gnu: icecat: Update to 140.3.0-gnu1 [security fixes].

For Firefox/IceCat, this fixes at least CVE-2025-6427, CVE-2025-6428, CVE-2025-6431, CVE-2025-6432, CVE-2025-6433, CVE-2025-6434, CVE-2025-6435 and CVE-2025-6436. For Thunderbird/Icedove, this fixes too many CVEs to be named here. Consult <https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird> to read the details. * gnu/packages/image.scm (libpng-apng-for-librewolf): Rename to... (libpng-apng-next): ... this. * gnu/packages/librewolf.scm (librewolf) [inputs]: Adjust accordingly. * gnu/packages/gnuzilla.scm (icecat-minimal): Update to 140.3.0. [#:configure-flags]: Add --disable-fhs. Remove --enable-official-branding. [#:phases] {apply-guix-specific-patches}: Apply icecat-fhs-configure-option.patch. {remove-cargo-frozen-flag}: Remove --frozen from rust.mk. {install}: Also install a policies.json file to disable the Sync feature. {install-desktop-entry}: Adjust and streamline. {install-icons}: Use the 'unofficial' branding directory. [inputs]: Replace libpng-apng with libpng-apng-next. Replace icu4c with icu4c-77. [native-search-paths]: Replace ICECAT_SYSTEM_DIR with MOZILLA_SYSTEM_DIR. (icecat-source): Remove obsolete cleanups. Switch tarball compression to zstd. (make-l10n-package): No longer set GUIX_PYTHONPATH. [#:phases] {build}: Register the "tb_common" mach site. [native-inputs]: Replace python-wrapper with python. Add python-aiohttp, python-async-timeout and python-dateutil. (mozilla-115-compare-locales, mozilla-115-locale, mozilla-115-locales) (update-mozilla-115-locales, all-mozilla-115-locales, %icecat-115-base-version) (%icecat-115-version, %icecat-115-build-id (icecat-115-source): Delete variables. (mozilla-l10n): Update to correct changeset. (format-locales): New procedure. (%icecat-locales): Update. (%icecat-base-version): Set to the version of mozjs. (%icecat-build-id): Bump. (%icedove-build-id): Bump. (%icedove-version): Set to 140.3.0. (thunderbird-comm-source): Update accordingly. [patches]: New field. (comm-source->locales+changeset): Delete variable. (%icedove-locales): Regenerate. (thunderbird-comm-l10n): Adjust URI, and switch to a git-fetch, to be able to use pre-releases (the official release tarballs lag behind those of Firefox). (icedove-source): Compress resulting tarball via zstd. Adjust patching based on changed file names and content. Make "comm" files writable. Patch MOZ_APP_NAME in "devtools/startup/DevToolsStartup.sys.mjs". Adjust services.settings.server value to avoid a warning. Adjust l10n copying, given we're now using a checkout again. (icedove-minimal) [#:phases] {configure}: Do not set PYTHON. Add 'ac_add_options --enable-rust-simd' flag. {do-not-verify-vendored-rust-dependencies}: New phase. {patch-cargo-checksums}: Sync with IceCat, add "comm" directory. {remove-cargo-frozen-flag}: Sync phase with that of IceCat. [inputs]: Sort. Add ffmpeg. Remove gtk+-2. Replace nss with nss-rapid. Replace icu4c with icu4c-77. [native-inputs]: Replace clang-15 with clang-20, llvm-15 with llvm-20. Replace rust-cbindgen-0.24 with rust-cbindgen. * gnu/packages/patches/icedove-observer-fix.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/patches/icecat-compare-paths.patch: Update. * gnu/packages/patches/icecat-use-system-wide-dir.patch: Rework, with the goal to of upstreaming it. Change-Id: Ib420388b9e7c7b59baa74920951afbda99cfe5a2
2025-10-02 02:15:12 +00:00 · 2025-08-26 22:31:26 +09:00 · 2025-08-26 22:31:26 +09:00 · ba2f9748f7
commit ba2f9748f7
parent 91188fc691
8 changed files with 507 additions and 523 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1598,9 +1598,11 @@ dist_patch_DATA =						\
  %D%/packages/patches/icecat-makeicecat.patch			\
  %D%/packages/patches/icecat-avoid-bundled-libraries.patch	\
  %D%/packages/patches/icecat-compare-paths.patch		\
+  %D%/packages/patches/icecat-fhs-configure-option.patch        \
  %D%/packages/patches/icecat-use-system-graphite2+harfbuzz.patch	\
  %D%/packages/patches/icecat-use-system-media-libs.patch	\
  %D%/packages/patches/icecat-use-system-wide-dir.patch		\
+  %D%/packages/patches/icedove-observer-fix.patch               \
  %D%/packages/patches/icedtea-7-hotspot-aarch64-use-c++98.patch	\
  %D%/packages/patches/icedtea-7-hotspot-pointer-comparison.patch	\
  %D%/packages/patches/icu4c-icu-22132-fix-vtimezone.patch	\
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@ -332,8 +332,7 @@ APNG patch provides APNG support to libpng.")

