diff options
| author | Ian Eure <ian@retrospec.tv> | 2024-09-23 07:47:05 -0700 |
|---|---|---|
| committer | Andrew Tropin <andrew@trop.in> | 2024-09-24 11:03:22 +0400 |
| commit | aa250f071a89a7a06bbb453325240a9d4a59c2a9 (patch) | |
| tree | 830317f5833271ad778b97680f30dfc72e03213d | |
| parent | 35c5a0759355cea007c55594d0575796390c39bb (diff) | |
| download | guix-patches-aa250f071a89a7a06bbb453325240a9d4a59c2a9.tar guix-patches-aa250f071a89a7a06bbb453325240a9d4a59c2a9.tar.gz | |
gnu: librewolf: Update to 130.0.1-1. [security fixes]
This patch:
- Updates LibreWolf to the latest version
- Removes the code which disabled encoding_rs.patch from upstream. It’s no
longer in the repo, so the code did nothing, and the underlying issue (Guix
being stuck with an old Rust version) has been fixed.
- Integrates changes from #72265 with some slight tweaks. This should allow
LibreWolf to use accelerated video decoding on supported hardware.
- Neuters the GenAI chat feature, which direcly integrates with non-free
services, by excluding it from the build and locking the preferences which
would enable it.
Fixes:
CVE-2024-8385: WASM type confusion involving ArrayTypes
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
CVE-2024-8383: Firefox did not ask before openings news: links in an external application
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
* gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
Signed-off-by: Andrew Tropin <andrew@trop.in>
| -rw-r--r-- | gnu/packages/librewolf.scm | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index 21f73f799d..bade479656 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -117,9 +117,11 @@ (define computed-origin-method (@@ (guix packages) computed-origin-method)) (define librewolf-source - (let* ((ff-src (firefox-source-origin "129.0.1" "0wy0fn0pavlhlkdybr59hhbn5ng0zn56mxa7gsknf8f2whiyipwx")) - (version "129.0.1-1") - (lw-src (librewolf-source-origin version "0pvv3v23q31hdjvqi1f3cqfyjrb8dbrrbfwxj2wacak1g0mzbxf4"))) + (let* ((ff-src (firefox-source-origin "130.0" + "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2")) + (lw-src (librewolf-source-origin + "130.0.1-1" + "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd"))) (origin (method computed-origin-method) @@ -164,11 +166,6 @@ (("^ff_source_tarball:=.*") (string-append "ff_source_tarball:=" #+ff-src))) - ;; Remove encoding_rs patch, it doesn't build with Rust 1.75. - (substitute* '("assets/patches.txt") - (("patches/encoding_rs.patch\\\n$") - "")) - ;; Stage locales. (begin (format #t "Staging locales...~%") @@ -215,13 +212,17 @@ ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20240817075827") +(define %librewolf-build-id "20240922110507") (define-public librewolf (package (name "librewolf") - (version "129.0.1-1") - (source librewolf-source) + (version "130.0.1-1") + (source + (origin + (inherit librewolf-source) + (patches + (search-patches "librewolf-add-paths-to-rdd-allowlist.patch")))) (build-system gnu-build-system) (arguments (list @@ -318,6 +319,22 @@ (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp" (("libavcodec\\.so") libavcodec))))) + (add-after 'unpack 'neuter-genai + (lambda* _ + ;; Don't compile the code in. + (substitute* "browser/components/moz.build" + (("\"genai\",") "")) + ;; Lock the preferences so they can't be enabled. + (substitute* "lw/librewolf.cfg" + (("defaultPref\\(\"browser\\.ml\\.") + "lockPref(\"browser.ml.")) + ;; Correct a preference typo + ;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954 + ;; Remove this in the next update. + (substitute* "lw/librewolf.cfg" + (("browser\\.ml\\.enabled") + "browser.ml.enable")) + )) (add-after 'patch-source-shebangs 'patch-cargo-checksums (lambda _ (use-modules (guix build cargo-utils)) @@ -575,26 +592,12 @@ ;; For U2F and WebAuthn "eudev"))) - ;; VA-API is run in the RDD (Remote Data Decoder) sandbox - ;; and must be explicitly given access to files it needs. - ;; Rather than adding the whole store (as Nix had - ;; upstream do, see - ;; <https://github.com/NixOS/nixpkgs/pull/165964> and - ;; linked upstream patches), we can just follow the - ;; runpaths of the needed libraries to add everything to - ;; LD_LIBRARY_PATH. These will then be accessible in the - ;; RDD sandbox. - (rdd-whitelist (map (cut string-append <> "/") - (delete-duplicates (append-map - runpaths-of-input - '("mesa" - "ffmpeg"))))) (gtk-share (string-append (assoc-ref inputs "gtk+") "/share"))) (wrap-program (car (find-files lib "^librewolf$")) `("LD_LIBRARY_PATH" prefix - (,@libs ,@rdd-whitelist)) + ,libs) `("XDG_DATA_DIRS" prefix (,gtk-share)) `("MOZ_LEGACY_PROFILES" = |