/locales/l10n-changesets.json - ;; file in Thunderbird's source. + ;; file in Thunderbird's source (e.g.: + ;; ) (let* ((commit "b6fd3d6c75ba35d91fe131a654df76ca86f35ac5") (revision "0") (version (git-version %icedove-version revision commit))) @@ -1532,7 +1375,7 @@ preferences/advanced-scripts.dtd" ;; Extract the base Icecat tarball, renaming its top-level ;; directory. (invoke "tar" "--transform" (string-append "s,[^/]*," #$name ",") - "-xf" #$icecat-140.3-source) + "-xf" #$icecat-source) (chdir #$name) ;; Merge the Thunderdbird localization data.
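Review bot: The `commit` binding in `thunderbird-comm-l10n` (`b6fd3d6c75ba35d91fe131a654df76ca86f35ac5`) is unchanged context in the hunk at -1497, although the comm changeset is bumped for 140.4.0 elsewhere in this patch. The comment directly above says that value comes from mail/locales/l10n-changesets.json in Thunderbird's source, so it should be re-checked against the new changeset. If it is meant to stay as is, the commit log should say so. As shown here the added parenthetical `(e.g.:` is followed by nothing before the closing `)`, so it should either carry the reference it announces or be dropped. The `let*` form continues outside the hunk.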
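Review bot: Unpacking `#$icecat-source` in the hunk at -1532 makes icedove's Gecko base follow whatever IceCat release the file currently defines, and nothing in the visible lines ties that release to `%icedove-version` or to the pinned comm-esr140 changeset. The deleted `icecat-140.3-source` was what held that pin, so a later icecat bump would now silently rebuild icedove on a base the comm checkout was not cut for. The CVE list in the commit log likewise holds only if `icecat-source` is itself at the matching 140.4 ESR level, which this patch does not show. I would record the coupling next to the `invoke`, for example `;; icecat-source must be the ESR release matching %icedove-version; bump thunderbird-comm-source together with it.` The enclosing builder expression starts and ends outside the hunk.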