Contains fixes for:
CVE-2026-6746: Use-after-free in the DOM: Core & HTML component
CVE-2026-6747: Use-after-free in the WebRTC component
CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs
component
CVE-2026-6749: Information disclosure due to uninitialized memory in
the Graphics: Canvas2D component
CVE-2026-6750: Privilege escalation in the Graphics: WebRender
component
CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs
component
CVE-2026-6752: Incorrect boundary conditions in the WebRTC component
CVE-2026-6753: Incorrect boundary conditions in the WebRTC component
CVE-2026-6754: Use-after-free in the JavaScript Engine component
CVE-2026-6755: Mitigation bypass in the DOM: postMessage component
CVE-2026-6756: Mitigation bypass in Firefox for Android
CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly
component
CVE-2026-6758: Use-after-free in the JavaScript: WebAssembly component
CVE-2026-6759: Use-after-free in the Widget: Cocoa component
CVE-2026-6760: Mitigation bypass in the Networking: Cookies component
CVE-2026-6761: Privilege escalation in the Networking component
CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component
CVE-2026-6763: Mitigation bypass in the File Handling component
CVE-2026-6764: Incorrect boundary conditions in the DOM: Device
Interfaces component
CVE-2026-6765: Information disclosure in the Form Autofill component
CVE-2026-6766: Incorrect boundary conditions in the Libraries
component in NSS
CVE-2026-6767: Other issue in the Libraries component in NSS
CVE-2026-6768: Mitigation bypass in the Networking: Cookies component
CVE-2026-6769: Privilege escalation in the Debugger component
CVE-2026-6770: Other issue in the Storage: IndexedDB component
CVE-2026-6771: Mitigation bypass in the DOM: Security component
CVE-2026-6772: Incorrect boundary conditions in the Libraries
component in NSS
CVE-2026-6773: Denial-of-service due to integer overflow in the
Graphics: WebGPU component
CVE-2026-6774: Mitigation bypass in the DOM: Security component
CVE-2026-6775: Incorrect boundary conditions in the WebRTC component
CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking
component
CVE-2026-6777: Other issue in the Networking: DNS component
CVE-2026-6778: Invalid pointer in the Audio/Video: Playback component
CVE-2026-6779: Other issue in the JavaScript Engine component
CVE-2026-6780: Denial-of-service in the Audio/Video: Playback
component
CVE-2026-6781: Denial-of-service in the Audio/Video: Playback
component
CVE-2026-6782: Information disclosure in the IP Protection component
CVE-2026-6783: Incorrect boundary conditions, integer overflow in the
Audio/Video: Playback component
CVE-2026-6784: Memory safety bugs fixed in Firefox 150 and Thunderbird
150
CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox
ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and
Thunderbird 150
CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10,
Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
* gnu/packages/patches/librewolf-150.0-encoding_rs-rust-fix.patch: New file.
* gnu/local.mk: Add new patch to dist_patch_DATA.
* gnu/packages/librewolf.scm (make-librewolf-source): Apply new patch.
* gnu/packages/librewolf.scm (librewolf): Update to 150.0-1.
[arguments #:phases use-mozzarella]: Update Mozzarella URLs. Fixes#1923.
Change-Id: I7696abc0ac44d689190d9ef1e12704905c11d431
* gnu/packages/codex.scm (codex): Update to 0.120.0.
[source]: Adjust patches.
[arguments]: Adjust cargo-install-paths, cargo-test-flags, and
cargo-package-crates.
[arguments]<#:phases>{patch-git-deps-to-vendor,patch-hardcoded-paths,
set-bubblewrap-source,create-node-version-file,set-home}: Adjust for
the new workspace and test environment.
[native-inputs]: Add bubblewrap, bubblewrap-source, lsof,
nss-certs-for-test, and procps.
[inputs]: Add libcap, oniguruma, and zlib.
[description]: Mention that codex-code-mode's V8 Javascript executor is
disabled.
(codex-acp): Update to 0.11.1.
[source]: Adjust patches and source hash.