 ;; Temporary, until 76798 merges into core-packages-team, and that merges into
 ;; master.
-(define-public libpng-apng-for-librewolf
-  (hidden-package
+(define-public libpng-apng-next
  (package
    (inherit libpng-apng)
    (version "1.6.46")
@ -361,7 +360,7 @@ APNG patch provides APNG support to libpng.")
                           version "/libpng-" version "-apng.patch.gz"))
           (sha256
            (base32
-              "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
+             "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9"))))))))

 (define-public pngcrush
  (package
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@ -641,7 +641,7 @@
                  libjpeg-turbo
                  libnotify
                  libpciaccess
-                  libpng-apng-for-librewolf
+                  libpng-apng-next
                  libva
                  libvpx
                  libwebp
--- a/gnu/packages/patches/icecat-compare-paths.patch
+++ b/gnu/packages/patches/icecat-compare-paths.patch
@ -2,20 +2,11 @@ See comment in gnu/build/icecat-extension.scm.

 --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
 +++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3613,6 +3613,7 @@ const XPIDatabaseReconcile = {
+@@ -3753,6 +3753,7 @@
     if (
       newAddon ||
       oldAddon.updateDate != xpiState.mtime ||
 +      oldAddon.path != xpiState.path ||
-       (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
-     ) {
-       newAddon = this.updateMetadata(
-@@ -3621,8 +3622,6 @@ const XPIDatabaseReconcile = {
-         xpiState,
-         newAddon
-       );
-    } else if (oldAddon.path != xpiState.path) {
-      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
-     } else if (aUpdateCompatibility || aSchemaChange) {
-       newAddon = this.updateCompatibility(
-         installLocation,
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
--- a/gnu/packages/patches/icecat-fhs-configure-option.patch
+++ b/gnu/packages/patches/icecat-fhs-configure-option.patch
@ -0,0 +1,38 @@
+Upstream-status: https://phabricator.services.mozilla.com/D263231
+
+diff --git a/build/moz.configure/init.configure b/build/moz.configure/init.configure
+index 6162d68699dd..193272588caa 100644
+--- a/build/moz.configure/init.configure
+++ b/build/moz.configure/init.configure
+@@ -1351,3 +1351,17 @@ option(
+     help="Object code libraries in DIR",
+ )
+ set_config("libdir", depends("--libdir")(lambda ldir: ldir[0]))
+
+# Support for using platform-specific standard (FHS-like) locations.
+option(
+    "--enable-fhs",
+    default=True,
+    help="Enable the search of standard platform-specific (FHS-like) locations",
+)
+
+@depends("--enable-fhs")
+def use_fhs(value):
+    return bool(value)
+
+set_config("USE_FHS", use_fhs)
+set_define("USE_FHS", use_fhs)
+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 547cc4c255c4..79133c879be4 100644
+--- a/toolkit/xre/nsXREDirProvider.cpp
+++ b/toolkit/xre/nsXREDirProvider.cpp
+@@ -295,6 +295,9 @@ static nsresult GetSystemParentDirectory(nsIFile** aFile) {
+     localDir.forget(aFile);
+     return rv;
+   }
+#  ifndef USE_FHS
+  return rv;
+#  endif
+ 
+   // ... falling back to the conventional fixed location otherwise.
+ #  if defined(XP_MACOSX)
--- a/gnu/packages/patches/icecat-use-system-wide-dir.patch
+++ b/gnu/packages/patches/icecat-use-system-wide-dir.patch
@ -1,36 +1,36 @@
-Replace "/usr/lib/mozilla" (the system-wide directory for extensions and
-native manifests) with "$ICECAT_SYSTEM_DIR".
+Upstream-status: https://bugzilla.mozilla.org/show_bug.cgi?id=1986219

