[PATCH 0/3] Update LibreWolf to 136.0-2 [security fixes]

Details
2 participants
  • Ian Eure
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Ian Eure
Severity
normal

Ian Eure wrote on 8 Mar 07:39 -0800
(address . guix-patches@gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20250308153954.5863-1-ian@retrospec.tv
More complex update than usual.

- LW now requires nss >= 3.108. Update nss-rapid to 3.109.
- LW now requires libpng-apng >= 1.6.46. libpng is very low in the graph and
needs to build on a branch. #76798 updates it in core-packages-team, I
added libpng-for-librewolf in the meantime.
- LW now needs icu4c >= 76.1, updated in #76750. There's also a bug with
this, which requires a workaround until (presumably) 136.0.1-1.
- Update firefox-l10n to the current HEAD.

gnu/packages/librewolf.scm | 62 ++++++++++++++++++++++++++++++++------
gnu/packages/nss.scm | 6 ++--
2 files changed, 56 insertions(+), 12 deletions(-)

--
2.48.1
Ian Eure wrote on 8 Mar 09:40 -0800
[PATCH 2/3] gnu: firefox-l10n: Update to 24e2602d2221646fbbe92e908bed0d605acd2e8a.
(address . 76869@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20250308174010.21764-2-ian@retrospec.tv
* gnu/packages/librewolf.scm (firefox-l10n): Update to 24e2602d2221646fbbe92e908bed0d605acd2e8a.

Change-Id: I32c4748b6d76c21cf1e4dadbb0859cb55fb9a2ef
---
gnu/packages/librewolf.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 2a4bf3fada..7a356b6d91 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -117,14 +117,14 @@ (define (librewolf-source-origin version hash)
(define computed-origin-method (@@ (guix packages) computed-origin-method))
(define firefox-l10n
- (let ((commit "d219efa7c64850dfb5904893e17a5431c7058192"))
+ (let ((commit "24e2602d2221646fbbe92e908bed0d605acd2e8a"))
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/mozilla-l10n/firefox-l10n.git")
(commit commit)))
(file-name (git-file-name "firefox-l10n" commit))
- (sha256 (base32 "0g778fnxg5mkqm3rgryzl64f3n4pczngjdlby07vh2dycvmlyga8")))))
+ (sha256 (base32 "1xnldwgldls07m5hmm9wnln6g2vcar5w4k4918qkmakldaw6ang0")))))
(define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
(let* ((ff-src (firefox-source-origin
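Review bot: the new `commit` binding in this hunk is a bare hash with no indication of what it corresponds to; the cover letter says it is the current HEAD of firefox-l10n, so a one-line comment next to the `let` recording when the snapshot was taken (and the Firefox release it tracks) would let the next updater tell at a glance whether it is stale. The commit message could carry the same note.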
--
2.48.1
Ian Eure wrote on 8 Mar 09:40 -0800
[PATCH 1/3] gnu: nss-rapid: Update to 3.109.
(address . 76869@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20250308174010.21764-1-ian@retrospec.tv
* gnu/packages/nss.scm (nss-rapid): Update to 3.109.

Change-Id: I6afa0f9ab714aa26dcd17c6526e4b95be07b9eb9
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 9b5d901063..8bcb593ed7 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -334,7 +334,7 @@ (define-public nss-rapid
(package
(inherit nss)
(name "nss-rapid")
- (version "3.107")
+ (version "3.109")
(source (origin
(inherit (package-source nss))
(uri (let ((version-with-underscores
@@ -345,7 +345,7 @@ (define-public nss-rapid
"nss-" version ".tar.gz")))
(sha256
(base32
- "0ab7kpyg54aha86aw0ak70ckmfj1ih7d9x8mlrqhf59q7r3rczkz"))))
+ "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
(arguments
(substitute-keyword-arguments (package-arguments nss)
((#:phases phases)
@@ -377,7 +377,7 @@ (define-public nss-rapid
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-11-29" "./nss/tests/all.sh"))
+ (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))))))
(synopsis "Network Security Services (Rapid Release)")
(description
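Review bot: the `faketime` date changed in this hunk ("2024-11-29" to "2025-03-01") is not mentioned in the commit message, which only records the version bump; since the surrounding comment says the pinned time exists to keep the test suite's certificates within their validity window, please state in the message that the date was moved to match the 3.109 release and confirm it is actually close to that release date.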
--
2.48.1
Ian Eure wrote on 8 Mar 09:40 -0800
[PATCH 3/3] gnu: librewolf: Update to 136.0-2 [security fixes].
(address . 76869@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20250308174010.21764-3-ian@retrospec.tv
CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
the Browser process
CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
animations
CVE-2025-1931: Use-after-free in WebTransportChild
CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
out-of-bounds access
CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940: Android Intent confirmation prompt tapjacking using
Select options
CVE-2024-9956: Passkey phishing within Bluetooth range
CVE-2025-1934: Unexpected GC during RegExp bailout processing
CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
causes string to get longer
CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
the interpretation of the contents
CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 115.21, Firefox ESR 128.8, and
Thunderbird 128.8
CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
136

* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.

Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
---
gnu/packages/librewolf.scm | 58 +++++++++++++++++++++++++++++++++-----
1 file changed, 51 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 7a356b6d91..f65e8bc69f 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -200,23 +200,56 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
;;; but since in Guix only the latest packaged Rust is officially supported,
;;; it is a tradeoff worth making.
;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
-;; 135.0 wants 1.83, but it's not available in Guix yet.
+;; 136.0 wants 1.84, but it's not available in Guix yet.
(define rust-librewolf rust-1.82)
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250209210057")
+(define %librewolf-build-id "20250306064037")
+
+;; Temporary, until 76798 merges into core-packages-team, and that merges into
+;; master.
+(define libpng-apng-for-librewolf
+ (hidden-package
+ (package
+ (inherit libpng-apng)
+ (version "1.6.46")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
+ version "/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+ "/libpng16/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
+ "/libpng16/libpng-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1cbwf20zlm4gcv8rpjivkngrjgl5366w21lr9qmbk2lr0dq8papk"))))
+ (inputs
+ (modify-inputs (package-inputs libpng-apng)
+ (replace "apng"
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append "mirror://sourceforge/libpng-apng/libpng16/"
+ version "/libpng-" version "-apng.patch.gz"))
+ (sha256
+ (base32
+ "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
(define-public librewolf
(package
(name "librewolf")
- (version "135.0-1")
+ (version "136.0-2")
(source
(make-librewolf-source
#:version version
- #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
- #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
+ #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
+ #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
#:l10n firefox-l10n))
(build-system gnu-build-system)
(arguments
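Review bot: the commit message lists only "(librewolf): Update to 136.0-2", but this hunk also introduces the `libpng-apng-for-librewolf` variable and bumps `%librewolf-build-id`; in the ChangeLog style used here, add entries such as "(libpng-apng-for-librewolf): New variable." so the temporary package is visible in the log when the time comes to drop it after #76798 merges. The comment on the definition says it is temporary but not what it should be replaced with (presumably the updated `libpng-apng` from that series); spelling that out would make the revert straightforward.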
@@ -392,6 +425,17 @@ (define (write-setting key value)
(lambda _
(setenv "MOZ_BUILD_DATE"
#$%librewolf-build-id)))
+ ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
+ (add-before 'configure 'patch-icu-lookup
+ (lambda _
+ (let* ((file "js/moz.configure")
+ (old-content (call-with-input-file file get-string-all)))
+ (substitute* file
+ (("icu-i18n >= 76.1" all)
+ (string-append all ", icu-uc >= 76.1")))
+ (if (string=? old-content
+ (pk (call-with-input-file file get-string-all)))
+ (error "substitute did nothing, phase requires an update")))))
(replace 'configure
(lambda* (#:key inputs outputs configure-flags
#:allow-other-keys)
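Review bot: the `pk` wrapped around the second `call-with-input-file` in the `patch-icu-lookup` phase is debugging output; it prints the entire rewritten js/moz.configure into the build log on every build. Drop it and compare the two strings directly, e.g. `(when (string=? old-content (call-with-input-file file get-string-all)) (error ...))`. Also confirm that `get-string-all` (from `(ice-9 textual-ports)`) is available in the build-side modules of this package, otherwise the phase fails with an unbound variable rather than the intended error. The bugzilla link on the comment line is the only explanation of why the `icu-uc` requirement is added; a short sentence in the comment saying what the workaround fixes would help whoever removes it once 136.0.1-1 no longer needs it, as the cover letter anticipates.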
@@ -671,7 +715,7 @@ (define (runpaths-of-input label)
gtk+
gtk+-2
hunspell
- icu4c-75
+ icu4c-76
jemalloc
libcanberra
libevent
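Review bot: switching the input from `icu4c-75` to `icu4c-76` in this hunk only builds if the `icu4c-76` variable from #76750 is already merged; the commit message should state that dependency so the series is not applied out of order.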
@@ -679,7 +723,7 @@ (define (runpaths-of-input label)
libgnome
libjpeg-turbo
libnotify
- libpng-apng
+ libpng-apng-for-librewolf
libva
libvpx
libwebp
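Review bot: this input swap to `libpng-apng-for-librewolf` is the line to revert once #76798 lands; a brief comment here pointing back at the temporary definition would make it easier to spot than the comment on the definition alone.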
--
2.48.1
Maxim Cournoyer wrote on 11 Mar 20:39 -0700
(name . Ian Eure)(address . ian@retrospec.tv)(address . 76869@debbugs.gnu.org)
87cyemgbo1.fsf@gmail.com
Hi,

Ian Eure <ian@retrospec.tv> writes:

> CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
> the Browser process
> CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
> animations
> CVE-2025-1931: Use-after-free in WebTransportChild
> CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
> out-of-bounds access
> CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
> CVE-2025-1940: Android Intent confirmation prompt tapjacking using
> Select options
> CVE-2024-9956: Passkey phishing within Bluetooth range
> CVE-2025-1934: Unexpected GC during RegExp bailout processing
> CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
> CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
> causes string to get longer
> CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
> CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
> the interpretation of the contents
> CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 115.21, Firefox ESR 128.8, and
> Thunderbird 128.8
> CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 128.8, and Thunderbird 128.8
> CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
> 136

Wooh!

[...]

> ;; Update this id with every update to its release date.
> ;; It's used for cache validation and therefore can lead to strange bugs.
> ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20250209210057")
> +(define %librewolf-build-id "20250306064037")
> +
> +;; Temporary, until 76798 merges into core-packages-team, and that merges into
> +;; master.
> +(define libpng-apng-for-librewolf
> + (hidden-package
> + (package
> + (inherit libpng-apng)

That package should be defined in (gnu packages libpng-apng), to avoid
cyclic import problems down the road (info "(guix) Cyclic Module
Dependencies").

> (define-public librewolf
> (package
> (name "librewolf")
> - (version "135.0-1")
> + (version "136.0-2")
> (source
> (make-librewolf-source
> #:version version
> - #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
> - #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
> + #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
> + #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
> #:l10n firefox-l10n))
> (build-system gnu-build-system)
> (arguments
> @@ -392,6 +425,17 @@ (define (write-setting key value)
> (lambda _
> (setenv "MOZ_BUILD_DATE"
> #$%librewolf-build-id)))
> + ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
> + (add-before 'configure 'patch-icu-lookup
> + (lambda _
> + (let* ((file "js/moz.configure")
> + (old-content (call-with-input-file file get-string-all)))
> + (substitute* file
> + (("icu-i18n >= 76.1" all)
> + (string-append all ", icu-uc >= 76.1")))
> + (if (string=? old-content
> + (pk (call-with-input-file file get-string-all)))
> + (error "substitute did nothing, phase requires an update")))))

Please try to keep the max column width < 80 columns. That's why we often
use something like the following, to keep the hanging indent small.

#:phases
(list
#~(modify-phases %standard-phases
(add-after ...)))
Other than these small things, it LGTM. I'll try testing it to see if
the localization issue I had mentioned is resolved.

Thanks for maintaining it!

--
Maxim
Ian Eure wrote on 11 Mar 21:21 -0700
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 76869@debbugs.gnu.org)
87r032khei.fsf@retrospec.tv
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi,
>
> Ian Eure <ian@retrospec.tv> writes:
>
>> +;; Temporary, until 76798 merges into core-packages-team, and
>> that merges into
>> +;; master.
>> +(define libpng-apng-for-librewolf
>> + (hidden-package
>> + (package
>> + (inherit libpng-apng)
>
> That package should be defined in (gnu packages libpng-apng), to
> avoid
> cyclic import problems down the road (info "(guix) Cyclic Module
> Dependencies").

Huh, okay. I’ll move it.

> Please try to keep the max column width < 80 columns. That's
> why often
> we use something like, to keep the hanging indent small.

Ooh, yeah, some of these have gotten out of hand.

Will fix both issues and push.

> Other than these small things, it LGTM. I'll try testing it to
> see
> if the localization issue I had mentioned is resolved.

I haven’t had a chance to look into this / compare with other LW
packages, so I wouldn’t expect much.

> Thanks for maintaining it!

Happy to! Thank you for the review.

-- Ian
Ian Eure wrote on 11 Mar 21:31 -0700
control message for bug #76869
(address . control@debbugs.gnu.org)
87plimkgyk.fsf_-_@retrospec.tv
close 76869
quit