GNU bug report logs
Report forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Sat, 08 Mar 2025 15:41:02 GMT)
Acknowledgement sent to Ian Eure <ian@retrospec.tv>: New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sat, 08 Mar 2025 15:41:02 GMT)
Message #5 received at submit@debbugs.gnu.org:
More complex update than usual.
- LW now requires nss >= 3.108. Update nss-rapid to 3.109.
- LW now requires libpng-apng >= 1.6.46. libpng is very low in the graph and
needs to build on a branch. #76798 updates it in core-packages-team, I
added libpng-for-librewolf in the meantime.
- LW now needs icu4c >= 76.1, updated in #76750. There's also a bug with
this, which requires a workaround until (presumably) 136.0.1-1.
- Update firefox-l10n to the current HEAD.
gnu/packages/librewolf.scm | 62 ++++++++++++++++++++++++++++++++------
gnu/packages/nss.scm | 6 ++--
2 files changed, 56 insertions(+), 12 deletions(-)
--
2.48.1
Information forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:02 GMT)
Message #8 received at 76869@debbugs.gnu.org:
* gnu/packages/librewolf.scm (firefox-l10n): Update to 24e2602d2221646fbbe92e908bed0d605acd2e8a.
Change-Id: I32c4748b6d76c21cf1e4dadbb0859cb55fb9a2ef
---
gnu/packages/librewolf.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 2a4bf3fada..7a356b6d91 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -117,14 +117,14 @@ (define (librewolf-source-origin version hash)
(define computed-origin-method (@@ (guix packages) computed-origin-method))
(define firefox-l10n
- (let ((commit "d219efa7c64850dfb5904893e17a5431c7058192"))
+ (let ((commit "24e2602d2221646fbbe92e908bed0d605acd2e8a"))
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/mozilla-l10n/firefox-l10n.git" )
(commit commit)))
(file-name (git-file-name "firefox-l10n" commit))
- (sha256 (base32 "0g778fnxg5mkqm3rgryzl64f3n4pczngjdlby07vh2dycvmlyga8")))))
+ (sha256 (base32 "1xnldwgldls07m5hmm9wnln6g2vcar5w4k4918qkmakldaw6ang0")))))
(define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
(let* ((ff-src (firefox-source-origin
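Review bot: the new `commit` value in the `let` binding is an arbitrary snapshot of firefox-l10n (the cover letter calls it "the current HEAD"), and nothing in the definition records which LibreWolf release it was taken for. A one-line comment above `(define firefox-l10n` naming the release it accompanies (here 136.0-2) would let the next updater, or anyone auditing the pin, tell whether the locale data and the browser source belong together. Pinning by full commit hash plus `sha256` is the right shape; please confirm the new base32 value was computed from a fresh checkout of exactly this commit.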
--
2.48.1
Information forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:03 GMT)
Message #11 received at 76869@debbugs.gnu.org:
* gnu/packages/nss.scm (nss-rapid): Update to 3.109.
Change-Id: I6afa0f9ab714aa26dcd17c6526e4b95be07b9eb9
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 9b5d901063..8bcb593ed7 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -334,7 +334,7 @@ (define-public nss-rapid
(package
(inherit nss)
(name "nss-rapid")
- (version "3.107")
+ (version "3.109")
(source (origin
(inherit (package-source nss))
(uri (let ((version-with-underscores
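Review bot: on the `(inherit (package-source nss))` line the 3.109 origin keeps whatever patches and snippet the base `nss` origin carries, so a jump of two upstream releases (3.107 to 3.109) can leave an inherited patch that no longer applies. Please confirm the inherited origin fields still work against the 3.109 tarball, and record in the commit message that LibreWolf 136 needs nss >= 3.108, as the cover letter states, so the reason for the bump travels with the change.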
@@ -345,7 +345,7 @@ (define-public nss-rapid
"nss-" version ".tar.gz")))
(sha256
(base32
- "0ab7kpyg54aha86aw0ak70ckmfj1ih7d9x8mlrqhf59q7r3rczkz"))))
+ "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
(arguments
(substitute-keyword-arguments (package-arguments nss)
((#:phases phases)
@@ -377,7 +377,7 @@ (define-public nss-rapid
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734 >. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-11-29" "./nss/tests/all.sh"))
+ (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))))))
(synopsis "Network Security Services (Rapid Release)")
(description
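Review bot: the `faketime` date on the `invoke` line is a second hand-maintained value that has to move with `version`, and the two sit about forty lines apart (hunks at -334 and -377), so it is easy to bump one and forget the other. The comment only says "roughly the release date"; consider a short note next to the `version` field pointing at this phase, so that a stale date does not bring back the test failures the comment refers to.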
--
2.48.1
Information forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Sat, 08 Mar 2025 17:41:03 GMT)
Message #14 received at 76869@debbugs.gnu.org:
CVE-2025-1930 : AudioIPC StreamData could trigger a use-after-free in
the Browser process
CVE-2025-1939 : Tapjacking in Android Custom Tabs using transition
animations
CVE-2025-1931 : Use-after-free in WebTransportChild
CVE-2025-1932 : Inconsistent comparator in XSLT sorting led to
out-of-bounds access
CVE-2025-1933 : JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940 : Android Intent confirmation prompt tapjacking using
Select options
CVE-2024-9956 : Passkey phishing within Bluetooth range
CVE-2025-1934 : Unexpected GC during RegExp bailout processing
CVE-2025-1941 : Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942 : Disclosure of uninitialized memory when .toUpperCase()
causes string to get longer
CVE-2025-1935 : Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936 : Adding %00 and a fake extension to a jar: URL changed
the interpretation of the contents
CVE-2025-1937 : Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 115.21, Firefox ESR 128.8, and
Thunderbird 128.8
CVE-2025-1938 : Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943 : Memory safety bugs fixed in Firefox 136 and Thunderbird
136
* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.
Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
---
gnu/packages/librewolf.scm | 58 +++++++++++++++++++++++++++++++++-----
1 file changed, 51 insertions(+), 7 deletions(-)
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 7a356b6d91..f65e8bc69f 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -200,23 +200,56 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
;;; but since in Guix only the latest packaged Rust is officially supported,
;;; it is a tradeoff worth making.
;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
-;; 135.0 wants 1.83, but it's not available in Guix yet.
+;; 136.0 wants 1.84, but it's not available in Guix yet.
(define rust-librewolf rust-1.82)
;; Update this id with every update to its release date.
;; It's used for cache validation and therefore can lead to strange bugs.
;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250209210057")
+(define %librewolf-build-id "20250306064037")
+
+;; Temporary, until 76798 merges into core-packages-team, and that merges into
+;; master.
+(define libpng-apng-for-librewolf
+ (hidden-package
+ (package
+ (inherit libpng-apng)
+ (version "1.6.46")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
+ version "/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src "
+ "/libpng16/libpng-" version ".tar.xz")
+ (string-append
+ "ftp://ftp.simplesystems.org/pub/libpng/png/src/history "
+ "/libpng16/libpng-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1cbwf20zlm4gcv8rpjivkngrjgl5366w21lr9qmbk2lr0dq8papk"))))
+ (inputs
+ (modify-inputs (package-inputs libpng-apng)
+ (replace "apng"
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append "mirror://sourceforge/libpng-apng/libpng16/"
+ version "/libpng-" version "-apng.patch.gz"))
+ (sha256
+ (base32
+ "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
(define-public librewolf
(package
(name "librewolf")
- (version "135.0-1")
+ (version "136.0-2")
(source
(make-librewolf-source
#:version version
- #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
- #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
+ #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
+ #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
#:l10n firefox-l10n))
(build-system gnu-build-system)
(arguments
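Review bot: the comment change to ";; 136.0 wants 1.84" leaves `(define rust-librewolf rust-1.82)` untouched, so the gap between the toolchain upstream asks for and the one actually used grows from one release to two. The visible comment block explains why the lag is accepted but not where the build gets past upstream's minimum-version requirement; please point to that in the comment so a reviewer can check it still holds for 136.0. Separately, the ";; Temporary, until 76798 merges" comment would be easier to follow up on if it named the tracker, for example "bug#76798".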
@@ -392,6 +425,17 @@ (define (write-setting key value)
(lambda _
(setenv "MOZ_BUILD_DATE"
#$%librewolf-build-id)))
+ ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
+ (add-before 'configure 'patch-icu-lookup
+ (lambda _
+ (let* ((file "js/moz.configure")
+ (old-content (call-with-input-file file get-string-all)))
+ (substitute* file
+ (("icu-i18n >= 76.1" all)
+ (string-append all ", icu-uc >= 76.1")))
+ (if (string=? old-content
+ (pk (call-with-input-file file get-string-all)))
+ (error "substitute did nothing, phase requires an update")))))
(replace 'configure
(lambda* (#:key inputs outputs configure-flags
#:allow-other-keys)
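Review bot: the `(pk (call-with-input-file file get-string-all))` inside the `string=?` test looks like leftover debugging; `pk` prints its argument, so every build would dump the whole of js/moz.configure into the build log. Drop the `pk` wrapper, and use `when` rather than a one-armed `if` for the error branch. The before/after comparison itself is worth keeping, since it makes the phase fail loudly once upstream changes the `icu-i18n >= 76.1` line and the workaround stops matching.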
@@ -671,7 +715,7 @@ (define (runpaths-of-input label)
gtk+
gtk+-2
hunspell
- icu4c-75
+ icu4c-76
jemalloc
libcanberra
libevent
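Review bot: the switch from `icu4c-75` to `icu4c-76` in the inputs is not mentioned in the commit message, which only says "(librewolf): Update to 136.0-2." Please list the input changes, the new `patch-icu-lookup` phase and the new `libpng-apng-for-librewolf` variable in the log, and note that `icu4c-76` comes from #76750 so the ordering dependency is visible to whoever applies the series.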
@@ -679,7 +723,7 @@ (define (runpaths-of-input label)
libgnome
libjpeg-turbo
libnotify
- libpng-apng
+ libpng-apng-for-librewolf
libva
libvpx
libwebp
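Review bot: replacing `libpng-apng` with the hidden `libpng-apng-for-librewolf` in this input list means LibreWolf keeps using its private 1.6.46 copy even after the shared `libpng-apng` is updated, until someone reverts this line. The "Temporary" comment sits on the definition, not on the input; a short comment at this entry pointing back to it would make the revert hard to miss, which matters because a forgotten private copy will not pick up later libpng fixes.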
--
2.48.1
Information forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Wed, 12 Mar 2025 03:40:02 GMT)
Message #17 received at 76869@debbugs.gnu.org:
Hi,
Ian Eure <ian@retrospec.tv> writes:
> CVE-2025-1930 : AudioIPC StreamData could trigger a use-after-free in
> the Browser process
> CVE-2025-1939 : Tapjacking in Android Custom Tabs using transition
> animations
> CVE-2025-1931 : Use-after-free in WebTransportChild
> CVE-2025-1932 : Inconsistent comparator in XSLT sorting led to
> out-of-bounds access
> CVE-2025-1933 : JIT corruption of WASM i32 return values on 64-bit CPUs
> CVE-2025-1940 : Android Intent confirmation prompt tapjacking using
> Select options
> CVE-2024-9956 : Passkey phishing within Bluetooth range
> CVE-2025-1934 : Unexpected GC during RegExp bailout processing
> CVE-2025-1941 : Lock screen setting bypass in Firefox Focus for Android
> CVE-2025-1942 : Disclosure of uninitialized memory when .toUpperCase()
> causes string to get longer
> CVE-2025-1935 : Clickjacking the registerProtocolHandler info-bar
> CVE-2025-1936 : Adding %00 and a fake extension to a jar: URL changed
> the interpretation of the contents
> CVE-2025-1937 : Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 115.21, Firefox ESR 128.8, and
> Thunderbird 128.8
> CVE-2025-1938 : Memory safety bugs fixed in Firefox 136, Thunderbird
> 136, Firefox ESR 128.8, and Thunderbird 128.8
> CVE-2025-1943 : Memory safety bugs fixed in Firefox 136 and Thunderbird
> 136
Wooh!
[...]
> ;; Update this id with every update to its release date.
> ;; It's used for cache validation and therefore can lead to strange bugs.
> ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20250209210057")
> +(define %librewolf-build-id "20250306064037")
> +
> +;; Temporary, until 76798 merges into core-packages-team, and that merges into
> +;; master.
> +(define libpng-apng-for-librewolf
> + (hidden-package
> + (package
> + (inherit libpng-apng)
That package should be defined in (gnu packages libpng-apng), to avoid
cyclic import problems down the road (info "(guix) Cyclic Module
Dependencies").
> (define-public librewolf
> (package
> (name "librewolf")
> - (version "135.0-1")
> + (version "136.0-2")
> (source
> (make-librewolf-source
> #:version version
> - #:firefox-hash "0q5r2q6q56kyzl5pknrir9bzlhmzbvv9hi5gi4852izgcali4zl2"
> - #:librewolf-hash "0fg4vji5xb17pgvq7jnfz4dq08gi0rl998xhj37hfm5zxs19y8jk"
> + #:firefox-hash "0mvg53fr9zi6pq2pwa6qzqi88brqig1wlzic9sz52i4knx733viv"
> + #:librewolf-hash "0zb5f6hml7nmyf8hms66s07ba97x2px2hgqqi4lmwr5hm9mf942z"
> #:l10n firefox-l10n))
> (build-system gnu-build-system)
> (arguments
> @@ -392,6 +425,17 @@ (define (write-setting key value)
> (lambda _
> (setenv "MOZ_BUILD_DATE"
> #$%librewolf-build-id)))
> + ;; https://bugzilla.mozilla.org/show_bug.cgi?id=1927380
> + (add-before 'configure 'patch-icu-lookup
> + (lambda _
> + (let* ((file "js/moz.configure")
> + (old-content (call-with-input-file file get-string-all)))
> + (substitute* file
> + (("icu-i18n >= 76.1" all)
> + (string-append all ", icu-uc >= 76.1")))
> + (if (string=? old-content
> + (pk (call-with-input-file file get-string-all)))
> + (error "substitute did nothing, phase requires an update")))))
Please try to keep the max column width < 80 columns. That's why often
we use something like, to keep the hanging indent small.
--8<---------------cut here---------------start------------->8---
#:phases
(list
#~(modify-phases %standard-phases
(add-after ...)))
--8<---------------cut here---------------end--------------->8---
Other than these small things, it LGTM. I'll try testing it to see if
the localization issue I had mentioned is resolved.
Thanks for maintaining it!
--
Maxim
Information forwarded to guix-patches@gnu.org: bug#76869; Package guix-patches. (Wed, 12 Mar 2025 04:23:02 GMT)
Message #20 received at 76869@debbugs.gnu.org:
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> Hi,
>
> Ian Eure <ian@retrospec.tv> writes:
>
>> +;; Temporary, until 76798 merges into core-packages-team, and
>> that merges into
>> +;; master.
>> +(define libpng-apng-for-librewolf
>> + (hidden-package
>> + (package
>> + (inherit libpng-apng)
>
> That package should be defined in (gnu packages libpng-apng), to
> avoid
> cyclic import problems down the road (info "(guix) Cyclic Module
> Dependencies").
Huh, okay. I’ll move it.
> Please try to keep the max column width < 80 columns. That's
> why often
> we use something like, to keep the hanging indent small.
Ooh, yeah, some of these have gotten out of hand.
Will fix both issues and push.
> Other than these small things, it LGTM. I'll try testing it to
> see
> if the localization issue I had mentioned is resolved.
I haven’t had a chance to look into this / compare with other LW
packages, so I wouldn’t expect much.
> Thanks for maintaining it!
Happy to! Thank you for the review.
-- Ian
bug closed, send any further explanations to 76869@debbugs.gnu.org and Ian Eure <ian@retrospec.tv>. Request was from Ian Eure <ian@retrospec.tv> to control@debbugs.gnu.org. (Wed, 12 Mar 2025 04:32:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 09 Apr 2025 11:24:19 GMT)