
f718e0e5e0c137ca5441de13ea56866d045c983e — Ian Eure 1 year, 2 months ago 71da0b3
gnu: librewolf: Update to 138.0.3-1 [security fixes].

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
2 files changed, 22 insertions(+), 7 deletions(-)

M gnu/packages/librewolf.scm
A gnu/packages/patches/librewolf-compare-paths.patch
M gnu/packages/librewolf.scm => gnu/packages/librewolf.scm +7 -7
@@ 191,7 191,7 @@
                          #$output)))))
      (patches
       (search-patches
        "torbrowser-compare-paths.patch"
        "librewolf-compare-paths.patch"
        "librewolf-use-system-wide-dir.patch"
        "librewolf-add-store-to-rdd-allowlist.patch")))))



@@ 207,17 207,17 @@
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
(define %librewolf-build-id "20250416062358")
(define %librewolf-build-id "20250502155055")

(define-public librewolf
  (package
    (name "librewolf")
    (version "137.0.2-1")
    (version "138.0.3-1")
    (source
     (make-librewolf-source
      #:version version
      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
      #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2"
      #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c"
      #:l10n firefox-l10n))
    (build-system gnu-build-system)
    (arguments


@@ 639,7 639,7 @@
                  libxt
                  mesa
                  mit-krb5
                  nspr
                  nspr-4.36
                  nss-rapid
                  pango
                  pciutils


@@ 665,7 665,7 @@
                         pkg-config
                         python
                         rust-librewolf
                         rust-cbindgen-0.26
                         rust-cbindgen-0.28
                         which
                         yasm))
    (native-search-paths
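Review bot: The two input changes in the last hunks of this file (`nspr-4.36` where `nspr` stood, `rust-cbindgen-0.28` where `rust-cbindgen-0.26` stood, going by the old-then-new print order) pin specific versions with no comment, while the neighbouring `nss-rapid` stays unpinned. A pinned variant of a library the browser links against can lag behind the default package on security updates, so the next updater should be told whether the pin is a minimum or a stopgap. I would add a line above the input such as `;; Pinned because the default nspr is too old for this release; switch back to nspr once it catches up.`, provided that is indeed the reason. Both input lists start and end outside the hunks shown.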

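--- /dev/null
+++ b/gnu/packages/patches/librewolf-compare-paths.patch
@@ -0,0 +1,15 @@
+See comment in gnu/build/icecat-extension.scm.
+This is only needed while icecat and torbrowser remain on
+different ESR versions as the patched file has changed its
+name.
+
+--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+@@ -3753,6 +3753,7 @@
+     if (
+       newAddon ||
+       oldAddon.updateDate != xpiState.mtime ||
++      oldAddon.path != xpiState.path ||
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing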
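Review bot: The explanatory header of the new patch (the four lines before `--- a/toolkit/...`) reads as if carried over from the torbrowser variant: it talks about icecat and torbrowser being on different ESR versions and never mentions LibreWolf, so it does not say why this package needs its own copy or when that copy can be dropped. The only code change is the added `oldAddon.path != xpiState.path ||` test, which makes the add-on database refresh an entry whose on-disk path changed even when `updateDate` still equals `xpiState.mtime`. The header should say so directly, e.g. `Re-read add-on metadata when the add-on's path changes, not only its mtime; see gnu/build/icecat-extension.scm.`, plus one line naming the upstream release the hunk offsets target. Presumably the torbrowser patch no longer applies to the 138 sources; if so, that is the reason to record. The `if (` condition and its body continue past the end of the patch context.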