+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 9c94cb8808aa..dfee051b302f 100644
 --- a/toolkit/xre/nsXREDirProvider.cpp
 +++ b/toolkit/xre/nsXREDirProvider.cpp
-@@ -296,24 +296,12 @@ nsresult nsXREDirProvider::GetBackgroundTasksProfilesRootDir(
+@@ -276,11 +276,27 @@ nsresult nsXREDirProvider::GetBackgroundTasksProfilesRootDir(
+  *
+  * On OSX this is /Library/Application Support/Mozilla
+  * On Linux this is /usr/{lib,lib64}/mozilla
+- *   (for 32- and 64-bit systems respsectively)
+ *   (for 32- and 64-bit systems respectively)
+ *
+ * The MOZILLA_SYSTEM_DIR environment variable can be used to override
+ * the system directory used.
+  */
 static nsresult GetSystemParentDirectory(nsIFile** aFile) {
-   nsresult rv;
+-  nsresult rv;
+  nsresult rv = NS_ERROR_FAILURE;
   nsCOMPtr<nsIFile> localDir;
-#  if defined(XP_MACOSX)
-  rv = GetOSXFolderType(kOnSystemDisk, kApplicationSupportFolderType,
-                        getter_AddRefs(localDir));
-  if (NS_SUCCEEDED(rv)) {
-    rv = localDir->AppendNative("Mozilla"_ns);
-  }
-#  else
-  constexpr auto dirname =
-#    ifdef HAVE_USR_LIB64_DIR
-      "/usr/lib64/mozilla"_ns
-#    elif defined(__OpenBSD__) || defined(__FreeBSD__)
-      "/usr/local/lib/mozilla"_ns
-#    else
-      "/usr/lib/mozilla"_ns
-#    endif
-      ;
-  rv = NS_NewNativeLocalFile(dirname, false, getter_AddRefs(localDir));
-#  endif
 +
-+  const char* systemParentDir = getenv("ICECAT_SYSTEM_DIR");
-+  if (!systemParentDir || !*systemParentDir) return NS_ERROR_FAILURE;
-+
-+  rv = NS_NewNativeLocalFile(nsDependentCString(systemParentDir), false,
+  // Honor a the MOZILLA_SYSTEM_DIR environment variable first...
+  const char* systemParentDir = getenv("MOZILLA_SYSTEM_DIR");
+  if (systemParentDir) {
+    rv = NS_NewNativeLocalFile(nsDependentCString(systemParentDir),
 +                               getter_AddRefs(localDir));
- 
-   if (NS_SUCCEEDED(rv)) {
-     localDir.forget(aFile);
+  }
+  if (NS_SUCCEEDED(rv)) {
+    localDir.forget(aFile);
+    return rv;
+  }
+
+  // ... falling back to the conventional fixed location otherwise.
+ #  if defined(XP_MACOSX)
+   rv = GetOSXFolderType(kOnSystemDisk, kApplicationSupportFolderType,
+                         getter_AddRefs(localDir));
--- a/gnu/packages/patches/icedove-observer-fix.patch
+++ b/gnu/packages/patches/icedove-observer-fix.patch
@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Magnus Melin <mkmelin+mozilla@iki.fi>
+# Date 1757493192 0
+# Node ID 1cc168c9d0a5c55744d2886aa380f5a7bf712ef4
+# Parent  20980bc07105ebb761347e9c99937e572eedf03a
+Bug 1987834 - Don't remove not added observer of AUTO_UPDATE_CHANGED_TOPIC when MOZ_UPDATER is off. r=john.bieling
+
+Differential Revision: https://phabricator.services.mozilla.com/D264376
+
+diff --git a/mail/components/preferences/general.js b/mail/components/preferences/general.js
+--- a/mail/components/preferences/general.js
+++ b/mail/components/preferences/general.js
+@@ -2175,17 +2175,19 @@ var gGeneralPane = {
+     }
+ 
+     return /^https?/.test(uri.scheme) ? uri.resolve("/favicon.ico") : "";
+   },
+ 
+   destroy() {
+     window.removeEventListener("unload", this);
+ 
+-    Services.obs.removeObserver(this, AUTO_UPDATE_CHANGED_TOPIC);
+    if (AppConstants.MOZ_UPDATER) {
+      Services.obs.removeObserver(this, AUTO_UPDATE_CHANGED_TOPIC);
+    }
+     Services.prefs.removeObserver("mailnews.tags.", this);
+   },
+ 
+   // nsISupports
+ 
+   QueryInterface: ChromeUtils.generateQI(["nsIObserver"]),
+ 
+   // nsIObserver
+