gnu: icedove: Update to 102.10.0 [security fixes].

Fixes CVE-2023-0547 and CVE-2023-29479.

* gnu/packages/gnuzilla.scm (%icedove-version): Update to 102.10.0.
(%icedove-build-id, thunderbird-comm-l10n): Update accordingly.
(icecat-102.9.0-source): Remove.
Jonathan Brielmaier 2023-04-12 00:12:21 +02:00
parent 99c468b064
commit a741b554cb
No known key found for this signature in database
GPG key ID: ECFC83988B4E4B9F


@ -1114,178 +1114,8 @@ (define %icecat-locales
"ru" "sco" "si" "sk" "sl" "son" "sq" "sr" "sv-SE" "szl" "ta" "te" "th" "tl"
"tr" "trs" "uk" "ur" "uz" "vi" "xh" "zh-CN" "zh-TW"))
(define icecat-102.9.0-source
(let* ((base-version "102.9.0")
(version "102.9.0-guix0-preview1")
(major-version (first (string-split base-version #\.)))
(minor-version (second (string-split base-version #\.)))
(sub-version (third (string-split base-version #\.)))
(upstream-firefox-version (string-append base-version "esr"))
(upstream-firefox-source
(origin
(method url-fetch)
(uri (string-append
"https://ftp.mozilla.org/pub/firefox/releases/"
upstream-firefox-version "/source/"
"firefox-" upstream-firefox-version ".source.tar.xz"))
(sha256
(base32
"1l8xlbba8sa9dg132k96ch8mz97i5lyhpvkxi8d85jh97xi79c1i"))))
;; The upstream-icecat-base-version may be older than the
;; base-version.
(upstream-icecat-base-version base-version)
(gnuzilla-commit "f55ede39713d1533734f37e39927cbb78abe1604")
(gnuzilla-source
(origin
(method git-fetch)
(uri (git-reference
(url "git://git.savannah.gnu.org/gnuzilla.git")
(commit gnuzilla-commit)))
(file-name (git-file-name "gnuzilla"
;;upstream-icecat-base-version
(string-take gnuzilla-commit 8)))
(sha256
(base32
"0z15h3lxfn9pmj5bj62qim3h320dcd2v69xrg1phb7lh5gq0bylf"))))
;; 'search-patch' returns either a valid file name or #f, so wrap it
;; in 'assume-valid-file-name' to avoid 'local-file' warnings.
(makeicecat-patch
(local-file (assume-valid-file-name
(search-patch "icecat-makeicecat.patch")))))
(origin
(method computed-origin-method)
(file-name (string-append "icecat-" version ".tar.xz"))
(sha256 #f)
(uri
(delay
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(let ((firefox-dir
(string-append "firefox-" #$base-version))
(icecat-dir
(string-append "icecat-" #$version)))
(set-path-environment-variable
"PATH" '("bin")
(list #+python
#+(canonical-package bash)
#+(canonical-package coreutils)
#+(canonical-package findutils)
#+(canonical-package patch)
#+(canonical-package xz)
#+(canonical-package sed)
#+(canonical-package grep)
#+(canonical-package bzip2)
#+(canonical-package gzip)
#+(canonical-package tar)))
(set-path-environment-variable
"PYTHONPATH"
(list #+(format #f "lib/python~a/site-packages"
(version-major+minor
(package-version python))))
'#+(cons python-jsonschema
(map second
(package-transitive-propagated-inputs
python-jsonschema))))
;; Needed by the 'makeicecat' script.
(setenv "RENAME_CMD" "rename")
;; We copy the gnuzilla source directory because it is
;; read-only in 'gnuzilla-source', and the makeicecat script
;; uses "cp -a" to copy parts of it and assumes that the
;; copies will be writable.
(copy-recursively #+gnuzilla-source "/tmp/gnuzilla"
#:log (%make-void-port "w"))
(with-directory-excursion "/tmp/gnuzilla"
(make-file-writable "makeicecat")
(invoke "patch" "--force" "--no-backup-if-mismatch"
"-p1" "--input" #+makeicecat-patch)
(patch-shebang "makeicecat")
(substitute* "makeicecat"
(("^readonly FFMAJOR=(.*)" all ffmajor)
(unless (string=? #$major-version
(string-trim-both ffmajor))
