mirror of
https://https.git.savannah.gnu.org/git/guix.git/
synced 2025-07-12 01:50:46 +02:00
f718e0e5e0
Contains fixes for:
CVE-2025-2817: Privilege escalation in Firefox Updater
CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for
macOS
CVE-2025-4083: Process isolation bypass using "javascript:" URI links
in cross-origin frames
CVE-2025-4085: Potential information leakage and privilege escalation
in UITour actor
CVE-2025-4086: Specially crafted filename could be used to obscure
download type
CVE-2025-4087: Unsafe attribute access during XPath parsing
CVE-2025-4088: Cross-site request forgery via storage access API
redirects
CVE-2025-4089: Potential local code execution in "copy as cURL"
command
CVE-2025-4090: Leaked library paths in Firefox for Android
CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10
CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird
138
* gnu/packages/librewolf.scm (librewolf): Update to 138.0.3-1.
* gnu/packages/patches/librewolf-compare-paths.patch: New file.
Change-Id: I2cc11b758dbc77f7ec3451faa89918b08c890729
15 lines
639 B
Diff
15 lines
639 B
Diff
See comment in gnu/build/icecat-extension.scm.
|
|
This is only needed while icecat and torbrowser remain on
|
|
different ESR versions as the patched file has changed its
|
|
name.
|
|
|
|
--- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
|
|
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
|
|
@@ -3753,6 +3753,7 @@
|
|
if (
|
|
newAddon ||
|
|
oldAddon.updateDate != xpiState.mtime ||
|
|
+ oldAddon.path != xpiState.path ||
|
|
(aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
|
|
// update addon metadata if the addon in bundled into
|
|
// the omni jar and version or the resource URI pointing
|