[arguments]<#:phases>{patch-codex-deps}: Rewrite the codex dependency
for rust-v0.117.0, disable codex-code-mode's V8 runtime, and set
CODEX_BWRAP_SOURCE_DIR.
[arguments]<#:phases>{set-home}: Set HOME and USER.
[arguments]<#:phases>{create-node-version-file}: Create node-version.txt.
[native-inputs]: Add cmake-minimal, clang, and bubblewrap-source.
[inputs]: Add libcap and zlib.
* gnu/packages/rust-sources.scm (rust-deunicode-1.6.2.cfb8552): New
variable.
(rust-codex-0.117.0, rust-codex-0.120.0): New variables.
* gnu/packages/rust-crates.scm (rust-deunicode-1.6.2,
rust-deunicode-1.6.2.cfb8552): Define aliases for the new workspace
package.
(lookup-cargo-inputs): Update entries for codex, codex-acp, and
rust-codex-0.0.0.785c0c43. Add rust-deunicode-1.6.2.cfb8552.
* gnu/packages/patches/codex-acp-0.11.1-disable-code-mode.patch,
gnu/packages/patches/codex-acp-0.11.1-remove-patch-sections.patch,
gnu/packages/patches/rust-codex-0.117.0-core-remove-self-dep.patch,
gnu/packages/patches/rust-codex-0.117.0-remove-patch-sections.patch,
gnu/packages/patches/rust-codex-0.120.0-connectors-cache-test-race.patch,
gnu/packages/patches/rust-codex-0.120.0-core-remove-self-dep.patch,
gnu/packages/patches/rust-codex-0.120.0-remove-libwebrtc.patch,
gnu/packages/patches/rust-codex-0.120.0-test-timeout.patch: New files.
* gnu/packages/patches/codex-acp-0.9.2-remove-patch-sections.patch,
gnu/packages/patches/codex-acp-0.9.2-replace-result-flatten.patch:
Delete files.
* gnu/local.mk (dist_patch_DATA): Register the new patches.
Change-Id: I280a752507f40e525243dcb869c264da96605bd7
An API breakage occurred some place between 8.x and 9.x series of kmscon.
Because of it, our custom patch kmscon-8-runtime-keymap-switch.patch (needed
by Guix System installer) no longer applies cleanly. Until a new patch is
developed, let's recover the older package and keep it side-by-side in Guix.
* gnu/packages/terminals.scm (kmscon-8): New variable.
Document its dependency with Guix System installer.
* gnu/packages/patches/kmscon-runtime-keymap-switch.patch: Rename to...
* gnu/packages/patches/kmscon-8-runtime-keymap-switch.patch: ...this file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
Change-Id: I88cb9ea39b3801ea96dd663e2995597c060f41db
Signed-off-by: Hilton Chain <hako@ultrarare.space>
Fixes various CVEs, too many to list.
* gnu/packages/chromium.scm (%preserved-third-party-files): Add
base/third_party/nspr,
buildtools/third_party/libc++,
buildtools/third_party/libc++abi,
third_party/catapult/third_party/beautifulsoup4-4.9.3,
third_party/catapult/third_party/html5lib-1.1,
third_party/catapult/third_party/typ,
third_party/dawn/third_party/renderdoc,
third_party/dawn/third_party/webgpu-headers,
third_party/devscripts,
third_party/devtools-frontend/src/front_end/third_party/csp_evaluator,
third_party/devtools-frontend/src/front_end/third_party/legacy-javascript,
third_party/devtools-frontend/src/front_end/third_party/source-map-scopes-codec,
third_party/federated_compute/chromium/fcp/confidentialcompute,
third_party/freetype,
third_party/fxdiv,
third_party/hyphenation-patterns,
third_party/icu,
third_party/libc++,
third_party/libpfm4,
third_party/libpng,
third_party/libx11,
third_party/libxcb-keysyms,
third_party/llvm-libc,
third_party/neon_2_sse,
third_party/opus,
third_party/pdfium/third_party/lcms,
third_party/pdfium/third_party/libopenjpeg,
third_party/perfetto/protos/third_party/pprof,
third_party/perfetto/protos/third_party/primes,
third_party/perfetto/protos/third_party/simpleperf,
third_party/pyyaml,
third_party/sentencepiece,
third_party/sentencepiece/src/third_party/darts_clone,
third_party/six and
third_party/skia/include/third_party/vulkan.
