From f718e0e5e0c137ca5441de13ea56866d045c983e Mon Sep 17 00:00:00 2001 From: Ian Eure Date: Thu, 15 May 2025 07:16:00 -0700 Subject: [PATCH] gnu: librewolf: Update to 138.0.3-1 [security fixes]. Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1. * gnu/packages/patches/librewolf-compare-paths.patch: New file. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729 --- gnu/packages/librewolf.scm | 14 +++++++------- .../patches/librewolf-compare-paths.patch | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 gnu/packages/patches/librewolf-compare-paths.patch diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index bcacbf8dd1..063a89420f 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -191,7 +191,7 @@ #$output))))) (patches (search-patches - "torbrowser-compare-paths.patch" + "librewolf-compare-paths.patch" "librewolf-use-system-wide-dir.patch" "librewolf-add-store-to-rdd-allowlist.patch"))))) @@ -207,17 +207,17 @@ ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20250416062358") +(define %librewolf-build-id "20250502155055") (define-public librewolf (package (name "librewolf") - (version "137.0.2-1") + (version "138.0.3-1") (source (make-librewolf-source #:version version - #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06" - #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix" + #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2" + #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c" #:l10n firefox-l10n)) (build-system gnu-build-system) (arguments @@ -639,7 +639,7 @@ libxt mesa mit-krb5 - nspr + nspr-4.36 nss-rapid pango pciutils @@ -665,7 +665,7 @@ pkg-config python rust-librewolf - rust-cbindgen-0.26 + rust-cbindgen-0.28 which yasm)) (native-search-paths diff --git a/gnu/packages/patches/librewolf-compare-paths.patch b/gnu/packages/patches/librewolf-compare-paths.patch new file mode 100644 index 0000000000..8e880bf390 --- /dev/null +++ b/gnu/packages/patches/librewolf-compare-paths.patch @@ -0,0 +1,15 @@ +See comment in gnu/build/icecat-extension.scm. +This is only needed while icecat and torbrowser remain on +different ESR versions as the patched file has changed its +name. + +--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs ++++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs +@@ -3753,6 +3753,7 @@ + if ( + newAddon || + oldAddon.updateDate != xpiState.mtime || ++ oldAddon.path != xpiState.path || + (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) || + // update addon metadata if the addon in bundled into + // the omni jar and version or the resource URI pointing