[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security f
|
From: |
Andrew Tropin |
|
Subject: |
[bug#73429] [PATCH 2/3] gnu: librewolf: Update to 130.0.1-1. [security fixes] |
|
Date: |
Tue, 24 Sep 2024 12:17:50 +0400 |
On 2024-09-22 13:53, Ian Eure wrote:
> This patch:
>
> - Updates LibreWolf to the latest version
> - Removes the code which disabled encoding_rs.patch from upstream. It’s no
> longer in the repo, so the code did nothing, and the underlying issue (Guix
> being stuck with an old Rust version) has been fixed.
> - Integrates changes from #72265 with some slight tweaks. This should allow
> LibreWolf to use accelerated video decoding on supported hardware.
> - Neuters the GenAI chat feature, which direcly integrates with non-free
> services, by excluding it from the build and locking the preferences which
> would enable it.
>
> Fixes:
> CVE-2024-8385: WASM type confusion involving ArrayTypes
> CVE-2024-8381: Type confusion when looking up a property name in a "with"
> block
> CVE-2024-8388: Fullscreen notice on Android could be hidden under various
> panels and OS prompts
> CVE-2024-8382: Internal event interfaces were exposed to web content when
> browser EventHandler listener callbacks ran
> CVE-2024-8383: Firefox did not ask before openings news: links in an external
> application
> CVE-2024-8384: Garbage collection could mis-color cross-compartment objects
> in OOM conditions
> CVE-2024-8386: SelectElements could be shown over another site if popups are
> allowed
> CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2,
> and Thunderbird 128.2
> CVE-2024-8389: Memory safety bugs fixed in Firefox 130
>
> * gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
>
> Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
> ---
> gnu/packages/librewolf.scm | 55 ++++++++++++++++++++------------------
> 1 file changed, 29 insertions(+), 26 deletions(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 21f73f799d..bade479656 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -117,9 +117,11 @@ (define (librewolf-source-origin version hash)
> (define computed-origin-method (@@ (guix packages) computed-origin-method))
>
> (define librewolf-source
> - (let* ((ff-src (firefox-source-origin "129.0.1"
> "0wy0fn0pavlhlkdybr59hhbn5ng0zn56mxa7gsknf8f2whiyipwx"))
> - (version "129.0.1-1")
> - (lw-src (librewolf-source-origin version
> "0pvv3v23q31hdjvqi1f3cqfyjrb8dbrrbfwxj2wacak1g0mzbxf4")))
> + (let* ((ff-src (firefox-source-origin "130.0"
> + "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"))
> + (lw-src (librewolf-source-origin
> + "130.0.1-1"
> + "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")))
>
> (origin
> (method computed-origin-method)
> @@ -164,11 +166,6 @@ (define librewolf-source
> (("^ff_source_tarball:=.*")
> (string-append "ff_source_tarball:=" #+ff-src)))
>
> - ;; Remove encoding_rs patch, it doesn't build with Rust 1.75.
> - (substitute* '("assets/patches.txt")
> - (("patches/encoding_rs.patch\\\n$")
> - ""))
> -
> ;; Stage locales.
> (begin
> (format #t "Staging locales...~%")
> @@ -215,13 +212,17 @@ (define rust-librewolf rust) ; 1.75 is the default in
> Guix, 1.65 is the minimum.
> ;; Update this id with every update to its release date.
> ;; It's used for cache validation and therefore can lead to strange bugs.
> ;; ex: date '+%Y%m%d%H%M%S'
> -(define %librewolf-build-id "20240817075827")
> +(define %librewolf-build-id "20240922110507")
>
> (define-public librewolf
> (package
> (name "librewolf")
> - (version "129.0.1-1")
> - (source librewolf-source)
> + (version "130.0.1-1")
> + (source
> + (origin
> + (inherit librewolf-source)
> + (patches
> + (search-patches "librewolf-add-paths-to-rdd-allowlist.patch"))))
It seems I was too hasty, the patch adding /gnu/store and
/run/current-system/profile/lib to whitelist is not in the guix repo
yet.
Will add it in a few minutes.
> (build-system gnu-build-system)
> (arguments
> (list
> @@ -318,6 +319,22 @@ (define (write-setting key value)
> (substitute*
> "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
> (("libavcodec\\.so")
> libavcodec)))))
> + (add-after 'unpack 'neuter-genai
> + (lambda* _
> + ;; Don't compile the code in.
> + (substitute* "browser/components/moz.build"
> + (("\"genai\",") ""))
> + ;; Lock the preferences so they can't be enabled.
> + (substitute* "lw/librewolf.cfg"
> + (("defaultPref\\(\"browser\\.ml\\.")
> + "lockPref(\"browser.ml."))
> + ;; Correct a preference typo
> + ;; see
> https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954
> + ;; Remove this in the next update.
> + (substitute* "lw/librewolf.cfg"
> + (("browser\\.ml\\.enabled")
> + "browser.ml.enable"))
> + ))
> (add-after 'patch-source-shebangs 'patch-cargo-checksums
> (lambda _
> (use-modules (guix build cargo-utils))
> @@ -575,26 +592,12 @@ (define (runpaths-of-input label)
> ;; For U2F and WebAuthn
> "eudev")))
>
> - ;; VA-API is run in the RDD (Remote Data
> Decoder) sandbox
> - ;; and must be explicitly given access to
> files it needs.
> - ;; Rather than adding the whole store (as Nix
> had
> - ;; upstream do, see
> - ;;
> <https://github.com/NixOS/nixpkgs/pull/165964> and
> - ;; linked upstream patches), we can just
> follow the
> - ;; runpaths of the needed libraries to add
> everything to
> - ;; LD_LIBRARY_PATH. These will then be
> accessible in the
> - ;; RDD sandbox.
> - (rdd-whitelist (map (cut string-append <> "/")
> - (delete-duplicates
> (append-map
> -
> runpaths-of-input
> -
> '("mesa"
> -
> "ffmpeg")))))
> (gtk-share (string-append (assoc-ref inputs
> "gtk+")
> "/share")))
> (wrap-program (car (find-files lib "^librewolf$"))
> `("LD_LIBRARY_PATH" prefix
> - (,@libs ,@rdd-whitelist))
> + ,libs)
> `("XDG_DATA_DIRS" prefix
> (,gtk-share))
> `("MOZ_LEGACY_PROFILES" =
--
Best regards,
Andrew Tropin
signature.asc
Description: PGP signature