| Commit message (Expand) | Author | Age | Files | Lines |
|---|
| * | gnu: librewolf: Update to 134.0.1-1 [security fixes].•••New upstream release. Some minor tweaks needed, like switching from gzip to
pigz, updating icu4c, and ensuring it builds with the correct Rust version.
CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
CVE-2025-0238: Use-after-free when breaking lines in text
CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON
module
CVE-2025-0241: Memory corruption when using JavaScript Text
Segmentation
CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird
115.19, and Thunderbird 128.6
CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 128.6, and Thunderbird 128.6
CVE-2025-0244: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0245: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-0246: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0247: Memory safety bugs fixed in Firefox 134 and Thunderbird
134
* gnu/packages/librewolf.scm (librewolf): Update to 134.0.1-1.
Change-Id: I027bf6f1541b0e7bec9116b2d6b39ab606813b23
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
| Ian Eure | 8 days | 1 | -11/+13 |
| * | gnu: librewolf: Tidy code formatting.•••* gnu/packages/librewolf.scm (librewolf): Tidy code formatting.
Change-Id: I0341da820f170c26888800ea433e539f2a6a2520
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
| Ian Eure | 8 days | 1 | -9/+13 |
| * | gnu: make-librewolf-source: Take l10n package as an arg.•••* gnu/packages/librewolf.scm (make-librewolf-source): Take l10n package as an
arg.
Change-Id: I3c405edc07edb54e27afee16325c93a83d37ad79
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
| Ian Eure | 8 days | 1 | -3/+4 |
| * | gnu: firefox-l10n: Update to d219efa7c64850dfb5904893e17a5431c7058192.•••* gnu/packages/librewolf.scm (firefox-l10n): Update to d219efa7c64850dfb5904893e17a5431c7058192.
Change-Id: Ia4303f13a0cbf7c4908410b735b509a4a5f505cd
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
| Ian Eure | 8 days | 1 | -2/+2 |
| * | gnu: librewolf: Support Guix icecat browser extensions.•••* gnu/packages/patches/librewolf-use-system-wide-dir.patch: New file.
* gnu/local.mk (dist_patch_DATA): Regisiter it.
* gnu/packages/librewolf.scm (make-librewolf-source)[patches]: Add it along with
torbrowser-compare-paths.patch.
(librewolf)[native-search-paths]: Add ICECAT_SYSTEM_DIR.
Change-Id: I8609d25a7e2725ad94ab257d720326639eb06778
| Hilton Chain | 2024-12-18 | 1 | -1/+10 |
| * | gnu: librewolf: Add %u to Exec option to open URLs.•••The context behind this change is that Firefox used to ship a
taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
line like this:
Exec=@MOZ_APP_NAME@ %u
The Guix package would use that file, replacing the token with the path
to the binary. Reported in #74648.
* gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open
URLs.
Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
Reviewed-by: André Batista <nandre@riseup.net>
Reviewed-by: Ian Eure <ian@retrospec.tv>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
| Roman Scherer | 2024-12-11 | 1 | -1/+1 |
| * | gnu: librewolf: Update to 133.0-1 [security fixes].•••New upstream version. Fixes CVEs:
CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation
on Android
CVE-2024-11692: Select list elements could be shown over another site
CVE-2024-11701: Misleading Address Bar State During Navigation
Interruption
CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing
Mode on Android
CVE-2024-11693: Download Protections were bypassed by .library-ms
files on Windows
CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility
Shims
CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and
Whitespace Characters
CVE-2024-11703: Password access without authentication via PIN bypass
on Android
CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
CVE-2024-11697: Improper Keypress Handling in Executable File
Confirmation Dialog
CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7
Decryption Handling
CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts
Transition on macOS
CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
CVE-2024-11708: Data race with PlaybackParams
CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR
128.5, and Thunderbird 128.5
* gnu/packages/librewolf.scm (librewolf): Update to 133.0-1.
Change-Id: I611505daf4d4f0940405190471f443d99102c2b9
Signed-off-by: Hilton Chain <hako@ultrarare.space>
| Ian Eure | 2024-12-02 | 1 | -4/+4 |
| * | gnu: librewolf: Update to 132.0.2-1.•••* gnu/packages/librewolf.scm (librewolf): Update to 132.0.2-1.
Change-Id: Ica7e9c8c02085101060401d72b83fe25a19448d9
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
| Ian Eure | 2024-11-23 | 1 | -4/+4 |
| * | gnu: librewolf: Update to 132.0-1 [security fixes].•••New upstream version. The 132.0-2-1 release switches to the firefox-l10n
repository, necessitating rework of locale handling.
