nongnu: firefox: Update to 138.0 [security fixes].

Fixes CVE-2025-2817, CVE-2025-4082, CVE-2025-4083, CVE-2025-4085, CVE-2025-4086, CVE-2025-4087, CVE-2025-4088, CVE-2025-4089, CVE-2025-4090, CVE-2025-4091, CVE-2025-4092. * nongnu/packages/patches/firefox-ge-138-compare-paths.patch: New file. * nongnu/packages/mozilla.scm (firefox): Update to 138.0. [source]: Use the new patch. [native-inputs]: Replace rust-cbindgen with rust-cbindgen-0.28. Signed-off-by: Hilton Chain <hako@ultrarare.space>
2025-10-02 02:14:59 +00:00 · 2025-04-29 22:15:55 +02:00 · 2025-04-29 22:15:55 +02:00 · b9d3169772
commit b9d3169772
parent 99c64f1ab8
2 changed files with 26 additions and 4 deletions
--- a/nongnu/packages/mozilla.scm
+++ b/nongnu/packages/mozilla.scm
@ -524,13 +524,13 @@ Release (ESR) version.")

 ;; Update this id with every firefox update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
-(define %firefox-build-id "20250414143137")
+(define %firefox-build-id "20250428114547")

 (define-public firefox
  (package
    (inherit firefox-esr)
    (name "firefox")
-    (version "137.0.2")
+    (version "138.0")
    (source
     (origin
       (method url-fetch)
@ -543,10 +543,10 @@ Release (ESR) version.")
                     %load-path)
                patch))
             '("firefox-restore-desktop-files.patch"
-               "firefox-esr-compare-paths.patch"
+               "firefox-ge-138-compare-paths.patch"
               "firefox-use-system-wide-dir.patch")))
       (sha256
-        (base32 "01yd5cq6qgww6w2kq1bchy9j81blim15kdz7bvx8n512m2x3mz06"))))
+        (base32 "08wvy530pqscldi6afw05klgw60bsk2am8fw51i4a6wcx1z3sqh4"))))
    (arguments
     (substitute-keyword-arguments (package-arguments firefox-esr)
       ((#:phases phases)
@ -571,6 +571,7 @@ Release (ESR) version.")
    (native-inputs
     (modify-inputs (package-native-inputs firefox-esr)
       (replace "rust" rust-firefox)
+       (replace "rust-cbindgen" rust-cbindgen-0.28)
       (replace "rust:cargo" `(,rust-firefox "cargo"))))
    (description
     "Full-featured browser client built from Firefox source tree, without
--- a/nongnu/packages/patches/firefox-ge-138-compare-paths.patch
+++ b/nongnu/packages/patches/firefox-ge-138-compare-paths.patch
@ -0,0 +1,21 @@
+diff --git a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+index 1b01851e2fff..7f3b8c200c2f 100644
+--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
+@@ -3753,6 +3753,7 @@ export const XPIDatabaseReconcile = {
+     if (
+       newAddon ||
+       oldAddon.updateDate != xpiState.mtime ||
+      oldAddon.path != xpiState.path ||
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
+       // update addon metadata if the addon in bundled into
+       // the omni jar and version or the resource URI pointing
+@@ -3767,8 +3768,6 @@ export const XPIDatabaseReconcile = {
+         xpiState,
+         newAddon
+       );
+-    } else if (oldAddon.path != xpiState.path) {
+-      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
+     } else if (aUpdateCompatibility || aSchemaChange) {
+       newAddon = this.updateCompatibility(
+         installLocation,