04/04: gnu: librewolf: Update to 148.0-1 [security-fixes].

Sat, 28 Feb 2026 19:29:06 -0800 

guix_mirror_bot pushed a commit to branch master
in repository guix.

commit cf27ff3da3c9da11f8fe5f242165e7e8030a644f
Author: moksh <[email protected]>
AuthorDate: Wed Feb 25 02:13:49 2026 +0530

    gnu: librewolf: Update to 148.0-1 [security-fixes].
    
    * gnu/packages/librewolf.scm (librewolf): Update to 148.0-1.
    [native-inputs]: Use clang-21 and llvm-21.
    
    Containes fixes for:
    CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video 
component
    CVE-2026-2794: Information disclosure due to uninitialized memory in 
Firefox and Firefox Focus for Android
    CVE-2026-2758: Use-after-free in the JavaScript: GC component
    CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib 
component
    CVE-2026-2795: Use-after-free in the JavaScript: GC component
    CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the 
Graphics: WebRender component
    CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
    CVE-2026-2762: Integer overflow in the JavaScript: Standard Library 
component
    CVE-2026-2763: Use-after-free in the JavaScript Engine component
    CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: 
JIT component
    CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component
    CVE-2026-2797: Use-after-free in the JavaScript: GC component
    CVE-2026-2765: Use-after-free in the JavaScript Engine component
    CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
    CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
    CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
    CVE-2026-2798: Use-after-free in the DOM: Core & HTML component
    CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
    CVE-2026-2799: Use-after-free in the DOM: Core & HTML component
    CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
    CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component
    CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
    CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
    CVE-2026-2774: Integer overflow in the Audio/Video component
    CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
    CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the 
Telemetry component in External Software
    CVE-2026-2777: Privilege escalation in the Messaging System component
    CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the 
DOM: Core & HTML component
    CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR 
component
    CVE-2026-2800: Spoofing issue in the WebAuthn component in Firefox for 
Android
    CVE-2026-2780: Privilege escalation in the Netmonitor component
    CVE-2026-2781: Integer overflow in the Libraries component in NSS
    CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly 
component
    CVE-2026-2782: Privilege escalation in the Netmonitor component
    CVE-2026-2783: Information disclosure due to JIT miscompilation in the 
JavaScript Engine: JIT component
    CVE-2026-2802: Race condition in the JavaScript: GC component
    CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI 
component
    CVE-2026-2784: Mitigation bypass in the DOM: Security component
    CVE-2026-2785: Invalid pointer in the JavaScript Engine component
    CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component
    CVE-2026-2786: Use-after-free in the JavaScript Engine component
    CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component
    CVE-2026-2787: Use-after-free in the DOM: Window and Location component
    CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP 
component
    CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
    CVE-2026-2806: Uninitialized memory in the Graphics: Text component
    CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
    CVE-2026-2791: Mitigation bypass in the Networking: Cache component
    CVE-2026-2807: Memory safety bugs fixed in Firefox 148 and Thunderbird 148
    CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird 
ESR 140.8, Firefox 148 and Thunderbird
    CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 
140.8, Thunderbird ESR 140.8, Firefox
    
    Change-Id: I3baa7dee1c8667e8a6fc04e0112c1fddb8ed7d81
    Signed-off-by: Ian Eure <[email protected]>
---
 gnu/packages/librewolf.scm | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 088dad679e..8e1cbc19ef 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -24,6 +24,7 @@
 ;;; Copyright © 2023, 2024, 2025 Ian Eure <[email protected]>
 ;;; Copyright © 2024 Remco van 't Veer <[email protected]>
 ;;; Copyright © 2024 Ashvith Shetty <[email protected]>
+;;; Copyright © 2025, 2026 Untrusem <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -220,6 +221,7 @@
                      "media/libwebp"
                      "modules/zlib"))))))
 
+;; Needed for the .desktop.in file used in librewolf's 'install-desktop-entry
 (define librewolf-bsys6
   (let ((commit "274e39ee40592f8bc6ca5d4ee699ec74aeeab983"))
     (origin
@@ -230,29 +232,29 @@
       (file-name (git-file-name "librewolf-bsys6" commit))
       (sha256 (base32 
"15a2j1r5xrxvb9vr55138canwaj44nswzsfjsvsjspwnirgrn91z")))))
 
-;;; Define the versions of rust needed to build firefox, trying to match
+;;; Define the versions of rust needed to build Firefox, trying to match
 ;;; upstream.  See table at [0], `Uses' column for the specific version.
 ;;; Using `rust' will likely lead to a newer version then listed in the table,
 ;;; but since in Guix only the latest packaged Rust is officially supported,
 ;;; it is a tradeoff worth making.
 ;;; 0: 
https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html
-(define rust-librewolf rust)
+(define rust-librewolf rust-1.92)
 
 ;; Update this id with every update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
 ;; ex: date '+%Y%m%d%H%M%S'
 ;; or: (format-time-string "%Y%m%d%H%M%S")
-(define %librewolf-build-id "20260217231334")
+(define %librewolf-build-id "20260228165433")
 
 (define-public librewolf
   (package
     (name "librewolf")
-    (version "147.0.4-1")
+    (version "148.0-1")
     (source
      (make-librewolf-source
       #:version version
-      #:firefox-hash "1xwl5vc7504gx15yj0kvrxn3k250sja22d8j6dyrhxxican441xw"
-      #:librewolf-hash "079i6xhsyimvrp302zy0h2phfykg881nvwri0wwi9hkk7p49imy5"
+      #:firefox-hash "0vybaiiknrzk2zvg46w5sxb0i0m9rmy4msvpxklxpdr3182fb4zc"
+      #:librewolf-hash "02sraza4xy4cp559nlc51m1vwhi52l58i3zz2h95lwymyvc5hv17"
       #:l10n firefox-l10n))
     (build-system gnu-build-system)
     (arguments
@@ -675,18 +677,18 @@
      (list
       alsa-lib
       autoconf-2.13
-      `(,rust-librewolf "cargo")
-      clang-18
+      clang-21
       librewolf-bsys6
-      llvm-18
+      llvm-21
       m4
       nasm
       node-lts
       perl
       pkg-config
       python
-      rust-librewolf
       rust-cbindgen-0.29
+      rust-librewolf
+      `(,rust-librewolf "cargo")
       which
       yasm))
     (native-search-paths

Reply via email to