131.0.3-1 fixes CVEs:
CVE-2024-9936: Undefined behavior in selection node cache
132.0-1 fixes CVEs:
CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol
handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long
URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a
Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird
132, Firefox ESR 128.4, and Thunderbird 128.4
* gnu/packages/librewolf.scm (librewolf): Update to 132.0-1.
Change-Id: I4afbcb496a8b0a329254762259cd1598d574761e
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| Ian Eure | 2024-11-06 | 1 | -44/+24 |
| * | gnu: librewolf: Update to 131.0.2-1 [security fixes].•••Updates the package and changes how the .desktop file is generated. The
.desktop file the package had been using was removed upstream.
Fixes:
CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline
* gnu/packages/librewolf.scm (%librewolf-build-id): Update.
(librewolf): Update to 131.0.2-1.
[arguments]<#:phases>: Adjust 'install-desktop-entry for new .desktop file.
Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
Modified-by: Hilton Chain <hako@ultrarare.space>
Signed-off-by: Hilton Chain <hako@ultrarare.space>
| Ian Eure | 2024-10-11 | 1 | -22/+13 |
| * | gnu: librewolf: Revert video acceleration fix.•••This patch partly reverts #73429, because that change makes livestreaming
video refuse to play.
* gnu/packages/librewolf.scm (librewolf) [source]: Remove
the librewolf-add-paths-to-rdd-allowlist patch.
[phases] <wrap-program>: Reinstate previous LD_LIBRARY_PATH wrapping.
* gnu/packages/patches/librewolf-add-paths-to-rdd-allowlist.patch: Delete
file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Change-Id: Iaf36c64464cd078538fda677ea4fa7b13e7c110f
| Ian Eure | 2024-10-08 | 1 | -5/+17 |
| * | gnu: librewolf: Fix broken context menu.•••This patch fixes a reported bug where context (right-click) menus contain many
duplicate and incorrect entries.
* gnu/packages/librewolf.scm (librewolf)
[phases] <neuter-genai>: Reinstate the genai browser component.
Change-Id: I288545ce80b9a7e854edfc26a7ffe43433303458
| Ian Eure | 2024-10-08 | 1 | -4/+1 |
| * | gnu: librewolf-source: Turn into a procedure.•••This patch changes the `librewolf-source' variable into the
`make-librewolf-source' prodecure.
This procedure accepts a LibreWolf version, source hash, and Firefox source
hash. The Firefox source version is derived from the provided LibreWolf
version.
This eases package updates, since the hashes are inside the `librewolf'
package, rather than `librewolf-source'; and the version no longer needs to be
specified in three places.
It also removes a blank line between the file header and `define-module'.
* gnu/packages/librewolf.scm (librewolf-source): Turn into a procedure.
Change-Id: I96ab1304acde246c179e7aa5dad9ff621be3de82
Signed-off-by: Andrew Tropin <andrew@trop.in>
| Ian Eure | 2024-09-24 | 1 | -7/+10 |
| * | gnu: librewolf: Update to 130.0.1-1. [security fixes]•••This patch:
- Updates LibreWolf to the latest version
- Removes the code which disabled encoding_rs.patch from upstream. It’s no
longer in the repo, so the code did nothing, and the underlying issue (Guix
being stuck with an old Rust version) has been fixed.
- Integrates changes from #72265 with some slight tweaks. This should allow
LibreWolf to use accelerated video decoding on supported hardware.
- Neuters the GenAI chat feature, which direcly integrates with non-free
services, by excluding it from the build and locking the preferences which
would enable it.
Fixes:
CVE-2024-8385: WASM type confusion involving ArrayTypes
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
CVE-2024-8383: Firefox did not ask before openings news: links in an external application
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
* gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
Signed-off-by: Andrew Tropin <andrew@trop.in>
| Ian Eure | 2024-09-24 | 1 | -26/+29 |
| * | build-systems: gnu: Export %default-gnu-imported-modules and %default-gnu-mod...•••Until now users would have to cargo cult or inspect the private
%default-modules variable of (guix build-systems gnu) to discover which
modules to include when extending the used modules via the #:modules argument.
The renaming was automated via the command:
$ git grep -l %gnu-build-system-modules
| xargs sed 's/%gnu-build-system-modules/%default-gnu-imported-modules/' -i
* guix/build-system/gnu.scm (%gnu-build-system-modules): Rename to...
