Contains fixes for:
CVE-2025-3028: Use-after-free triggered by XSLTProcessor
CVE-2025-3031: JIT optimization bug with different stack slot sizes
CVE-2025-3032: Leaking file descriptors from the fork server
CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
CVE-2025-3033: Opening local .url files could lead to another file
being opened
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird
137, Firefox ESR 128.9, and Thunderbird 128.9
CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird
137
* gnu/packages/librewolf.scm (librewolf): Update to 137.0-1.
Change-Id: I23d8cbefc242e57c19b4e98660fd22bd1dda8d6a
Contains a fix for:
CVE-2025-2857: Incorrect handle could lead to sandbox escapes
* gnu/packages/librewolf.scm (librewolf): Update to 136.0.4-1.
Change-Id: I9ff4b61c7dc26fe82b593b0a7eddfc2592b36542
CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
the Browser process
CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
animations
CVE-2025-1931: Use-after-free in WebTransportChild
CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
out-of-bounds access
CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940: Android Intent confirmation prompt tapjacking using
Select options
CVE-2024-9956: Passkey phishing within Bluetooth range
CVE-2025-1934: Unexpected GC during RegExp bailout processing
CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
causes string to get longer
CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
the interpretation of the contents
CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 115.21, Firefox ESR 128.8, and
Thunderbird 128.8
CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
136
* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.
Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
* gnu/packages/librewolf.scm (librewolf)[arguments]<#:phases>:
Honor --cores build argument during the 'build phase.
Signed-off-by: Ian Eure <ian@retrospec.tv>
New upstream version. Contains fixes for:
CVE-2025-1009: Use-after-free in XSLT
CVE-2025-1010: Use-after-free in Custom Highlight
CVE-2025-1018: Fullscreen notification is not displayed when
fullscreen is re-requested
CVE-2025-1011: A bug in WebAssembly code generation could result in a
crash
CVE-2025-1012: Use-after-free during concurrent delazification
CVE-2025-1019: Fullscreen notification not properly displayed
CVE-2025-1013: Potential opening of private browsing tabs in normal
browsing windows
CVE-2025-1014: Certificate length was not properly checked
CVE-2025-1016: Memory safety bugs fixed in Firefox 135, Thunderbird
135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird
115.20, and Thunderbird 128.7
CVE-2025-1017: Memory safety bugs fixed in Firefox 135, Thunderbird
135, Firefox ESR 128.7, and Thunderbird 128.7
CVE-2025-1020: Memory safety bugs fixed in Firefox 135 and Thunderbird
135
* gnu/packages/librewolf.scm (librewolf): Update to 135.0-1.
Change-Id: I7054fc9df31d59bb0d42e02b1f359cf3e6c1a43d
New upstream release. Some minor tweaks needed, like switching from gzip to
pigz, updating icu4c, and ensuring it builds with the correct Rust version.
CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
CVE-2025-0238: Use-after-free when breaking lines in text
CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON
module
CVE-2025-0241: Memory corruption when using JavaScript Text
Segmentation
CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird
115.19, and Thunderbird 128.6
CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 128.6, and Thunderbird 128.6
CVE-2025-0244: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0245: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-0246: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0247: Memory safety bugs fixed in Firefox 134 and Thunderbird
134
* gnu/packages/librewolf.scm (librewolf): Update to 134.0.1-1.
Change-Id: I027bf6f1541b0e7bec9116b2d6b39ab606813b23
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/librewolf.scm (make-librewolf-source): Take l10n package as an
arg.
Change-Id: I3c405edc07edb54e27afee16325c93a83d37ad79
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/patches/librewolf-use-system-wide-dir.patch: New file.
* gnu/local.mk (dist_patch_DATA): Regisiter it.
* gnu/packages/librewolf.scm (make-librewolf-source)[patches]: Add it along with
torbrowser-compare-paths.patch.
(librewolf)[native-search-paths]: Add ICECAT_SYSTEM_DIR.
Change-Id: I8609d25a7e2725ad94ab257d720326639eb06778
The context behind this change is that Firefox used to ship a
taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
line like this:
Exec=@MOZ_APP_NAME@ %u
The Guix package would use that file, replacing the token with the path
to the binary. Reported in #74648.
* gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open
URLs.
Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
Reviewed-by: André Batista <nandre@riseup.net>
Reviewed-by: Ian Eure <ian@retrospec.tv>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
New upstream version. Fixes CVEs:
CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation
on Android
CVE-2024-11692: Select list elements could be shown over another site
CVE-2024-11701: Misleading Address Bar State During Navigation
Interruption
CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing
Mode on Android
CVE-2024-11693: Download Protections were bypassed by .library-ms
files on Windows
CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility
Shims
CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and
Whitespace Characters
CVE-2024-11703: Password access without authentication via PIN bypass
on Android
CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
CVE-2024-11697: Improper Keypress Handling in Executable File
Confirmation Dialog
CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7
Decryption Handling
CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts
Transition on macOS
CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
CVE-2024-11708: Data race with PlaybackParams
CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR
128.5, and Thunderbird 128.5
* gnu/packages/librewolf.scm (librewolf): Update to 133.0-1.