;; The makeicecat script cannot be expected to work
;; properly on a different version of Firefox, even if
;; no errors occur during execution.
(error "makeicecat major version mismatch"))
(string-append "readonly FFMAJOR=" #$major-version "\n"))
(("^readonly FFMINOR=.*")
(string-append "readonly FFMINOR=" #$minor-version "\n"))
(("^readonly FFSUB=.*")
(string-append "readonly FFSUB=" #$sub-version "\n"))
(("^readonly DATADIR=.*")
"readonly DATADIR=/tmp/gnuzilla/data\n")
(("^readonly SOURCEDIR=.*")
(string-append "readonly SOURCEDIR=" icecat-dir "\n"))
(("/bin/sed")
#+(file-append (canonical-package sed) "/bin/sed"))))
(format #t "Unpacking upstream firefox tarball...~%")
(force-output)
(invoke "tar" "xf" #+upstream-firefox-source)
(rename-file firefox-dir icecat-dir)
(with-directory-excursion icecat-dir
(format #t "Populating l10n directory...~%")
(force-output)
(mkdir "l10n")
(with-directory-excursion "l10n"
(for-each
(lambda (locale-dir)
(let ((locale
(string-drop (basename locale-dir)
(+ 32 ; length of hash
(string-length "-mozilla-locale-")))))
(format #t " ~a~%" locale)
(force-output)
(copy-recursively locale-dir locale
#:log (%make-void-port "w"))
(for-each make-file-writable (find-files locale))
(with-directory-excursion locale
(when (file-exists? ".hgtags")
(delete-file ".hgtags"))
(mkdir-p "browser/chrome/browser/preferences")
(call-with-output-file
"browser/chrome/browser/preferences/advanced-scripts.dtd"
(lambda (port) #f)))))
'#+all-mozilla-locales)
(copy-recursively #+mozilla-compare-locales
"compare-locales"
#:log (%make-void-port "w"))
(delete-file "compare-locales/.gitignore")
(delete-file "compare-locales/.hgignore")
(delete-file "compare-locales/.hgtags")))
(format #t "Running makeicecat script...~%")
(force-output)
(invoke "bash" "/tmp/gnuzilla/makeicecat")
(format #t "Packing IceCat source tarball...~%")
(force-output)
(setenv "XZ_DEFAULTS" (string-join (%xz-parallel-args)))
(invoke "tar" "cfa" #$output
;; Avoid non-determinism in the archive. We set the
;; mtime of files in the archive to early 1980 because
;; the build process fails if the mtime of source
;; files is pre-1980, due to the creation of zip
;; archives.
"--mtime=@315619200" ; 1980-01-02 UTC
"--owner=root:0"
"--group=root:0"
"--sort=name"
icecat-dir)))))))))
(define %icedove-build-id "20230328000000") ;must be of the form YYYYMMDDhhmmss
(define %icedove-version "102.9.1")
(define %icedove-build-id "20230411000000") ;must be of the form YYYYMMDDhhmmss
(define %icedove-version "102.10.0")
;; Provides the "comm" folder which is inserted into the icecat source.
;; Avoids the duplication of Icecat's source tarball.
@ -1294,11 +1124,11 @@ (define thunderbird-comm-source
(method hg-fetch)
(uri (hg-reference
(url "https://hg.mozilla.org/releases/comm-esr102")
(changeset "a8965ef0b30705f497df3df718db60d9dc2c304f")))
(changeset "d8df3bebc4b529388b62b9cb4df152f13910fbe3")))
(file-name (string-append "thunderbird-" %icedove-version "-checkout"))
(sha256
(base32
"14lj30a9hmiwxpriyfls245y1wj2j3hfwrsbf7s5d9ligjqldjag"))))
"1m46nxnq4jpp4p6qqw68pphhccxlz4zzbyyb8iq26zvp42x7ic8f"))))
(define (comm-source->locales+changeset source)
"Given SOURCE, a checkout of the Thunderbird 'comm' component, return the
@ -1359,7 +1189,7 @@ (define icedove-source
;; Extract the base Icecat tarball, renaming its top-level
;; directory.
(invoke "tar" "--transform" (string-append "s,[^/]*," #$name ",")
"-xf" #$icecat-102.9.0-source)
"-xf" #$icecat-source)
(chdir #$name)
;; Merge the Thunderdbird localization data.