(%default-gnu-imported-modules): ... this.
(%default-modules): Rename to...
(%default-gnu-modules): ... this. Export.
(dist-package, gnu-build, gnu-cross-build): Adjust accordingly.
Change-Id: Idef307fff13cb76f3182d782b26e1cd3a5c757ee
| Maxim Cournoyer | 2024-08-31 | 1 | -1/+1 |
| * | gnu: librewolf: Update to 129.0.1-1.•••* gnu/packages/librewolf.scm (librewolf): Update to 129.0.1-1.
Change-Id: Iefeff2ea7016e8d55313b55dd97179f80bcead1b
Signed-off-by: Vagrant Cascadian <vagrant@debian.org>
| Ian Eure | 2024-08-19 | 1 | -6/+6 |
| * | gnu: librewolf: Use distinct WM Class.•••Make desktop environments properly render the icon and not conflate
LibreWolf with other browsers with the "Navigator" class.
A similar fix to IceCat was pushed as commit
be1d05c10766a979dd0720b677889ed950d3b895.
* gnu/packages/librewolf.scm (librewolf)[arguments]: Set both
the MOZ_APP_REMOTINGNAME environment variable and librewolf.desktop's
StartupWMClass to "LibreWolf".
Change-Id: I3e117f99ee25321fe3a40ad67450460971579d71
| Ashvith Shetty | 2024-08-11 | 1 | -2/+3 |
| * | gnu: librewolf: Fix building on aarch64-linux.•••* gnu/packages/librewolf.scm (librewolf)[arguments]: On non-x86-linux
systems the "--disable-eme" switch is not available because EME is
not available.
Change-Id: I0f397570249b1bc6a0182d2744a8d3c459c1bafa
Signed-off-by: Andreas Enge <andreas@enge.fr>
| Remco van 't Veer | 2024-07-08 | 1 | -1/+5 |
| * | gnu: librewolf: Update to 126.0.1-1.•••* gnu/packages/librewolf.scm (librewolf): Update to 126.0.1-1.
Change-Id: Ie2cda543b3de76226d1d6959711b955d22c74fef
Signed-off-by: Christopher Baines <mail@cbaines.net>
| Ian Eure | 2024-06-11 | 1 | -5/+5 |
| * | gnu: librewolf: Update to 126.0-1 [security fixes].•••* gnu/packages/librewolf.scm (librewolf): Update to 126.0-1. Fixes
CVE-2024-4367, CVE-2024-4764, CVE-2024-4765, CVE-2024-4766, CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4771, CVE-2024-4772,
CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777,
CVE-2024-4778.
Change-Id: Iec010e516651588da389f747074cbd10f8c14377
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
| Ian Eure | 2024-05-31 | 1 | -5/+5 |
| * | gnu: librewolf: Generate source tarball.•••This patch removes an intermediate step in the build chain. The upstream
source tarball is created with an automated build process, where Firefox
sources are fetched, patched, and repacked. Rather than download the output
of that process, as the package has been, it’s now replicated within the build
process, similar to how IceCat works.
* gnu/packages/librewolf.scm (firefox-source-origin): New procedure.
(librewolf-source-origin): Likewise.
(computed-origin-method): New variable.
(librewolf-source): Likewise.
(librewolf) [source]: Use it.
Change-Id: I0f1c2a10252cbbff9b3b3140f6ea3a594df0c97b
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
| Ian Eure | 2024-05-31 | 1 | -12/+116 |
| * | gnu: librewolf: Update to 125.0.2-1.•••* gnu/packages/librewolf.scm (librewolf): Update to 125.0.2-1. Build with
LLVM/Clang 18; LLVM 13 (the default) segfaults on build. Minor style tweaks.
Change-Id: Ib515f1596b3ce2dd192baebf1a877b3c2dc8d7e2
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
| Ian Eure | 2024-04-28 | 1 | -7/+8 |
| * | gnu: nss: Graft with version 3.98 [security fixes].•••This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this. Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.
Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
| Maxim Cournoyer | 2024-04-26 | 1 | -1/+1 |
| * | gnu: Add librewolf.•••* gnu/packages/librewolf.scm (librewolf): New variable.
* gnu/local.mk (dist_patch_DATA): Add it.
Change-Id: I98b6410582b856ede83b79637a58e66d6e5832e6
Signed-off-by: Andrew Tropin <andrew@trop.in>
| Ian Eure | 2024-04-12 | 1 | -0/+621 |
