Contains fixes for:
CVE-2025-6424: Use-after-free in FontFaceSet
CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed
a persistent UUID
CVE-2025-6426: No warning when opening executable terminal files on
macOS
CVE-2025-6427: connect-src Content Security Policy restriction could
be bypassed
CVE-2025-6428: Firefox for Android opened URLs specified in a link
querystring parameter
CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding
of youtube.com
CVE-2025-6430: Content-Disposition header ignored when a file is
included in an embed or object tag
CVE-2025-6431: The prompt in Firefox for Android that asks before
opening a link in an external application could be
bypassed
CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy
CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a
webpage with an invalid TLS certificate
CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking
delay
CVE-2025-6435: Save as in Devtools could download files without
sanitizing the extension
CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird
140
* gnu/packages/librewolf.scm (librewolf): Update to 140.0.2-1.
* gnu/packages/patches/librewolf-use-system-wide-dir.patch: Adjust.
Change-Id: I786706575e04f32054f6a1142d606eb3ba6b22e3
Contains fixes for:
CVE-2025-5263: Error handling for script execution was incorrectly
isolated from web content
CVE-2025-5264: Potential local code execution in “Copy as cURL”
command
CVE-2025-5265: Potential local code execution in “Copy as cURL”
command
CVE-2025-5266: Script element events leaked cross-origin resource
status
CVE-2025-5270: SNI was sometimes unencrypted
CVE-2025-5271: Devtools' preview ignored CSP headers
CVE-2025-5267: Clickjacking vulnerability could have led to leaking
saved payment card details
CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird
139, Firefox ESR 128.11, and Thunderbird 128.11
CVE-2025-5272: Memory safety bugs fixed in Firefox 139 and Thunderbird
139
* gnu/packages/librewolf.scm (librewolf): Update to 139.0-1.
Change-Id: I42b2e98f49a99f0b5259e02726e9f521a19932b8
* gnu/packages/librewolf.scm (make-librewolf-source): Delete
testing/web-platform. This frees more than 800M of RAM during the
build. Removing it seems to be enough to allow build on some
machines.
Signed-off-by: Ian Eure <ian@retrospec.tv>
Contains fixes for:
CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation
in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
138
* gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.
Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
CVE-2025-3608: Race condition in nsHttpTransaction could lead to
memory corruption
* gnu/packages/librewolf.scm (librewolf): Update to 137.0.2-1.
Change-Id: I39023c324058bc369331eb165d34cf388029459f
This patch fixes the video playback issue with librewolf.
From ebe6707d964fca6f47cf778559f6890bf67665dd Mon Sep 17 00:00:00 2001
Message-ID: <ebe6707d964fca6f47cf778559f6890bf67665dd.1744735632.git.jakob.kirsch@web.de>
From: Jakob Kirsch <jakob.kirsch@web.de>
Date: Tue, 15 Apr 2025 18:44:58 +0200
Subject: [PATCH] gnu: librewolf: Fix video playback.
Firefox seems to enable VAAPI starting with version 137, which depends on libpciaccess.
Without it, video playback randomly stops and doesn't work until you restart the browser.
* gnu/packages/librewolf.scm (librewolf): [inputs]: Add libpciaccess.
Change-Id: I87332f53a41ef64639c9770c6dbfcac1eefe2e84
Signed-off-by: Ian Eure <ian@retrospec.tv>
This avoids issues with Native Messaging and non-guix add-ons:
<https://issues.guix.gnu.org/77415>.
* gnu/packages/librewolf.scm (librewolf)[arguments]: Add an
'mkdir-lib-icecat' phase.
Change-Id: I2e5dc8f599708c414c9266ee3453a6beac08ee66
Signed-off-by: Ian Eure <ian@retrospec.tv>
When 'configure creates the mozconfig used to build the browser, it overwrites
upstream’s configuration, requiring that it repeat the options already set
upstream. It also handles the final two options incorrectly, due to missing
newlines -- the options are concatenated.
Instead of doing that all that, append the Guix-specific options to
upstream’s mozconfig.
* gnu/packages/librewolf.scm (librewolf): Fix mozconfig creation.
[#:configure-flags]: Remove flags already present in upstream mozconfig.
[#:configure-flags]: Disable toolchain bootstrapping.
[phase 'configure]: Remove flags already present in upstream mozconfig.
[phase 'configure]: Append to mozconfig instead of overwriting.
Change-Id: I67070ac1e84747ea4f88c527441ffcea4c2e02f5
With the Mozzarella changes moved to 'use-mozzarella, 'fix-config no longer
reflects what this phase is doing; rename it. Also, move it to run after
'unpack, and modify the file in the source tree, rather than after 'install,
modifying the file in the package output.
* gnu/packages/librewolf.scm (librewolf):
[phase 'patch-config]: Rename to 'expand-extension-scope. Run earlier, and
work on the source tree, not the package output.
Change-Id: If226a70daa780d652b2bb3028c888d029c765444
* gnu/packages/librewolf.scm (librewolf): Move all Mozzarella-related changes
into a new 'use-mozzarella phase, instead of splitting it into two others.
