From 77c0a35af24f3bc7c3eda7292225a3052f0d2ebd Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 1 Nov 2021 16:52:40 -0400 Subject: gnu: icecat: Add system fonts directory to the sandbox whitelist. Mitigates . * gnu/packages/gnuzilla.scm (icecat)[arguments]: In the 'build-sandbox-whitelist' phase, add "/run/current-system/profile/share/fonts/" to the whitelist. --- gnu/packages/gnuzilla.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/packages/gnuzilla.scm') diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 3aa39bc806..a1f6b5738a 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -1138,6 +1138,7 @@ in C/C++.") "/share/mime") ,(string-append (assoc-ref inputs "font-dejavu") "/share/fonts") + "/run/current-system/profile/share/fonts" ,@(append-map runpaths-of-input '("mesa" "ffmpeg")))))) (whitelist-string (string-join whitelist ",")) -- cgit v1.2.3 From f3b3f23493bb106366716eb7ea22c92a31c900a0 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 1 Nov 2021 15:05:34 -0400 Subject: gnu: icecat: Update to 91.3.0-guix0-preview1 [security fixes]. Includes fixes for CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, MOZ-2021-0007, and MOZ-2021-0008. * gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update. (icecat-source): Update gnuzilla commit, base version, and hashes. --- gnu/packages/gnuzilla.scm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'gnu/packages/gnuzilla.scm') diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index a1f6b5738a..2b176f1dfe 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -690,8 +690,8 @@ in C/C++.") ;; XXXX: Workaround 'snippet' limitations. (define computed-origin-method (@@ (guix packages) computed-origin-method)) -(define %icecat-version "91.2.0-guix0-preview1") -(define %icecat-build-id "20211006000000") ;must be of the form YYYYMMDDhhmmss +(define %icecat-version "91.3.0-guix0-preview1") +(define %icecat-build-id "20211102000000") ;must be of the form YYYYMMDDhhmmss ;; 'icecat-source' is a "computed" origin that generates an IceCat tarball ;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat' @@ -713,11 +713,11 @@ in C/C++.") "firefox-" upstream-firefox-version ".source.tar.xz")) (sha256 (base32 - "1hs2bvzl0d4kfir3gq997kwxm90ygapqn6xlw47cihnh479wzwry")))) + "0v79c435vfbhsx7pqyq4jm5rv8iysig69wwqhvys1n0jy54m72qj")))) - (upstream-icecat-base-version "91.2.0") ; maybe older than base-version + (upstream-icecat-base-version "91.3.0") ; maybe older than base-version ;;(gnuzilla-commit (string-append "v" upstream-icecat-base-version)) - (gnuzilla-commit "1537880dac3087d3779543303f0df83432831166") + (gnuzilla-commit "32631cac00953abbac61dc7ab1a0eafbdd59b53a") (gnuzilla-source (origin (method git-fetch) @@ -729,7 +729,7 @@ in C/C++.") (string-take gnuzilla-commit 8))) (sha256 (base32 - "16r42hp05qmiifw8ym89328w5b4flp3hngpjwbrzgq23q1qmixa9")))) + "13ckga49h5azf0c6q3c6b6wcmahzyywryxgwmwr1dahsjgy0wwrw")))) ;; 'search-patch' returns either a valid file name or #f, so wrap it ;; in 'assume-valid-file-name' to avoid 'local-file' warnings. -- cgit v1.2.3