GNU bug report logs - #78249
[PATCH 0/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].


Package: guix-patches;

Reported by: Ian Eure <ian <at> retrospec.tv>

Date: Sun, 4 May 2025 23:19:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 78249 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Sun, 04 May 2025 23:19:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ian Eure <ian <at> retrospec.tv>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 04 May 2025 23:19:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: guix-patches <at> gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 0/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Sun,  4 May 2025 16:18:31 -0700

The 138.x series needs both nspr and nss bumps.  This adds nspr 4.36 to avoid
a large rebuild.  I have a WIP v2 patch for #73152 which includes that update,
and I'll clean this stuff up after that merges.

Ian Eure (3):
  gnu: Add nspr-4.36.
  gnu: nss-rapid: Update to 3.110.
  gnu: librewolf: Update to 138.0.1-2 [security fixes].

 gnu/packages/librewolf.scm                    | 12 ++++----
 gnu/packages/nss.scm                          | 30 +++++++++++++++++--
 .../patches/torbrowser-compare-paths.patch    | 17 +++--------
 3 files changed, 37 insertions(+), 22 deletions(-)

-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Sun, 04 May 2025 23:20:01 GMT) Full text and rfc822 format available.

Message #8 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 1/3] gnu: Add nspr-4.36.
Date: Sun,  4 May 2025 16:19:29 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable.

Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985
---
 gnu/packages/nss.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 8bcb593ed7..7a8c6b075d 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -95,6 +95,19 @@ (define-public nspr
 in the Mozilla clients.")
     (license license:mpl2.0)))
 
+(define-public nspr-4.36
+  (package
+    (inherit nspr)
+    (version "4.36")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
+                    version "/src/nspr-" version ".tar.gz"))
+              (sha256
+               (base32
+                "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm"))))))
+
 (define-public nspr-4.32
   (package
     (inherit nspr)
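Review bot: The new `nspr-4.36` definition carries no comment saying why a second NSPR version exists or when it can go away. The cover letter gives the reason (the 138.x series needs newer nspr and nss, and a separate variable avoids a large rebuild), so a short `;;` comment above `(define-public nspr-4.36` stating that and naming its users (nss-rapid, librewolf) would tell whoever later updates `nspr` that this variable can be deleted.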
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Sun, 04 May 2025 23:20:02 GMT) Full text and rfc822 format available.

Message #11 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH] gnu: librewolf: Update to 137.0-1 [security fixes].
Date: Sun,  4 May 2025 16:19:30 -0700

Contains fixes for:

CVE-2025-3028: Use-after-free triggered by XSLTProcessor
CVE-2025-3031: JIT optimization bug with different stack slot sizes
CVE-2025-3032: Leaking file descriptors from the fork server
CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
CVE-2025-3033: Opening local .url files could lead to another file
               being opened
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird
               137, Firefox ESR 128.9, and Thunderbird 128.9
CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird
               137

* gnu/packages/librewolf.scm (librewolf): Update to 137.0-1.

Change-Id: I23d8cbefc242e57c19b4e98660fd22bd1dda8d6a
---
 gnu/packages/librewolf.scm | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 1cb7084f23..ae4d64534c 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -206,17 +206,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250327215540")
+(define %librewolf-build-id "20250401171639")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "136.0.4-1")
+    (version "137.0-1")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "0hn2ywyacgg8n47qz1q2l8bf32mszj3vnpkl6kag3wmqqbhvja2a"
-      #:librewolf-hash "045il4xrji2zh1scx3aiy6hx6jv098232aycda6bhsh27szbsrfa"
+      #:firefox-hash "07d9rdxmp48gbk41y1c6gggzziv9aqdhjwgi6c0hrf6chcppxi0y"
+      #:librewolf-hash "164bvissxzhzlwjafp9pdyhhg8hhdxh8w61ifkak497qm4yf8af7"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
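Review bot: This patch does not look like part of the series: the subject has no n/3 counter, `version` moves from "136.0.4-1" to "137.0-1", and the base blob (index 1cb7084f23) differs from the one [PATCH 3/3] applies to (bcacbf8dd1), where the same lines go from "137.0.2-1" to "138.0.1-2". Applying both will conflict on `%librewolf-build-id`, `version` and the two hashes. If it was sent by accident, please say so on the bug so that only 1/3 to 3/3 get applied.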
@@ -236,8 +236,6 @@ (define-public librewolf
                               "--with-system-ffi"
                               "--enable-system-pixman"
                               "--enable-jemalloc"
-
-                              ;; see https://bugs.gnu.org/32833
                               "--with-system-nspr"
                               "--with-system-nss"
 
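Review bot: The reference `;; see https://bugs.gnu.org/32833` above "--with-system-nspr" is dropped, but the commit log lists only "Update to 137.0-1". If the bug no longer applies, mention the removal in the log under an `[arguments]` entry; otherwise keep the comment, since it documents the two system NSPR/NSS flags that follow it.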
@@ -312,7 +310,7 @@ (define (write-setting key value)
                      (libavcodec (string-append ffmpeg
                                                 "/lib/libavcodec.so")))
                 ;; Arrange to load libavcodec.so by its absolute file name.
-                (substitute* 
+                (substitute*
                     "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
                   (("libavcodec\\.so")
                    libavcodec)))))
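Review bot: The only change here is stripping trailing whitespace after `(substitute*`, and the two hunks below do the same for `(error` and another `(substitute*`. These are unrelated to the version update; move them to a separate cosmetic commit or drop them, so the security update stays easy to audit and to cherry-pick.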
@@ -405,7 +403,7 @@ (define (write-setting key value)
                    (string-append all ", icu-uc >= 76.1")))
                 (if (string=? old-content
                               (pk (call-with-input-file file get-string-all)))
-                    (error 
+                    (error
                      "substitute did nothing, phase requires an update")))))
           (replace 'configure
             (lambda* (#:key inputs outputs configure-flags
@@ -478,7 +476,7 @@ (define write-flags
               (invoke "./mach" "configure")))
           (add-before 'build 'fix-addons-placeholder
             (lambda _
-              (substitute* 
+              (substitute*
                   "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl"
                 (("addons.mozilla.org")
                  "gnuzilla.gnu.org"))))
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Sun, 04 May 2025 23:20:02 GMT) Full text and rfc822 format available.

Message #14 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 2/3] gnu: nss-rapid: Update to 3.110.
Date: Sun,  4 May 2025 16:19:31 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110.

Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99
---
 gnu/packages/nss.scm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7a8c6b075d..24f4b60369 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -347,7 +347,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.109")
+   (version "3.110")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -358,11 +358,19 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
+               "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
+           (add-after 'unpack 'neutralize-network-test
+             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
+             ;; to no networking in the build environment.
+             ;; Behavior changed as of 3.110.
+             (lambda _
+               (substitute* "nss/tests/ssl/ssl.sh"
+                 ((" ssl_policy_pkix_ocsp" all)
+                  (string-append "#" all)))))
            (replace 'check
              (lambda* (#:key tests? #:allow-other-keys)
                (if tests?
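Review bot: The pattern `" ssl_policy_pkix_ocsp"` in the new 'neutralize-network-test phase is unanchored, so it inserts "#" before any occurrence of that name preceded by a space, including one in the middle of a longer line or at the start of a longer identifier. Anchor it to the call itself, for example by matching from the start of the line through the end of the name, and say in the comment that only the `ssl_policy_pkix_ocsp` test is skipped, not the rest of ssl.sh.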
@@ -390,8 +398,11 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-28" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
+   (propagated-inputs
+        (modify-inputs (package-propagated-inputs nss)
+          (replace "nspr" nspr-4.36)))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     "Network Security Services (@dfn{NSS}) is a set of libraries designed to
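Review bot: The new `(propagated-inputs` form is indented inconsistently: `(modify-inputs` sits five columns in from its parent, while the sibling `(arguments` field indents its body by one. Reindent it to match. The commit log also says only "Update to 3.110."; add `[arguments]` and `[propagated-inputs]` entries covering the new phase, the faketime date and the nspr replacement.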
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Sun, 04 May 2025 23:20:03 GMT) Full text and rfc822 format available.

Message #17 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Sun,  4 May 2025 16:19:32 -0700

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                      | 12 ++++++------
 .../patches/torbrowser-compare-paths.patch      | 17 ++++-------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd1..8a8dbd05ad 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.1-2")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q"
+      #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
                   libxt
                   mesa
                   mit-krb5
-                  nspr
+                  nspr-4.36
                   nss-rapid
                   pango
                   pciutils
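Review bot: `nspr-4.36` in this input list has to stay in step with the `(replace "nspr" nspr-4.36)` that [PATCH 2/3] adds to nss-rapid's propagated inputs, otherwise librewolf ends up with two NSPR versions among its inputs. A one-line comment next to the entry saying it must match what nss-rapid propagates would keep the next update from changing one without the other.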
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
                          pkg-config
                          python
                          rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                          which
                          yasm))
     (native-search-paths
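Review bot: The bump from `rust-cbindgen-0.26` to `rust-cbindgen-0.28`, like the `nspr` to `nspr-4.36` change in the hunk above, is not mentioned in the commit log, which lists only "Update to 138.0.1-2." for librewolf.scm. Add entries for the changed input fields that name both replacements.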
diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch
index 7d4d5fdb78..8e880bf390 100644
--- a/gnu/packages/patches/torbrowser-compare-paths.patch
+++ b/gnu/packages/patches/torbrowser-compare-paths.patch
@@ -5,20 +5,11 @@ name.
 
 --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
 +++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3606,6 +3606,7 @@
+@@ -3753,6 +3753,7 @@
      if (
        newAddon ||
        oldAddon.updateDate != xpiState.mtime ||
 +      oldAddon.path != xpiState.path ||
-       (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
-     ) {
-       newAddon = this.updateMetadata(
-@@ -3614,8 +3615,6 @@
-         xpiState,
-         newAddon
-       );
--    } else if (oldAddon.path != xpiState.path) {
--      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
-     } else if (aUpdateCompatibility || aSchemaChange) {
-       newAddon = this.updateCompatibility(
-         installLocation,
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
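Review bot: torbrowser-compare-paths.patch is rewritten in place for the librewolf update: the inner hunk moves from `@@ -3606,6 +3606,7 @@` to `@@ -3753,6 +3753,7 @@` with different context. Going by its file name the patch is shared with torbrowser, and a package that applies it to an older XPIDatabase.sys.mjs will no longer match the new context. Either confirm that every user of this patch is on a source tree where the new context applies, or give librewolf its own copy and leave this file alone.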
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 07 May 2025 23:06:02 GMT) Full text and rfc822 format available.

Message #20 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 1/3] gnu: Add nspr-4.36.
Date: Wed,  7 May 2025 16:05:14 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable.

Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985
---
 gnu/packages/nss.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 8bcb593ed7..7a8c6b075d 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -95,6 +95,19 @@ (define-public nspr
 in the Mozilla clients.")
     (license license:mpl2.0)))
 
+(define-public nspr-4.36
+  (package
+    (inherit nspr)
+    (version "4.36")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
+                    version "/src/nspr-" version ".tar.gz"))
+              (sha256
+               (base32
+                "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm"))))))
+
 (define-public nspr-4.32
   (package
     (inherit nspr)
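Review bot: This v2 hunk is identical to the one in [PATCH 1/3], down to the index line (8bcb593ed7..7a8c6b075d) and the Change-Id, and nothing after the `---` marker says what changed in the reroll. Put a short v2 changelog below `---` (or in a cover letter) so reviewers know which of the three patches to re-read.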
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 07 May 2025 23:06:02 GMT) Full text and rfc822 format available.

Message #23 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 2/3] gnu: nss-rapid: Update to 3.110.
Date: Wed,  7 May 2025 16:05:15 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110.

Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99
---
 gnu/packages/nss.scm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7a8c6b075d..24f4b60369 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -347,7 +347,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.109")
+   (version "3.110")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -358,11 +358,19 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
+               "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
+           (add-after 'unpack 'neutralize-network-test
+             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
+             ;; to no networking in the build environment.
+             ;; Behavior changed as of 3.110.
+             (lambda _
+               (substitute* "nss/tests/ssl/ssl.sh"
+                 ((" ssl_policy_pkix_ocsp" all)
+                  (string-append "#" all)))))
            (replace 'check
              (lambda* (#:key tests? #:allow-other-keys)
                (if tests?
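Review bot: `substitute*` in 'neutralize-network-test succeeds even when the pattern matches nothing, so if a later NSS release renames or moves `ssl_policy_pkix_ocsp` the phase silently stops doing anything and the check phase goes back to attempting the DNS lookup. librewolf.scm already guards one substitution by comparing the file before and after and raising "substitute did nothing, phase requires an update"; the same guard here would make the next update fail at this phase instead of deep inside the test run.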
@@ -390,8 +398,11 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-28" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
+   (propagated-inputs
+        (modify-inputs (package-propagated-inputs nss)
+          (replace "nspr" nspr-4.36)))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     "Network Security Services (@dfn{NSS}) is a set of libraries designed to
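Review bot: With `(replace "nspr" nspr-4.36)`, nss-rapid propagates a different NSPR than `nss`, whose propagated inputs still carry plain nspr. Anything that ends up with both nss-rapid and nspr (or nss) among its inputs will see two NSPR versions. [PATCH v2 3/3] handles this for librewolf by switching its input to nspr-4.36; please check the other dependents of nss-rapid and adjust them in this series if any remain.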
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 07 May 2025 23:06:03 GMT) Full text and rfc822 format available.

Message #26 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Wed,  7 May 2025 16:05:16 -0700

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                      | 12 ++++++------
 .../patches/torbrowser-compare-paths.patch      | 17 ++++-------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd1..8a8dbd05ad 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.1-2")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q"
+      #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
                   libxt
                   mesa
                   mit-krb5
-                  nspr
+                  nspr-4.36
                   nss-rapid
                   pango
                   pciutils
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
                          pkg-config
                          python
                          rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                          which
                          yasm))
     (native-search-paths
diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch
index 7d4d5fdb78..8e880bf390 100644
--- a/gnu/packages/patches/torbrowser-compare-paths.patch
+++ b/gnu/packages/patches/torbrowser-compare-paths.patch
@@ -5,20 +5,11 @@ name.
 
 --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
 +++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3606,6 +3606,7 @@
+@@ -3753,6 +3753,7 @@
      if (
        newAddon ||
        oldAddon.updateDate != xpiState.mtime ||
 +      oldAddon.path != xpiState.path ||
-       (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
-     ) {
-       newAddon = this.updateMetadata(
-@@ -3614,8 +3615,6 @@
-         xpiState,
-         newAddon
-       );
--    } else if (oldAddon.path != xpiState.path) {
--      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
-     } else if (aUpdateCompatibility || aSchemaChange) {
-       newAddon = this.updateCompatibility(
-         installLocation,
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
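Review bot: The rewritten inner patch keeps only the added `oldAddon.path != xpiState.path ||` condition and drops the second hunk, which removed the `else if (oldAddon.path != xpiState.path)` branch calling `this.updatePath(...)`. The commit log says only "Adjust for new version."; state whether that branch is gone in the 138 source or is now left in place, where the added condition makes it unreachable.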
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 14 May 2025 00:26:01 GMT) Full text and rfc822 format available.

Message #29 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 1/3] gnu: Add nspr-4.36.
Date: Tue, 13 May 2025 17:25:03 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable.

Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985
---
 gnu/packages/nss.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 8bcb593ed75..7a8c6b075d7 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -95,6 +95,19 @@ (define-public nspr
 in the Mozilla clients.")
     (license license:mpl2.0)))
 
+(define-public nspr-4.36
+  (package
+    (inherit nspr)
+    (version "4.36")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
+                    version "/src/nspr-" version ".tar.gz"))
+              (sha256
+               (base32
+                "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm"))))))
+
 (define-public nspr-4.32
   (package
     (inherit nspr)
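Review bot: The `origin` for nspr-4.36 is restated in full, whereas nss-rapid in the same file builds its source with `(inherit (package-source nss))` and overrides only `uri` and `sha256`. Using `(inherit (package-source nspr))` here would carry over any patches or snippet attached to the base nspr source instead of dropping them without notice.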
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 14 May 2025 00:26:02 GMT) Full text and rfc822 format available.

Message #32 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Tue, 13 May 2025 17:25:05 -0700

Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                        | 14 +++++++-------
 .../patches/librewolf-compare-paths.patch         | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd15..5b3c3a4a837 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -191,7 +191,7 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
                           #$output)))))
       (patches
        (search-patches
-        "torbrowser-compare-paths.patch"
+        "librewolf-compare-paths.patch"
         "librewolf-use-system-wide-dir.patch"
         "librewolf-add-store-to-rdd-allowlist.patch")))))
 
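Review bot: `search-patches` now names "librewolf-compare-paths.patch", but the diffstat lists only gnu/packages/librewolf.scm and the new patch file. New files under gnu/packages/patches also need an entry in `dist_patch_DATA` in gnu/local.mk; add it and list `gnu/local.mk (dist_patch_DATA): Register it.` in the commit log.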
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.1-2")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q"
+      #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
                   libxt
                   mesa
                   mit-krb5
-                  nspr
+                  nspr-4.36
                   nss-rapid
                   pango
                   pciutils
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
                          pkg-config
                          python
                          rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                          which
                          yasm))
     (native-search-paths
diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch
new file mode 100644
index 00000000000..8e880bf3908
--- /dev/null
+++ b/gnu/packages/patches/librewolf-compare-paths.patch
@@ -0,0 +1,15 @@
+See comment in gnu/build/icecat-extension.scm.
+This is only needed while icecat and torbrowser remain on
+different ESR versions as the patched file has changed its
+name.
+
+--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+@@ -3753,6 +3753,7 @@
+     if (
+       newAddon ||
+       oldAddon.updateDate != xpiState.mtime ||
++      oldAddon.path != xpiState.path ||
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
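Review bot: The header of the new file is carried over from the torbrowser patch (the blob id 8e880bf3908 matches the v2 rewrite of torbrowser-compare-paths.patch): it says the patch "is only needed while icecat and torbrowser remain on different ESR versions", which does not describe a librewolf-specific copy. Reword it to say why librewolf needs its own variant (the hunk applies at `@@ -3753,6 +3753,7 @@`), and keep the pointer to gnu/build/icecat-extension.scm for the rationale.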
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Wed, 14 May 2025 00:26:02 GMT) Full text and rfc822 format available.

Message #35 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 2/3] gnu: nss-rapid: Update to 3.110.
Date: Tue, 13 May 2025 17:25:04 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110.

Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99
---
 gnu/packages/nss.scm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7a8c6b075d7..24f4b603694 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -347,7 +347,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.109")
+   (version "3.110")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -358,11 +358,19 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
+               "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
+           (add-after 'unpack 'neutralize-network-test
+             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
+             ;; to no networking in the build environment.
+             ;; Behavior changed as of 3.110.
+             (lambda _
+               (substitute* "nss/tests/ssl/ssl.sh"
+                 ((" ssl_policy_pkix_ocsp" all)
+                  (string-append "#" all)))))
            (replace 'check
              (lambda* (#:key tests? #:allow-other-keys)
                (if tests?
@@ -390,8 +398,11 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-28" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
+   (propagated-inputs
+        (modify-inputs (package-propagated-inputs nss)
+          (replace "nspr" nspr-4.36)))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     "Network Security Services (@dfn{NSS}) is a set of libraries designed to
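Review bot: The faketime argument in the 'check phase is a hand-maintained literal ("2025-03-28") that has to move with every version bump, and the existing comment only says "roughly the release date". State in that comment which release the date belongs to, so the next updater knows it must change together with the version field.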
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Thu, 15 May 2025 05:12:02 GMT) Full text and rfc822 format available.

Message #38 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 1/3] gnu: Add nspr-4.36.
Date: Wed, 14 May 2025 22:11:11 -0700
* gnu/packages/nss.scm (nspr-4.36): New variable.

Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985
---
 gnu/packages/nss.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 8bcb593ed75..7a8c6b075d7 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -95,6 +95,19 @@ (define-public nspr
 in the Mozilla clients.")
     (license license:mpl2.0)))
 
+(define-public nspr-4.36
+  (package
+    (inherit nspr)
+    (version "4.36")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
+                    version "/src/nspr-" version ".tar.gz"))
+              (sha256
+               (base32
+                "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm"))))))
+
 (define-public nspr-4.32
   (package
     (inherit nspr)
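Review bot: nspr-4.36 is added without a comment saying why a second nspr sits beside the default one or when it can be removed. The cover letter gives the reason (avoiding a large rebuild until the nspr update in #73152 is merged); put that in a comment above (define-public nspr-4.36 so the variable is cleaned up once nspr itself is updated.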
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Thu, 15 May 2025 05:12:02 GMT) Full text and rfc822 format available.

Message #41 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 2/3] gnu: nss-rapid: Update to 3.110.
Date: Wed, 14 May 2025 22:11:12 -0700
* gnu/packages/nss.scm (nss-rapid): Update to 3.110.

Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99
---
 gnu/packages/nss.scm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7a8c6b075d7..24f4b603694 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -347,7 +347,7 @@ (define-public nss-rapid
   (package
    (inherit nss)
    (name "nss-rapid")
-   (version "3.109")
+   (version "3.110")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
@@ -358,11 +358,19 @@ (define-public nss-rapid
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y"))))
+               "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
+           (add-after 'unpack 'neutralize-network-test
+             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
+             ;; to no networking in the build environment.
+             ;; Behavior changed as of 3.110.
+             (lambda _
+               (substitute* "nss/tests/ssl/ssl.sh"
+                 ((" ssl_policy_pkix_ocsp" all)
+                  (string-append "#" all)))))
            (replace 'check
              (lambda* (#:key tests? #:allow-other-keys)
                (if tests?
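Review bot: The substitute* pattern " ssl_policy_pkix_ocsp" in 'neutralize-network-test is unanchored, so it comments out every place in ssl.sh where that name follows a space, not only the call that needs name resolution. Anchor the regexp to the call site you mean to disable, and check after the next NSS update that it still matches, because substitute* does not fail the build when a pattern no longer matches and the test would silently come back.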
@@ -390,8 +398,11 @@ (define-public nss-rapid
                      ;; leading to test failures:
                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
                      ;; work around that, set the time to roughly the release date.
-                     (invoke "faketime" "2025-03-01" "./nss/tests/all.sh"))
+                     (invoke "faketime" "2025-03-28" "./nss/tests/all.sh"))
                    (format #t "test suite not run~%"))))))))
+   (propagated-inputs
+        (modify-inputs (package-propagated-inputs nss)
+          (replace "nspr" nspr-4.36)))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     "Network Security Services (@dfn{NSS}) is a set of libraries designed to
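Review bot: Replacing "nspr" with nspr-4.36 in propagated-inputs means every user of nss-rapid now gets nspr-4.36 propagated, so a package that lists nss-rapid next to plain nspr would end up with two nspr versions. Patch 3/3 switches librewolf accordingly, but other users of nss-rapid should be checked. The form is also over-indented: (modify-inputs should sit one column past (propagated-inputs, the way (substitute-keyword-arguments sits under (arguments.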
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78249; Package guix-patches. (Thu, 15 May 2025 05:12:02 GMT) Full text and rfc822 format available.

Message #44 received at 78249 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 3/3] gnu: librewolf: Update to 138.0.3-1 [security fixes].
Date: Wed, 14 May 2025 22:11:13 -0700
Contains fixes for:

CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
               macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
               in cross-origin frames

CVE-2025-4085: Potential information leakage and privilege escalation
               in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
               download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
               redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
               command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
               138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
               138

* gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.

Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
---
 gnu/packages/librewolf.scm                        | 14 +++++++-------
 .../patches/librewolf-compare-paths.patch         | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index bcacbf8dd15..063a89420fe 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -191,7 +191,7 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n)
                           #$output)))))
       (patches
        (search-patches
-        "torbrowser-compare-paths.patch"
+        "librewolf-compare-paths.patch"
         "librewolf-use-system-wide-dir.patch"
         "librewolf-add-store-to-rdd-allowlist.patch")))))
 
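Review bot: The search-patches entry now names librewolf-compare-paths.patch, which this commit creates, but the diffstat lists only gnu/packages/librewolf.scm and the patch file, so the new patch is not registered in gnu/local.mk. Add it to dist_patch_DATA there and list that change in the commit log.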
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82)
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.3-1")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2"
+      #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
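Review bot: %librewolf-build-id is set to "20250502155055", a timestamp of 2 May 2025, while the version in this hunk is now 138.0.3-1 and earlier revisions of this series targeted 138.0.1-2. Please confirm the id was refreshed for 138.0.3-1, as the comment above it asks ("Update this id with every update to its release date").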
@@ -639,7 +639,7 @@ (define (runpaths-of-input label)
                   libxt
                   mesa
                   mit-krb5
-                  nspr
+                  nspr-4.36
                   nss-rapid
                   pango
                   pciutils
@@ -665,7 +665,7 @@ (define (runpaths-of-input label)
                          pkg-config
                          python
                          rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                          which
                          yasm))
     (native-search-paths
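Review bot: The commit log only records "(librewolf): Update to 138.0.3-1." although this hunk and the previous one also change the inputs (nspr to nspr-4.36, rust-cbindgen-0.26 to rust-cbindgen-0.28). Add [inputs] and [native-inputs] entries for these replacements so the dependency changes are visible in the log.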
diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch
new file mode 100644
index 00000000000..8e880bf3908
--- /dev/null
+++ b/gnu/packages/patches/librewolf-compare-paths.patch
@@ -0,0 +1,15 @@
+See comment in gnu/build/icecat-extension.scm.
+This is only needed while icecat and torbrowser remain on
+different ESR versions as the patched file has changed its
+name.
+
+--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+@@ -3753,6 +3753,7 @@
+     if (
+       newAddon ||
+       oldAddon.updateDate != xpiState.mtime ||
++      oldAddon.path != xpiState.path ||
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
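Review bot: The header of the new patch file still reads "This is only needed while icecat and torbrowser remain on different ESR versions", which describes the torbrowser patch it was copied from and does not mention librewolf. Reword it to say why librewolf needs its own copy (the hunk offset differs, here @@ -3753) and under what condition it can be merged back with the shared patch.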
-- 
2.49.0





This bug report was last modified today.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.