Change-Id: Iba264d26a944bd83ebb31c0a952a757b0ed4e847
New upstream release. Contains fixes for:
CVE-2025-3028: Use-after-free triggered by XSLTProcessor
CVE-2025-3031: JIT optimization bug with different stack slot sizes
CVE-2025-3032: Leaking file descriptors from the fork server
CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
CVE-2025-3033: Opening local .url files could lead to another file
being opened
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird
137, Firefox ESR 128.9, and Thunderbird 128.9
CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird
137
* gnu/packages/librewolf.scm (librewolf): Update to 137.0.1-1.
Change-Id: I418fadabc2375fe85e6d71f0fba198ae5983159c
Contains fixes for:
CVE-2025-3028: Use-after-free triggered by XSLTProcessor
CVE-2025-3031: JIT optimization bug with different stack slot sizes
CVE-2025-3032: Leaking file descriptors from the fork server
CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
CVE-2025-3033: Opening local .url files could lead to another file
being opened
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird
137, Firefox ESR 128.9, and Thunderbird 128.9
CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird
137
* gnu/packages/librewolf.scm (librewolf): Update to 137.0-1.
Change-Id: I23d8cbefc242e57c19b4e98660fd22bd1dda8d6a
Contains a fix for:
CVE-2025-2857: Incorrect handle could lead to sandbox escapes
* gnu/packages/librewolf.scm (librewolf): Update to 136.0.4-1.
Change-Id: I9ff4b61c7dc26fe82b593b0a7eddfc2592b36542
CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in
the Browser process
CVE-2025-1939: Tapjacking in Android Custom Tabs using transition
animations
CVE-2025-1931: Use-after-free in WebTransportChild
CVE-2025-1932: Inconsistent comparator in XSLT sorting led to
out-of-bounds access
CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
CVE-2025-1940: Android Intent confirmation prompt tapjacking using
Select options
CVE-2024-9956: Passkey phishing within Bluetooth range
CVE-2025-1934: Unexpected GC during RegExp bailout processing
CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase()
causes string to get longer
CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed
the interpretation of the contents
CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 115.21, Firefox ESR 128.8, and
Thunderbird 128.8
CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8
CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird
136
* gnu/packages/librewolf.scm (librewolf): Update to 136.0-2.
Change-Id: Ia3b5777478fa8443471bd1e61898128cdeda4bcf
* gnu/packages/librewolf.scm (librewolf)[arguments]<#:phases>:
Honor --cores build argument during the 'build phase.
Signed-off-by: Ian Eure <ian@retrospec.tv>
New upstream version. Contains fixes for:
CVE-2025-1009: Use-after-free in XSLT
CVE-2025-1010: Use-after-free in Custom Highlight
CVE-2025-1018: Fullscreen notification is not displayed when
fullscreen is re-requested
CVE-2025-1011: A bug in WebAssembly code generation could result in a
crash
CVE-2025-1012: Use-after-free during concurrent delazification
CVE-2025-1019: Fullscreen notification not properly displayed
CVE-2025-1013: Potential opening of private browsing tabs in normal
browsing windows
CVE-2025-1014: Certificate length was not properly checked
CVE-2025-1016: Memory safety bugs fixed in Firefox 135, Thunderbird
135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird
115.20, and Thunderbird 128.7
CVE-2025-1017: Memory safety bugs fixed in Firefox 135, Thunderbird
135, Firefox ESR 128.7, and Thunderbird 128.7
CVE-2025-1020: Memory safety bugs fixed in Firefox 135 and Thunderbird
135
* gnu/packages/librewolf.scm (librewolf): Update to 135.0-1.
Change-Id: I7054fc9df31d59bb0d42e02b1f359cf3e6c1a43d
New upstream release. Some minor tweaks needed, like switching from gzip to
pigz, updating icu4c, and ensuring it builds with the correct Rust version.
CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
CVE-2025-0238: Use-after-free when breaking lines in text
CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON
module
CVE-2025-0241: Memory corruption when using JavaScript Text
Segmentation
CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird
115.19, and Thunderbird 128.6
CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird
134, Firefox ESR 128.6, and Thunderbird 128.6
CVE-2025-0244: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0245: Lock screen setting bypass in Firefox Focus for Android
CVE-2025-0246: Address bar spoofing using an invalid protocol scheme
on Firefox for Android
CVE-2025-0247: Memory safety bugs fixed in Firefox 134 and Thunderbird
134
* gnu/packages/librewolf.scm (librewolf): Update to 134.0.1-1.
Change-Id: I027bf6f1541b0e7bec9116b2d6b39ab606813b23
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/librewolf.scm (make-librewolf-source): Take l10n package as an
arg.
Change-Id: I3c405edc07edb54e27afee16325c93a83d37ad79
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/patches/librewolf-use-system-wide-dir.patch: New file.
* gnu/local.mk (dist_patch_DATA): Regisiter it.
* gnu/packages/librewolf.scm (make-librewolf-source)[patches]: Add it along with
torbrowser-compare-paths.patch.
