Package: guix-patches;
Reported by: Ian Eure <ian <at> retrospec.tv>
Date: Sun, 4 May 2025 23:19:02 UTC
Severity: normal
Tags: patch
guix-patches <at> gnu.org: bug#78249; Package guix-patches. (Sun, 04 May 2025 23:19:02 GMT)
Ian Eure <ian <at> retrospec.tv>: guix-patches <at> gnu.org. (Sun, 04 May 2025 23:19:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv>
To: guix-patches <at> gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 0/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Sun, 4 May 2025 16:18:31 -0700

The 138.x series needs both nspr and nss bumps. This adds nspr 4.36 to avoid a large rebuild. I have a WIP v2 patch for #73152 which includes that update, and I'll clean this stuff up after that merges.

Ian Eure (3):
  gnu: Add nspr-4.36.
  gnu: nss-rapid: Update to 3.110.
  gnu: librewolf: Update to 138.0.1-2 [security fixes].

 gnu/packages/librewolf.scm                    | 12 ++++----
 gnu/packages/nss.scm                          | 30 +++++++++++++++++--
 .../patches/torbrowser-compare-paths.patch    | 17 +++--------
 3 files changed, 37 insertions(+), 22 deletions(-)

-- 
2.49.0
Message #8 received at 78249 <at> debbugs.gnu.org (Sun, 04 May 2025 23:20:01 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 1/3] gnu: Add nspr-4.36.
Date: Sun, 4 May 2025 16:19:29 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable. Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985 --- gnu/packages/nss.scm | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 8bcb593ed7..7a8c6b075d 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,6 +95,19 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define-public nspr-4.36 + (package + (inherit nspr) + (version "4.36") + (source (origin + (method url-fetch) + (uri (string-append + "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" + version "/src/nspr-" version ".tar.gz")) + (sha256 + (base32 + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))))) + (define-public nspr-4.32 (package (inherit nspr) -- 2.49.0
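Review bot: the new `nspr-4.36` definition in the `@@ -95,6 +95,19 @@` hunk carries no comment saying why a second, newer NSPR is exported next to `nspr`, or when it can be removed. The cover letter gives the reason (avoiding a large rebuild until the update tracked in #73152 merges); please put that in a `;;` comment above `(define-public nspr-4.36` so the variable is not left behind once `nspr` itself is updated.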
Message #11 received at 78249 <at> debbugs.gnu.org (Sun, 04 May 2025 23:20:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH] gnu: librewolf: Update to 137.0-1 [security fixes].
Date: Sun, 4 May 2025 16:19:30 -0700

Contains fixes for: CVE-2025-3028: Use-after-free triggered by XSLTProcessor CVE-2025-3031: JIT optimization bug with different stack slot sizes CVE-2025-3032: Leaking file descriptors from the fork server CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters CVE-2025-3035: Tab title disclosure across pages when using AI chatbot CVE-2025-3033: Opening local .url files could lead to another file being opened CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9 CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird 137 * gnu/packages/librewolf.scm (librewolf): Update to 137.0-1. Change-Id: I23d8cbefc242e57c19b4e98660fd22bd1dda8d6a --- gnu/packages/librewolf.scm | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index 1cb7084f23..ae4d64534c 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -206,17 +206,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250327215540") +(define %librewolf-build-id "20250401171639") (define-public librewolf (package (name "librewolf") - (version "136.0.4-1") + (version "137.0-1") (source (make-librewolf-source #:version version - #:firefox-hash "0hn2ywyacgg8n47qz1q2l8bf32mszj3vnpkl6kag3wmqqbhvja2a" - #:librewolf-hash "045il4xrji2zh1scx3aiy6hx6jv098232aycda6bhsh27szbsrfa" + #:firefox-hash "07d9rdxmp48gbk41y1c6gggzziv9aqdhjwgi6c0hrf6chcppxi0y" + #:librewolf-hash "164bvissxzhzlwjafp9pdyhhg8hhdxh8w61ifkak497qm4yf8af7" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -236,8 +236,6 @@ (define-public librewolf "--with-system-ffi" "--enable-system-pixman" "--enable-jemalloc" - - ;; see https://bugs.gnu.org/32833 "--with-system-nspr" "--with-system-nss" 
@@ -312,7 +310,7 @@ (define (write-setting key value) (libavcodec (string-append ffmpeg "/lib/libavcodec.so"))) ;; Arrange to load libavcodec.so by its absolute file name. - (substitute* + (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp" (("libavcodec\\.so") libavcodec))))) @@ -405,7 +403,7 @@ (define (write-setting key value) (string-append all ", icu-uc >= 76.1"))) (if (string=? old-content (pk (call-with-input-file file get-string-all))) - (error + (error "substitute did nothing, phase requires an update"))))) (replace 'configure (lambda* (#:key inputs outputs configure-flags @@ -478,7 +476,7 @@ (define write-flags (invoke "./mach" "configure"))) (add-before 'build 'fix-addons-placeholder (lambda _ - (substitute* + (substitute* "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl" (("addons.mozilla.org") "gnuzilla.gnu.org")))) -- 2.49.0
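Review bot: this patch does not fit the series it was sent with: the pre-image in the `@@ -206,17 +206,17 @@` hunk is `(version "136.0.4-1")`, while patch 3/3 of the same series starts from `(version "137.0.2-1")`, and the subject has no n/3 numbering. It looks like a leftover file picked up when sending; please confirm it is to be ignored so it is not applied by mistake.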
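Review bot: the `@@ -236,8 +236,6 @@` hunk deletes the `;; see https://bugs.gnu.org/32833` comment that sits above `"--with-system-nspr"` and `"--with-system-nss"`, and the commit log does not mention it. If the reference is obsolete, say so in the log; otherwise keep it, since it is the pointer attached to those two configure flags.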
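Review bot: the hunks at `@@ -312,7 +310,7 @@`, `@@ -405,7 +403,7 @@` and `@@ -478,7 +476,7 @@` touch only the `(substitute*` and `(error` lines, with no visible difference other than whitespace. These cleanups are unrelated to a security update; move them to a separate commit or list them in the commit log, so the version and hash change stays easy to audit.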
Message #14 received at 78249 <at> debbugs.gnu.org (Sun, 04 May 2025 23:20:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 2/3] gnu: nss-rapid: Update to 3.110.
Date: Sun, 4 May 2025 16:19:31 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110. Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99 --- gnu/packages/nss.scm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 7a8c6b075d..24f4b60369 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -347,7 +347,7 @@ (define-public nss-rapid (package (inherit nss) (name "nss-rapid") - (version "3.109") + (version "3.110") (source (origin (inherit (package-source nss)) (uri (let ((version-with-underscores @@ -358,11 +358,19 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw")))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) #~(modify-phases #$phases + (add-after 'unpack 'neutralize-network-test + ;; Test tries to resolve `wrong.host.badssl.com' which fails due + ;; to no networking in the build environment. + ;; Behavior changed as of 3.110. + (lambda _ + (substitute* "nss/tests/ssl/ssl.sh" + ((" ssl_policy_pkix_ocsp" all) + (string-append "#" all))))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -390,8 +398,11 @@ (define-public nss-rapid ;; leading to test failures: ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2025-03-01" "./nss/tests/all.sh")) + (invoke "faketime" "2025-03-28" "./nss/tests/all.sh")) (format #t "test suite not run~%")))))))) + (propagated-inputs + (modify-inputs (package-propagated-inputs nss) + (replace "nspr" nspr-4.36))) (synopsis "Network Security Services (Rapid Release)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to -- 2.49.0
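Review bot: in the `@@ -358,11 +358,19 @@` hunk, the `neutralize-network-test` phase matches the bare string `" ssl_policy_pkix_ocsp"`, so it comments out every occurrence that follows a space, and `substitute*` silently does nothing if upstream renames or re-indents the call. Anchor the pattern to the call line and make the phase fail when nothing was substituted. The comment should also state that the `ssl_policy_pkix_ocsp` test no longer runs, ideally with a link to an upstream report, so it can be re-enabled later.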
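Review bot: the `propagated-inputs` field added in the `@@ -390,8 +398,11 @@` hunk makes `nss-rapid` propagate `nspr-4.36`, yet the commit log says only "Update to 3.110" and mentions neither this nor the new phase. Please add `[arguments]` and `[propagated-inputs]` entries to the log, and a short comment on the field noting that a package listing plain `nspr` next to `nss-rapid` would end up with two NSPR versions among its inputs.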
Message #17 received at 78249 <at> debbugs.gnu.org (Sun, 04 May 2025 23:20:03 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Sun, 4 May 2025 16:19:32 -0700

Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2. * gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729 --- gnu/packages/librewolf.scm | 12 ++++++------ .../patches/torbrowser-compare-paths.patch | 17 ++++------------- 2 files changed, 10 insertions(+), 19 deletions(-) diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd1..8a8dbd05ad 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm 
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.1-2") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q" + #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch index 7d4d5fdb78..8e880bf390 100644 --- a/gnu/packages/patches/torbrowser-compare-paths.patch +++ b/gnu/packages/patches/torbrowser-compare-paths.patch @@ -5,20 +5,11 @@ name. --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs 
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs -@@ -3606,6 +3606,7 @@ +@@ -3753,6 +3753,7 @@ if ( newAddon || oldAddon.updateDate != xpiState.mtime || + oldAddon.path != xpiState.path || - (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) - ) { - newAddon = this.updateMetadata( -@@ -3614,8 +3615,6 @@ - xpiState, - newAddon - ); -- } else if (oldAddon.path != xpiState.path) { -- newAddon = this.updatePath(installLocation, oldAddon, xpiState); - } else if (aUpdateCompatibility || aSchemaChange) { - newAddon = this.updateCompatibility( - installLocation, + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing -- 2.49.0
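Review bot: the `@@ -639,7 +639,7 @@` and `@@ -665,7 +665,7 @@` hunks replace `nspr` with `nspr-4.36` and `rust-cbindgen-0.26` with `rust-cbindgen-0.28`, but the commit log entry for `gnu/packages/librewolf.scm` only says "Update to 138.0.1-2". Add log entries for the two input lists naming both replacements, so the dependency change is visible without reading the diff.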
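Review bot: the diff against `gnu/packages/patches/torbrowser-compare-paths.patch` rewrites that patch in place for the new source: the hunk moves from `@@ -3606,6 +3606,7 @@` to `@@ -3753,6 +3753,7 @@` and the second hunk is dropped. Going by its file name, the patch is not LibreWolf's alone, so any other package still applying it to an older source tree would stop building. Give LibreWolf its own copy rather than editing the shared file.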
Message #20 received at 78249 <at> debbugs.gnu.org (Wed, 07 May 2025 23:06:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 1/3] gnu: Add nspr-4.36.
Date: Wed, 7 May 2025 16:05:14 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable. Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985 --- gnu/packages/nss.scm | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 8bcb593ed7..7a8c6b075d 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,6 +95,19 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define-public nspr-4.36 + (package + (inherit nspr) + (version "4.36") + (source (origin + (method url-fetch) + (uri (string-append + "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" + version "/src/nspr-" version ".tar.gz")) + (sha256 + (base32 + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))))) + (define-public nspr-4.32 (package (inherit nspr) -- 2.49.0
Message #23 received at 78249 <at> debbugs.gnu.org (Wed, 07 May 2025 23:06:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 2/3] gnu: nss-rapid: Update to 3.110.
Date: Wed, 7 May 2025 16:05:15 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110. Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99 --- gnu/packages/nss.scm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 7a8c6b075d..24f4b60369 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -347,7 +347,7 @@ (define-public nss-rapid (package (inherit nss) (name "nss-rapid") - (version "3.109") + (version "3.110") (source (origin (inherit (package-source nss)) (uri (let ((version-with-underscores @@ -358,11 +358,19 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw")))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) #~(modify-phases #$phases + (add-after 'unpack 'neutralize-network-test + ;; Test tries to resolve `wrong.host.badssl.com' which fails due + ;; to no networking in the build environment. + ;; Behavior changed as of 3.110. + (lambda _ + (substitute* "nss/tests/ssl/ssl.sh" + ((" ssl_policy_pkix_ocsp" all) + (string-append "#" all))))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -390,8 +398,11 @@ (define-public nss-rapid ;; leading to test failures: ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2025-03-01" "./nss/tests/all.sh")) + (invoke "faketime" "2025-03-28" "./nss/tests/all.sh")) (format #t "test suite not run~%")))))))) + (propagated-inputs + (modify-inputs (package-propagated-inputs nss) + (replace "nspr" nspr-4.36))) (synopsis "Network Security Services (Rapid Release)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to -- 2.49.0
Message #26 received at 78249 <at> debbugs.gnu.org (Wed, 07 May 2025 23:06:03 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v2 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Wed, 7 May 2025 16:05:16 -0700

Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2. * gnu/packages/patches/torbrowser-compare-paths.patch: Adjust for new version. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729 --- gnu/packages/librewolf.scm | 12 ++++++------ .../patches/torbrowser-compare-paths.patch | 17 ++++------------- 2 files changed, 10 insertions(+), 19 deletions(-) diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd1..8a8dbd05ad 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm 
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.1-2") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q" + #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/torbrowser-compare-paths.patch b/gnu/packages/patches/torbrowser-compare-paths.patch index 7d4d5fdb78..8e880bf390 100644 --- a/gnu/packages/patches/torbrowser-compare-paths.patch +++ b/gnu/packages/patches/torbrowser-compare-paths.patch @@ -5,20 +5,11 @@ name. --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs 
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs -@@ -3606,6 +3606,7 @@ +@@ -3753,6 +3753,7 @@ if ( newAddon || oldAddon.updateDate != xpiState.mtime || + oldAddon.path != xpiState.path || - (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) - ) { - newAddon = this.updateMetadata( -@@ -3614,8 +3615,6 @@ - xpiState, - newAddon - ); -- } else if (oldAddon.path != xpiState.path) { -- newAddon = this.updatePath(installLocation, oldAddon, xpiState); - } else if (aUpdateCompatibility || aSchemaChange) { - newAddon = this.updateCompatibility( - installLocation, + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing -- 2.49.0
Message #29 received at 78249 <at> debbugs.gnu.org (Wed, 14 May 2025 00:26:01 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 1/3] gnu: Add nspr-4.36.
Date: Tue, 13 May 2025 17:25:03 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable. Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985 --- gnu/packages/nss.scm | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 8bcb593ed75..7a8c6b075d7 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,6 +95,19 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define-public nspr-4.36 + (package + (inherit nspr) + (version "4.36") + (source (origin + (method url-fetch) + (uri (string-append + "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" + version "/src/nspr-" version ".tar.gz")) + (sha256 + (base32 + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))))) + (define-public nspr-4.32 (package (inherit nspr) -- 2.49.0
Message #32 received at 78249 <at> debbugs.gnu.org (Wed, 14 May 2025 00:26:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 3/3] gnu: librewolf: Update to 138.0.1-2 [security fixes].
Date: Tue, 13 May 2025 17:25:05 -0700

Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.1-2. * gnu/packages/patches/librewolf-compare-paths.patch: New file. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729 --- gnu/packages/librewolf.scm | 14 +++++++------- .../patches/librewolf-compare-paths.patch | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd15..5b3c3a4a837 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -191,7 +191,7 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n) #$output))))) (patches (search-patches - "torbrowser-compare-paths.patch" + "librewolf-compare-paths.patch" "librewolf-use-system-wide-dir.patch" "librewolf-add-store-to-rdd-allowlist.patch"))))) 
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.1-2") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "0aybkr6zan7klybc1r455lgzz524rmhzj85g6xv88vw70dibk54q" + #:librewolf-hash "0c98hjhfklfbi2biib7bk5qijp6x77hmp8ska2fy3lzi78lsz08z" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch new file mode 100644 index 00000000000..8e880bf3908 --- /dev/null +++ b/gnu/packages/patches/librewolf-compare-paths.patch @@ -0,0 +1,15 @@ +See comment in gnu/build/icecat-extension.scm. +This is only needed while icecat and torbrowser remain on +different ESR versions as the patched file has changed its +name. + +--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs ++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs +@@ -3753,6 +3753,7 @@ + if ( + newAddon || + oldAddon.updateDate != xpiState.mtime || ++ oldAddon.path != xpiState.path || + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing -- 2.49.0
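Review bot: the `@@ -191,7 +191,7 @@` hunk points `search-patches` at `librewolf-compare-paths.patch`, but the new file is not registered in `gnu/local.mk`: the diffstat lists only `gnu/packages/librewolf.scm` and the patch itself. Add it to `dist_patch_DATA` and name `gnu/local.mk` in the commit log, otherwise the patch is missing from release tarballs.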
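Review bot: the header of the new `gnu/packages/patches/librewolf-compare-paths.patch` was copied unchanged: "This is only needed while icecat and torbrowser remain on different ESR versions as the patched file has changed its name." That rationale does not describe a LibreWolf-specific copy. Reword it to say why LibreWolf carries its own version, namely that the hunk sits at `@@ -3753,6 +3753,7 @@` in its source tree.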
Message #35 received at 78249 <at> debbugs.gnu.org (Wed, 14 May 2025 00:26:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 2/3] gnu: nss-rapid: Update to 3.110.
Date: Tue, 13 May 2025 17:25:04 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110. Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99 --- gnu/packages/nss.scm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 7a8c6b075d7..24f4b603694 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -347,7 +347,7 @@ (define-public nss-rapid (package (inherit nss) (name "nss-rapid") - (version "3.109") + (version "3.110") (source (origin (inherit (package-source nss)) (uri (let ((version-with-underscores @@ -358,11 +358,19 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw")))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) #~(modify-phases #$phases + (add-after 'unpack 'neutralize-network-test + ;; Test tries to resolve `wrong.host.badssl.com' which fails due + ;; to no networking in the build environment. + ;; Behavior changed as of 3.110. + (lambda _ + (substitute* "nss/tests/ssl/ssl.sh" + ((" ssl_policy_pkix_ocsp" all) + (string-append "#" all))))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -390,8 +398,11 @@ (define-public nss-rapid ;; leading to test failures: ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2025-03-01" "./nss/tests/all.sh")) + (invoke "faketime" "2025-03-28" "./nss/tests/all.sh")) (format #t "test suite not run~%")))))))) + (propagated-inputs + (modify-inputs (package-propagated-inputs nss) + (replace "nspr" nspr-4.36))) (synopsis "Network Security Services (Rapid Release)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to -- 2.49.0
Message #38 received at 78249 <at> debbugs.gnu.org (Thu, 15 May 2025 05:12:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 1/3] gnu: Add nspr-4.36.
Date: Wed, 14 May 2025 22:11:11 -0700

* gnu/packages/nss.scm (nspr-4.36): New variable. Change-Id: I5c7c4f5f96e3b9ed763c63c9b5b5996a63d45985 --- gnu/packages/nss.scm | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 8bcb593ed75..7a8c6b075d7 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,6 +95,19 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define-public nspr-4.36 + (package + (inherit nspr) + (version "4.36") + (source (origin + (method url-fetch) + (uri (string-append + "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" + version "/src/nspr-" version ".tar.gz")) + (sha256 + (base32 + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))))) + (define-public nspr-4.32 (package (inherit nspr) -- 2.49.0
Message #41 received at 78249 <at> debbugs.gnu.org (Thu, 15 May 2025 05:12:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 2/3] gnu: nss-rapid: Update to 3.110.
Date: Wed, 14 May 2025 22:11:12 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.110. Change-Id: Ibdae3c70066a70cdde560c5d8f9bac797cd2cd99 --- gnu/packages/nss.scm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 7a8c6b075d7..24f4b603694 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -347,7 +347,7 @@ (define-public nss-rapid (package (inherit nss) (name "nss-rapid") - (version "3.109") + (version "3.110") (source (origin (inherit (package-source nss)) (uri (let ((version-with-underscores @@ -358,11 +358,19 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw")))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) #~(modify-phases #$phases + (add-after 'unpack 'neutralize-network-test + ;; Test tries to resolve `wrong.host.badssl.com' which fails due + ;; to no networking in the build environment. + ;; Behavior changed as of 3.110. + (lambda _ + (substitute* "nss/tests/ssl/ssl.sh" + ((" ssl_policy_pkix_ocsp" all) + (string-append "#" all))))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -390,8 +398,11 @@ (define-public nss-rapid ;; leading to test failures: ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2025-03-01" "./nss/tests/all.sh")) + (invoke "faketime" "2025-03-28" "./nss/tests/all.sh")) (format #t "test suite not run~%")))))))) + (propagated-inputs + (modify-inputs (package-propagated-inputs nss) + (replace "nspr" nspr-4.36))) (synopsis "Network Security Services (Rapid Release)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to -- 2.49.0
Message #44 received at 78249 <at> debbugs.gnu.org (Thu, 15 May 2025 05:12:02 GMT):
From: Ian Eure <ian <at> retrospec.tv>
To: 78249 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v4 3/3] gnu: librewolf: Update to 138.0.3-1 [security fixes].
Date: Wed, 14 May 2025 22:11:13 -0700

Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1. * gnu/packages/patches/librewolf-compare-paths.patch: New file. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729 --- gnu/packages/librewolf.scm | 14 +++++++------- .../patches/librewolf-compare-paths.patch | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd15..063a89420fe 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -191,7 +191,7 @@ (define* (make-librewolf-source #:key version firefox-hash librewolf-hash l10n) #$output))))) (patches (search-patches - "torbrowser-compare-paths.patch" + "librewolf-compare-paths.patch" "librewolf-use-system-wide-dir.patch" "librewolf-add-store-to-rdd-allowlist.patch"))))) 
@@ -207,17 +207,17 @@ (define rust-librewolf rust-1.82) ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.3-1") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2" + #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ (define (runpaths-of-input label) libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ (define (runpaths-of-input label) pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch new file mode 100644 index 00000000000..8e880bf3908 --- /dev/null +++ b/gnu/packages/patches/librewolf-compare-paths.patch @@ -0,0 +1,15 @@ +See comment in gnu/build/icecat-extension.scm. +This is only needed while icecat and torbrowser remain on +different ESR versions as the patched file has changed its +name. + +--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs ++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs +@@ -3753,6 +3753,7 @@ + if ( + newAddon || + oldAddon.updateDate != xpiState.mtime || ++ oldAddon.path != xpiState.path || + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing -- 2.49.0
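Review bot: in the `@@ -207,17 +207,17 @@` hunk, `%librewolf-build-id` is still "20250502155055", the value v3 used for 138.0.1-2, although the version is now "138.0.3-1" with new source hashes. The comment directly above says to update the id with every update and warns that it is used for cache validation; set it to the release date of 138.0.3-1.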