Remove:
net/third_party/nss,
third_party/compiler-rt/src/lib,
third_party/libaom/source/libaom/third_party/SVT-AV1,
third_party/skia/third_party/vulkanmemoryallocator and
third_party/webrtc/rtc_base/third_party/sigslot.
(%chromium-version): Update to 147.0.7727.55.
(%ungoogled-origin, %debian-origin): Update hashes.
(%debian-patches): Add debianization/safe-libcxx.patch,
disable/enterprise-tests.patch,
disable/rustc-allow-features.patch,
fixes/bytemuck.patch,
fixes/libpng-testonly.patch,
llvm-19/clang19.patch (move from bookwork),
llvm-19/clone-traits.patch,
llvm-19/keyfactory.patch,
llvm-19/value-or.patch,
llvm-22/ignore-for-ubsan.patch,
trixie/cookie-string-view.patch and
trixie/nodejs-main.patch.
Remove trixie/rust-no-alloc-shim.patch.
(%guix-patches): Add ungoogled-chromium-custom-compiler.patch and
ungoogled-chromium-empty-parsed-rustc-args.patch. Remove
ungoogled-chromium-unbundle-icu-target.patch which was merged upstream.
(ungoogled-chromium-snippet): Remove icu from replace_gn_files args. Our
icu does not have ucmndata.h, umapfile.h and putilimp.h which are required
to build now.
(ungoogled-chromium) [arguments] <#:configure-flags>: Add is_component_build,
webnn_use_tflite, fatal_linker_warnings, enable_perfetto_unittests,
skia_enable_skshapper_tests, tint_build_unittests, enable_nocompile_tests,
enable_screen_ai_browsertests flags and set them to false. Set
use_system_icu to false. Remove enable_glic, enable_js_type_check and
removed_rust_stdlib_libs. The first two were removed and the last one is
not necessary any longer. Add blink_symbol_level and v8_symbol_level and
set them to zero.
[arguments] <#:phases> {patch-stuff}: Remove compiler substitution which
is not needed anymore. Adjust rustfmt_path to guix.
{include-pthreadpool}: New phase.
{adjust-CPLUS_INCLUDE_PATH}: Help clang find gcc's bits/c++config.h.
[inputs]: icu-77 is required now, even though we're not using it this time.
* gnu/packages/patches/ungoogled-chromium-custom-compiler.patch: Add it.
* gnu/packages/patches/ungoogled-chromium-empty-parsed-rustc-args.patch: Same.
* gnu/packages/patches/ungoogled-chromium-unbundle-icu-target.patch: Remove it.
* gnu/local.mk: (Un)register the above patches.
Change-Id: I597b69b15368e9b410fa3d29342700d9ea0b0d82
Signed-off-by: Andreas Enge <andreas@enge.fr>
Neovim 0.12.0 changed the error message for invalid cursor positions
from "Cursor position outside buffer" to "Invalid cursor line: out of
range", causing test_command_error to fail.
This applies the upstream patch temporarily until a new pynvim release
is created.
Merges guix/guix!7755
* gnu/packages/patches/python-pynvim-fix-test-command-error.patch: New
patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/vim.scm (python-pynvim)[source]: Use it.
Change-Id: Ibff0545a60948c946c420fe7118a37d161d93a30
Signed-off-by: Cayetano Santos <csantosb@inventati.org>
All these packages are being maintained by Coreboot and they are also
present in the Coreboot source code.
Merge guix/guix!7065
* gnu/packages/flashing-tools.scm (bincfg, ifdtool, intelmetool):
Move from here ...
