gnu: librewolf: Update to 138.0.3-1 [security fixes].

Contains fixes for: CVE-2025-2817: Privilege escalation in Firefox Updater CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor CVE-2025-4086: Specially crafted filename could be used to obscure download type CVE-2025-4087: Unsafe attribute access during XPath parsing CVE-2025-4088: Cross-site request forgery via storage access API redirects CVE-2025-4089: Potential local code execution in "copy as cURL" command CVE-2025-4090: Leaked library paths in Firefox for Android CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138 * gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1. * gnu/packages/patches/librewolf-compare-paths.patch: New file. Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
2025-10-02 02:15:12 +00:00 · 2025-05-15 07:16:00 -07:00 · 2025-05-15 07:16:00 -07:00 · f718e0e5e0
commit f718e0e5e0
parent 71da0b37ab
2 changed files with 22 additions and 7 deletions
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@ -191,7 +191,7 @@
                          #$output)))))
      (patches
       (search-patches
-        "torbrowser-compare-paths.patch"
+        "librewolf-compare-paths.patch"
        "librewolf-use-system-wide-dir.patch"
        "librewolf-add-store-to-rdd-allowlist.patch")))))

@ -207,17 +207,17 @@
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
-(define %librewolf-build-id "20250416062358")
+(define %librewolf-build-id "20250502155055")

 (define-public librewolf
  (package
    (name "librewolf")
-    (version "137.0.2-1")
+    (version "138.0.3-1")
    (source
     (make-librewolf-source
      #:version version
-      #:firefox-hash "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"
-      #:librewolf-hash "0vy1xvjwgc4vd9q3laakx6lrsy4ghpdr98vm9lmx86amg9gak5ix"
+      #:firefox-hash "1r0kam26cz5rz39n6zcc2hrbav6dxlfrsa0qhhfjlnv33ns3lzx2"
+      #:librewolf-hash "1bf9sa5radjr7g6ng7kqy2ss13c0q6vkq9dfzj5y998ifxw19s4c"
      #:l10n firefox-l10n))
    (build-system gnu-build-system)
    (arguments
@ -639,7 +639,7 @@
                  libxt
                  mesa
                  mit-krb5
-                  nspr
+                  nspr-4.36
                  nss-rapid
                  pango
                  pciutils
@ -665,7 +665,7 @@
                         pkg-config
                         python
                         rust-librewolf
-                         rust-cbindgen-0.26
+                         rust-cbindgen-0.28
                         which
                         yasm))
    (native-search-paths
--- a/gnu/packages/patches/librewolf-compare-paths.patch
+++ b/gnu/packages/patches/librewolf-compare-paths.patch
@ -0,0 +1,15 @@
+See comment in gnu/build/icecat-extension.scm.
+This is only needed while icecat and torbrowser remain on
+different ESR versions as the patched file has changed its
+name.
+
+--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+@@ -3753,6 +3753,7 @@
+     if (
+       newAddon ||
+       oldAddon.updateDate != xpiState.mtime ||
+      oldAddon.path != xpiState.path ||
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing