gnu: librewolf: Update to 130.0.1-1. [security fixes]
This patch: - Updates LibreWolf to the latest version - Removes the code which disabled encoding_rs.patch from upstream. It’s no longer in the repo, so the code did nothing, and the underlying issue (Guix being stuck with an old Rust version) has been fixed. - Integrates changes from #72265 with some slight tweaks. This should allow LibreWolf to use accelerated video decoding on supported hardware. - Neuters the GenAI chat feature, which directly integrates with non-free services, by excluding it from the build and locking the preferences which would enable it. Fixes: CVE-2024-8385: WASM type confusion involving ArrayTypes CVE-2024-8381: Type confusion when looking up a property name in a "with" block CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran CVE-2024-8383: Firefox did not ask before openings news: links in an external application CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions CVE-2024-8386: SelectElements could be shown over another site if popups are allowed CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2 CVE-2024-8389: Memory safety bugs fixed in Firefox 130 * gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1. Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a Signed-off-by: Andrew Tropin <andrew@trop.in>
This commit is contained in:
parent
35c5a07593
commit
aa250f071a
1 changed files with 29 additions and 26 deletions
|
@ -117,9 +117,11 @@ (define (librewolf-source-origin version hash)
|
|||
(define computed-origin-method (@@ (guix packages) computed-origin-method))
|
||||
|
||||
(define librewolf-source
|
||||
(let* ((ff-src (firefox-source-origin "129.0.1" "0wy0fn0pavlhlkdybr59hhbn5ng0zn56mxa7gsknf8f2whiyipwx"))
|
||||
(version "129.0.1-1")
|
||||
(lw-src (librewolf-source-origin version "0pvv3v23q31hdjvqi1f3cqfyjrb8dbrrbfwxj2wacak1g0mzbxf4")))
|
||||
(let* ((ff-src (firefox-source-origin "130.0"
|
||||
"0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2"))
|
||||
(lw-src (librewolf-source-origin
|
||||
"130.0.1-1"
|
||||
"0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")))
|
||||
|
||||
(origin
|
||||
(method computed-origin-method)
|
||||
|
@ -164,11 +166,6 @@ (define librewolf-source
|
|||
(("^ff_source_tarball:=.*")
|
||||
(string-append "ff_source_tarball:=" #+ff-src)))
|
||||
|
||||
;; Remove encoding_rs patch, it doesn't build with Rust 1.75.
|
||||
(substitute* '("assets/patches.txt")
|
||||
(("patches/encoding_rs.patch\\\n$")
|
||||
""))
|
||||
|
||||
;; Stage locales.
|
||||
(begin
|
||||
(format #t "Staging locales...~%")
|
||||
|
@ -215,13 +212,17 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum.
|
|||
;; Update this id with every update to its release date.
|
||||
;; It's used for cache validation and therefore can lead to strange bugs.
|
||||
;; ex: date '+%Y%m%d%H%M%S'
|
||||
(define %librewolf-build-id "20240817075827")
|
||||
(define %librewolf-build-id "20240922110507")
|
||||
|
||||
(define-public librewolf
|
||||
(package
|
||||
(name "librewolf")
|
||||
(version "129.0.1-1")
|
||||
(source librewolf-source)
|
||||
(version "130.0.1-1")
|
||||
(source
|
||||
(origin
|
||||
(inherit librewolf-source)
|
||||
(patches
|
||||
(search-patches "librewolf-add-paths-to-rdd-allowlist.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
(list
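Review bot: `(search-patches "librewolf-add-paths-to-rdd-allowlist.patch")` on the new source origin names a patch file that this commit does not add — the diffstat shows only gnu/packages/librewolf.scm changed — so unless that patch already exists under gnu/packages/patches and is registered in gnu/local.mk, evaluating the package will fail at search-patches; if it was merged separately from #72265, a sentence saying so in the commit message would help. Since the patch, judging by its name and by the rationale comment removed in the last hunk, widens the file allowlist of the RDD (Remote Data Decoder) sandbox, the review should confirm it grants only the specific store items the decoder needs rather than a broad prefix. The version string "130.0.1-1" now appears both here and inside librewolf-source in the first hunk; a single `%librewolf-version` binding used in both places would keep them from drifting apart. The enclosing (package ...) form continues outside the hunk.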
|
||||
|
@ -318,6 +319,22 @@ (define (write-setting key value)
|
|||
(substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
|
||||
(("libavcodec\\.so")
|
||||
libavcodec)))))
|
||||
(add-after 'unpack 'neuter-genai
|
||||
(lambda* _
|
||||
;; Don't compile the code in.
|
||||
(substitute* "browser/components/moz.build"
|
||||
(("\"genai\",") ""))
|
||||
;; Lock the preferences so they can't be enabled.
|
||||
(substitute* "lw/librewolf.cfg"
|
||||
(("defaultPref\\(\"browser\\.ml\\.")
|
||||
"lockPref(\"browser.ml."))
|
||||
;; Correct a preference typo
|
||||
;; see https://codeberg.org/librewolf/issues/issues/1919#issuecomment-2325954
|
||||
;; Remove this in the next update.
|
||||
(substitute* "lw/librewolf.cfg"
|
||||
(("browser\\.ml\\.enabled")
|
||||
"browser.ml.enable"))
|
||||
))
|
||||
(add-after 'patch-source-shebangs 'patch-cargo-checksums
|
||||
(lambda _
|
||||
(use-modules (guix build cargo-utils))
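Review bot: Both `substitute*` calls in the new neuter-genai phase silently do nothing when their pattern is absent, so if a later Firefox release renames the "genai" entry in browser/components/moz.build or LibreWolf changes its ML preference names, the component would be compiled back in with the prefs unlocked and no build failure; consider making the phase fail when "genai" is still present in moz.build afterwards, and likewise when no `defaultPref("browser.ml.` line was rewritten. The lockPref rewrite only covers `browser.ml.*` entries that lw/librewolf.cfg already lists, so any ML preference the cfg does not mention stays unlocked — worth stating in the comment, e.g. `;; Only prefs already present in librewolf.cfg are locked.`. Style: `(lambda* _` gains nothing over the `(lambda _` used by the sibling patch-cargo-checksums phase below, the two substitute* calls on lw/librewolf.cfg could be one call with two clauses, and the closing `))` on a line of its own departs from the file's convention of closing parens on the last expression. The "Remove this in the next update" note on the typo fix is good; tying it to the 130.0.1-1 version in the comment would make it easier to spot when it is stale.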
|
||||
|
@ -575,26 +592,12 @@ (define (runpaths-of-input label)
|
|||
;; For U2F and WebAuthn
|
||||
"eudev")))
|
||||
|
||||
;; VA-API is run in the RDD (Remote Data Decoder) sandbox
|
||||
;; and must be explicitly given access to files it needs.
|
||||
;; Rather than adding the whole store (as Nix had
|
||||
;; upstream do, see
|
||||
;; <https://github.com/NixOS/nixpkgs/pull/165964> and
|
||||
;; linked upstream patches), we can just follow the
|
||||
;; runpaths of the needed libraries to add everything to
|
||||
;; LD_LIBRARY_PATH. These will then be accessible in the
|
||||
;; RDD sandbox.
|
||||
(rdd-whitelist (map (cut string-append <> "/")
|
||||
(delete-duplicates (append-map
|
||||
runpaths-of-input
|
||||
'("mesa"
|
||||
"ffmpeg")))))
|
||||
(gtk-share (string-append (assoc-ref inputs
|
||||
"gtk+")
|
||||
"/share")))
|
||||
(wrap-program (car (find-files lib "^librewolf$"))
|
||||
`("LD_LIBRARY_PATH" prefix
|
||||
(,@libs ,@rdd-whitelist))
|
||||
,libs)
|
||||
`("XDG_DATA_DIRS" prefix
|
||||
(,gtk-share))
|
||||
`("MOZ_LEGACY_PROFILES" =
|
||||
|
|