* gnu/packages/coreboot.scm: ... to here.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* po/packages/POTFILES.in: Add it.
Change-Id: I6d802042670fda52adeb85d9e3a4b3f3a23dcb66
Signed-off-by: Cayetano Santos <csantosb@inventati.org>
This is a follow up to 0b8e838208.
* gnu/local.mk: Add gnu/services/configuration/environmen-variables.scm
and gnu/services/configuration/utils.scm
Change-Id: I0abdbc6e579f681001c60d85a8f2a23ca12f3c6c
While at it, also depend on tree-sitters that are builtin into neovim.
Fixes#2269
* packages/patches/neovim-tree-sitter-grammar-path.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/vim.scm (neovim): Support TREE_SITTER_GRAMMAR_PATH.
[source] <patches>: Add patch.
[native-search-paths]: Add TREE_SITTER_GRAMMAR_PATH.
[propagated-inputs]: Add strictly required tree-sitter parsers.
* gnu/packages/patches/cvc5-reproducible-build.patch: New patch.
* gnu/local.mk (dist_patch_DATA) Register it.
* gnu/packages/maths.scm (cvc5)[patches]: Use it.
Change-Id: I03e1b12a1fdaa37c327860c7890ab0f1389f8f87
* gnu/packages/patches/ldc-i686-int128-alignment.patch: New patches.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/dlang.scm (ldc-bootstrap)[patches]: Use it.
Change-Id: I21671c2a54634c284d8832f0627fe28494e1b0b8
Signed-off-by: Liliana Marie Prikler <liliana.prikler@gmail.com>
* gnu/packages/patches/tao-synth-include-string-you-use.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it here.
* gnu/packages/audio.scm (tao-synth)[patches]: Use it here.
[native-inputs]: Drop gcc-7.
Fixes: guix/guix#6849 (tao-synth fails to build)
* gnu/packages/base.scm (%glibc-patches): Merge with patches from glibc/hurd.
(glibc/hurd): Set to glibc.
* gnu/local.mk (dist_patch_DATA): Remove a patch.
Change-Id: I68d9d58a9974368b85d05eb1a30bf812524d5af4
* gnu/packages/patches/ppsspp-disable-upgrade-and-gold.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it here.
* gnu/packages/emulators.scm (aemu-postoffice-source, libchdr-source)
(rcheevos-source): New variables.
(ppsspp): New variable.
Much of the modern Linux video stack depends on using kernel modesetting (KMS)
drivers. Because of this, not much effort has been put into the legacy stuff,
which have grown less supported and more buggy. Unfortunately, the
modesetting Xorg driver didn’t initially have support for tear-free
video (which most legacy drivers did), requiring additional software -- a
compositor -- to fix this. Sadly, there’s no good option for a compositor --
they all require hardware-specific tweaking and tuning, and tend to be quite
buggy.
Support for a "TearFree" option merged in 2022[1], but there hasn’t been an
Xorg release since it was merged.
This PR applies the patch from that MR to the last release. It required a
one-character edit to apply cleanly, necesitating inclusion in the Guix repo.
I tested this on bare metal and it appears to work well.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1006
* gnu/local.mk (dist_patch_DATA): Add patch.
* gnu/packages/patches/xorg-server-tearfree-modesetting.patch: New file.
* gnu/packages/xorg.scm (xorg-server): Apply modesetting tearfree patch.
Change-Id: I60a705b35cb51bfd7de79aba406bc4b7b3934e48
Based on earlier work by AMD in <https://gitlab.inria.fr/guix-hpc/guix-hpc>.
* gnu/packages/rocm-apps.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* gnu/packages/patches/rochpl-supported-distros.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Merges guix/guix!7251
Change-Id: I1542a423faa854f5dfcb8965c4ffa3ab1e17098d
Signed-off-by: Cayetano Santos <csantosb@inventati.org>
* gnu/packages/patches/lufa-fix-incompatible-cast.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/avr-xyz.scm (lufa)[source]: Use it.
Ricardo Wurmus