(librewolf)[native-search-paths]: Add ICECAT_SYSTEM_DIR.
Change-Id: I8609d25a7e2725ad94ab257d720326639eb06778
The context behind this change is that Firefox used to ship a
taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
line like this:
Exec=@MOZ_APP_NAME@ %u
The Guix package would use that file, replacing the token with the path
to the binary. Reported in #74648.
* gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open
URLs.
Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
Reviewed-by: André Batista <nandre@riseup.net>
Reviewed-by: Ian Eure <ian@retrospec.tv>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
New upstream version. Fixes CVEs:
CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation
on Android
CVE-2024-11692: Select list elements could be shown over another site
CVE-2024-11701: Misleading Address Bar State During Navigation
Interruption
CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing
Mode on Android
CVE-2024-11693: Download Protections were bypassed by .library-ms
files on Windows
CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility
Shims
CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and
Whitespace Characters
CVE-2024-11703: Password access without authentication via PIN bypass
on Android
CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
CVE-2024-11697: Improper Keypress Handling in Executable File
Confirmation Dialog
CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7
Decryption Handling
CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts
Transition on macOS
CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
CVE-2024-11708: Data race with PlaybackParams
CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR
128.5, and Thunderbird 128.5
* gnu/packages/librewolf.scm (librewolf): Update to 133.0-1.
Change-Id: I611505daf4d4f0940405190471f443d99102c2b9
Signed-off-by: Hilton Chain <hako@ultrarare.space>
New upstream version. The 132.0-2-1 release switches to the firefox-l10n
repository, necessitating rework of locale handling.
131.0.3-1 fixes CVEs:
CVE-2024-9936: Undefined behavior in selection node cache
132.0-1 fixes CVEs:
CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol
handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long
URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a
Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird
132, Firefox ESR 128.4, and Thunderbird 128.4
* gnu/packages/librewolf.scm (librewolf): Update to 132.0-1.
Change-Id: I4afbcb496a8b0a329254762259cd1598d574761e
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Updates the package and changes how the .desktop file is generated. The
.desktop file the package had been using was removed upstream.
Fixes:
CVE-2024-9391: Prevent users from exiting full-screen mode in Firefox Focus
for Android
CVE-2024-9392: Compromised content process can bypass site isolation
CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
CVE-2024-9394: Cross-origin access to JSON contents through multipart
responses
CVE-2024-9395: Specially crafted filename could be used to obscure download
type
CVE-2024-9396: Potential memory corruption may occur when cloning certain
objects
CVE-2024-9397: Potential directory upload bypass via clickjacking
CVE-2024-9398: External protocol handlers could be enumerated via popups
CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of
service
CVE-2024-9400: Potential memory corruption during JIT compilation
CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
CVE-2024-9403: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
CVE-2024-9680: Use-after-free in Animation timeline
* gnu/packages/librewolf.scm (%librewolf-build-id): Update.
(librewolf): Update to 131.0.2-1.
[arguments]<#:phases>: Adjust 'install-desktop-entry for new .desktop file.
Change-Id: I03f8a405c454a5bc3c8a1fc9f94d0ec9b41e92ec
Modified-by: Hilton Chain <hako@ultrarare.space>
Signed-off-by: Hilton Chain <hako@ultrarare.space>
This patch fixes a reported bug where context (right-click) menus contain many
duplicate and incorrect entries.
* gnu/packages/librewolf.scm (librewolf)
[phases] <neuter-genai>: Reinstate the genai browser component.
Change-Id: I288545ce80b9a7e854edfc26a7ffe43433303458
This patch changes the `librewolf-source' variable into the
`make-librewolf-source' prodecure.
This procedure accepts a LibreWolf version, source hash, and Firefox source
hash. The Firefox source version is derived from the provided LibreWolf
version.
This eases package updates, since the hashes are inside the `librewolf'
package, rather than `librewolf-source'; and the version no longer needs to be
specified in three places.
It also removes a blank line between the file header and `define-module'.
* gnu/packages/librewolf.scm (librewolf-source): Turn into a procedure.
Change-Id: I96ab1304acde246c179e7aa5dad9ff621be3de82
Signed-off-by: Andrew Tropin <andrew@trop.in>
This patch:
- Updates LibreWolf to the latest version
- Removes the code which disabled encoding_rs.patch from upstream. It’s no
longer in the repo, so the code did nothing, and the underlying issue (Guix
being stuck with an old Rust version) has been fixed.
- Integrates changes from #72265 with some slight tweaks. This should allow
LibreWolf to use accelerated video decoding on supported hardware.
- Neuters the GenAI chat feature, which direcly integrates with non-free
services, by excluding it from the build and locking the preferences which
would enable it.
Fixes:
CVE-2024-8385: WASM type confusion involving ArrayTypes
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
CVE-2024-8383: Firefox did not ask before openings news: links in an external application
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
* gnu/packages/librewolf.scm (librewolf): Update to 130.0.1-1.
Change-Id: I764e6e66c5bfdc14a87b7ea59c29780a1f16769a
Signed-off-by: Andrew Tropin <andrew@trop.in>
