nongnu: firefox: Update to 127.0 [security fixes].

Fixes CVE-2024-5687, CVE-2024-5688, CVE-2024-5689, CVE-2024-5690, CVE-2024-5691, CVE-2024-5692, CVE-2024-5693, CVE-2024-5694, CVE-2024-5695, CVE-2024-5696, CVE-2024-5697, CVE-2024-5698, CVE-2024-5699, CVE-2024-5700, CVE-2024-5701. Firefox 127 requires rust >= 1.76 which is currently not in upstream Guix. So lets bootstrap one. I took the liberty of adjusting the comment above rust-firefox-esr to use better link and properly explain why `rust' is used, since it did not really match the original wording. * nongnu/packages/mozilla.scm (firefox): Update to 127.0. (firefox-rust-1.76): New variable. (rust-firefox): Re-define to firefox-rust-1.76. Signed-off-by: Jonathan Brielmaier <jonathan.brielmaier@web.de>
2025-01-10 16:03:16 +01:00 · 2024-06-14 23:28:40 +02:00 · 2024-06-14 23:28:40 +02:00 · 8a0e6588ee
commit 8a0e6588ee
parent 82335c1bf5
1 changed files with 23 additions and 9 deletions
--- a/nongnu/packages/mozilla.scm
+++ b/nongnu/packages/mozilla.scm
@ -72,12 +72,26 @@
  #:use-module (gnu packages xdisorg)
  #:use-module (gnu packages xorg))

-;; Define the versions of rust needed to build firefox, trying to match
-;; upstream.  See the file taskcluster/ci/toolchain/rust.yml at
-;; https://searchfox.org under the particular firefox release, like
-;; mozilla-esr102.
-(define-public rust-firefox-esr rust) ; 1.60 is the default in Guix
-(define-public rust-firefox rust) ; 1.65 is the minimum
+(define firefox-rust-1.76
+  (let ((base-rust ((@@ (gnu packages rust) rust-bootstrapped-package)
+                    rust-1.75 "1.76.0"
+                    "08f06shp6l72qrv5fwg1is7yzr6kwj8av0l9h5k243bz781zyp4y")))
+    (package
+      (inherit base-rust)
+      ;; Need llvm >= 16.0
+      (inputs (modify-inputs (package-inputs base-rust)
+                             (replace "llvm" llvm-17))))))
+
+;;; Define the versions of rust needed to build firefox, trying to match
+;;; upstream.  See table at [0], `Uses' column for the specific version.
+;;; Using `rust' will likely lead to a newer version then listed in the table,
+;;; but since in Guix only the latest packaged Rust is officially supported,
+;;; it is a tradeoff worth making.
+;;; 0: https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
+(define-public rust-firefox-esr rust)
+;; The released official binary uses 1.77, but larger changes are required,
+;; and since 1.76 is supported as well, us it.
+(define-public rust-firefox firefox-rust-1.76)

 (define icu4c-73
  (package
@ -532,20 +546,20 @@ MOZ_ENABLE_WAYLAND=1 exec ~a $@\n"

 ;; Update this id with every firefox update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
-(define %firefox-build-id "20240527195430")
+(define %firefox-build-id "20240610130632")

 (define-public firefox
  (package
    (inherit firefox-esr)
    (name "firefox")
-    (version "126.0.1")
+    (version "127.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://archive.mozilla.org/pub/firefox/releases/"
                           version "/source/firefox-" version ".source.tar.xz"))
       (sha256
-        (base32 "0fr679rcwshwpfxidc55b2xsn4pmrr7p9ix4rr2mv2k7kwsjcc7n"))))
+        (base32 "08a3k7lr6z4gxn5rcjnwpimzcr1w2bm13bzxg0wm1jj6y2ghhsza"))))
    (arguments
     (substitute-keyword-arguments (package-arguments firefox-esr)
       ((#:phases phases)