Change-Id: I611505daf4d4f0940405190471f443d99102c2b9
Signed-off-by: Hilton Chain <hako@ultrarare.space>
New upstream version. The 132.0-2-1 release switches to the firefox-l10n
repository, necessitating rework of locale handling.
131.0.3-1 fixes CVEs:
CVE-2024-9936: Undefined behavior in selection node cache
132.0-1 fixes CVEs:
CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol
handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long
URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a
Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird
132, Firefox ESR 128.4, and Thunderbird 128.4
* gnu/packages/librewolf.scm (librewolf): Update to 132.0-1.
Change-Id: I4afbcb496a8b0a329254762259cd1598d574761e
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Updates the package and changes how the .desktop file is generated. The
.desktop file the package had been using was removed upstream.
Fixes:
CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline
* gnu/packages/librewolf.scm (%librewolf-build-id): Update.
(librewolf): Update to 131.0.2-1.
[arguments]<#:phases>: Adjust 'install-desktop-entry for new .desktop file.
Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
Modified-by: Hilton Chain <hako@ultrarare.space>
Signed-off-by: Hilton Chain <hako@ultrarare.space>
This patch fixes a reported bug where context (right-click) menus contain many
duplicate and incorrect entries.
* gnu/packages/librewolf.scm (librewolf)
[phases] <neuter-genai>: Reinstate the genai browser component.
Change-Id: I288545ce80b9a7e854edfc26a7ffe43433303458
This patch changes the `librewolf-source' variable into the
`make-librewolf-source' prodecure.
This procedure accepts a LibreWolf version, source hash, and Firefox source
hash. The Firefox source version is derived from the provided LibreWolf
version.
This eases package updates, since the hashes are inside the `librewolf'
package, rather than `librewolf-source'; and the version no longer needs to be
specified in three places.
It also removes a blank line between the file header and `define-module'.
* gnu/packages/librewolf.scm (librewolf-source): Turn into a procedure.
Change-Id: I96ab1304acde246c179e7aa5dad9ff621be3de82
Signed-off-by: Andrew Tropin <andrew@trop.in>
This patch:
- Updates LibreWolf to the latest version
- Removes the code which disabled encoding_rs.patch from upstream. It’s no
longer in the repo, so the code did nothing, and the underlying issue (Guix
being stuck with an old Rust version) has been fixed.
- Integrates changes from #72265 with some slight tweaks. This should allow
LibreWolf to use accelerated video decoding on supported hardware.
- Neuters the GenAI chat feature, which direcly integrates with non-free
services, by excluding it from the build and locking the preferences which
would enable it.
Fixes:
CVE-2024-8385: WASM type confusion involving ArrayTypes
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
CVE-2024-8383: Firefox did not ask before openings news: links in an external application
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
* gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
Signed-off-by: Andrew Tropin <andrew@trop.in>
Until now users would have to cargo cult or inspect the private
%default-modules variable of (guix build-systems gnu) to discover which
modules to include when extending the used modules via the #:modules argument.
The renaming was automated via the command:
$ git grep -l %gnu-build-system-modules
| xargs sed 's/%gnu-build-system-modules/%default-gnu-imported-modules/' -i
* guix/build-system/gnu.scm (%gnu-build-system-modules): Rename to...
(%default-gnu-imported-modules): ... this.
(%default-modules): Rename to...
(%default-gnu-modules): ... this. Export.
(dist-package, gnu-build, gnu-cross-build): Adjust accordingly.
Change-Id: Idef307fff13cb76f3182d782b26e1cd3a5c757ee
Make desktop environments properly render the icon and not conflate
LibreWolf with other browsers with the "Navigator" class.
A similar fix to IceCat was pushed as commit
be1d05c107.
* gnu/packages/librewolf.scm (librewolf)[arguments]: Set both
the MOZ_APP_REMOTINGNAME environment variable and librewolf.desktop's
StartupWMClass to "LibreWolf".
Change-Id: I3e117f99ee25321fe3a40ad67450460971579d71
* gnu/packages/librewolf.scm (librewolf)[arguments]: On non-x86-linux
systems the "--disable-eme" switch is not available because EME is
not available.
Change-Id: I0f397570249b1bc6a0182d2744a8d3c459c1bafa
Signed-off-by: Andreas Enge <andreas@enge.fr>
This patch removes an intermediate step in the build chain. The upstream
source tarball is created with an automated build process, where Firefox
sources are fetched, patched, and repacked. Rather than download the output
of that process, as the package has been, it’s now replicated within the build
process, similar to how IceCat works.
* gnu/packages/librewolf.scm (firefox-source-origin): New procedure.
(librewolf-source-origin): Likewise.
(computed-origin-method): New variable.
(librewolf-source): Likewise.
(librewolf) [source]: Use it.
Change-Id: I0f1c2a10252cbbff9b3b3140f6ea3a594df0c97b
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this. Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.
Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
