Unverified Commit 84952fc2 authored by Vladimír Čunát's avatar Vladimír Čunát

Merge #30143: firefox-*: critical security updates

parents 15b7e102 821e3c29
+14 −2
@@ -8,8 +8,7 @@
, yasm, mesa, sqlite, unzip, makeWrapper
, hunspell, libevent, libstartup_notification, libvpx
, cairo, icu, libpng, jemalloc
, autoconf213, which, gnused, cargo, rustc

, autoconf213, which, gnused, cargo, rustc, llvmPackages
, debugBuild ? false

### optionals
@@ -50,6 +49,7 @@ assert stdenv.cc ? libc && stdenv.cc.libc != null;

let
  flag = tf: x: [(if tf then "--enable-${x}" else "--disable-${x}")];
  gcc = if stdenv.cc.isGNU then stdenv.cc.cc else stdenv.cc.cc.gcc;
in

stdenv.mkDerivation (rec {
@@ -74,6 +74,8 @@ stdenv.mkDerivation (rec {
  ++ lib.optionals ffmpegSupport [ gstreamer gst-plugins-base ]
  ++ lib.optional  gtk3Support gtk3;

  NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss";

  nativeBuildInputs =
    [ autoconf213 which gnused pkgconfig perl python cargo rustc ]
    ++ lib.optional gtk3Support wrapGAppsHook;
@@ -88,6 +90,12 @@ stdenv.mkDerivation (rec {
    make -f client.mk configure-files

    configureScript="$(realpath ./configure)"

    cxxLib=$( echo -n ${gcc}/include/c++/* )
    archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )

    test -f layout/style/ServoBindings.toml && sed -i -e '/"-DMOZ_STYLO"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml

    cd obj-*
  '' + lib.optionalString googleAPISupport ''
    # Google API key used by Chromium and Firefox.
@@ -120,6 +128,10 @@ stdenv.mkDerivation (rec {
    "--disable-gconf"
    "--enable-default-toolkit=cairo-gtk${if gtk3Support then "3" else "2"}"
  ]
  ++ lib.optionals (stdenv.lib.versionAtLeast version "56") [
    "--with-libclang-path=${llvmPackages.clang-unwrapped}/lib"
    "--with-clang-path=${llvmPackages.clang}/bin/clang"
  ]

  # TorBrowser patches these
  ++ lib.optionals (!isTorBrowserLike) [
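Review bot: `cxxLib=$( echo -n ${gcc}/include/c++/* )` in the configure-phase additions uses whatever the glob expands to without checking it. If the directory holds more than one entry, or none (the pattern then stays literal), `$cxxLib` and the derived `$archLib` are not valid include directories, yet the `sed` still writes them into `layout/style/ServoBindings.toml`. The mistake would then presumably only surface later in the build rather than at this step. A guard right after the assignment would fail early, e.g. `test -d "$cxxLib" || { echo "unexpected libstdc++ layout: $cxxLib" >&2; exit 1; }`, and quoting the two expansions inside the `sed` expression would rule out word splitting. The enclosing shell string starts and ends outside the hunk.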
+4 −4
@@ -6,10 +6,10 @@ rec {

  firefox = common rec {
    pname = "firefox";
    version = "55.0.3";
    version = "56.0.1";
    src = fetchurl {
      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
      sha512 = "3cacc87b97871f3a8c5e97c17ef7025079cb5c81f32377d9402cdad45815ac6c4c4762c79187f1e477910161c2377c42d41de62a50b6741d5d7c1cd70e8c6416";
      sha512 = "6a07de6bfb71ccdef04b0f2ced720e309d037dd89fe983178ac59ea972147360552e2b8e33d8caa476008cabf53a99003807b0e817150b7a39e0bc143d82b88f";
    };

    patches =
@@ -32,10 +32,10 @@ rec {

  firefox-esr = common rec {
    pname = "firefox-esr";
    version = "52.3.0esr";
    version = "52.4.0esr";
    src = fetchurl {
      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
      sha512 = "36da8f14b50334e36fca06e09f15583101cadd10e510268255587ea9b09b1fea918da034d6f1d439ab8c34612f6cebc409a0b8d812dddb3f997afebe64d09fe9";
      sha512 = "be3be7f9dbf4bd0344d5d76f26d1a5090bb012154d25833d5cd58e5e707c080515b42ed751e1f7e58b15b96939d7da634cafb6e8aa9bb1627ff420836b802183";
    };

    meta = firefox.meta // {
+14 −0
args @ { stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:
let
  keywordFix = fetchurl {
    url = "http://bugs.icu-project.org/trac/changeset/39484?format=diff";
    name = "icu-changeset-39484.diff";
    sha256 = "0hxhpgydalyxacaaxlmaddc1sjwh65rsnpmg0j414mnblq74vmm8";
  };
in
import ./base.nix {
  version = "58.2";
  sha256 = "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib";
  patches = [ keywordFix ];
  patchFlags = "-p4";
} args
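Review bot: The `keywordFix` fetch was moved into this new file without the two comment lines that accompanied it in the old base file, so the reason for the patch and the condition for dropping it are no longer recorded next to it. I would carry them over directly above `keywordFix = fetchurl {`: `# this patch should no longer be needed in 58.3` and `# https://bugs.gentoo.org/show_bug.cgi?id=599142#c14`. The patch URL is plain `http://` on a Trac `?format=diff` endpoint; the pinned `sha256` should make a modified download fail the build, but a short comment saying that the hash is the only integrity check here would help whoever next updates it.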
+4 −0
import ./base.nix {
  version = "59.1";
  sha256 = "1zkmbg2932ggvpgjp8pys0cj6z8bw087y8858009shkrjfpzscki";
}
+3 −13
{ version, sha256, patches ? [], patchFlags ? "" }:
{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:

let
  pname = "icu4c";
  version = "58.2";

  # this patch should no longer be needed in 58.3
  # https://bugs.gentoo.org/show_bug.cgi?id=599142#c14
  keywordFix = fetchurl {
    url = "http://bugs.icu-project.org/trac/changeset/39484?format=diff";
    name = "icu-changeset-39484.diff";
    sha256 = "0hxhpgydalyxacaaxlmaddc1sjwh65rsnpmg0j414mnblq74vmm8";
  };
in
stdenv.mkDerivation {
  name = pname + "-" + version;
@@ -18,7 +10,7 @@ stdenv.mkDerivation {
  src = fetchurl {
    url = "http://download.icu-project.org/files/${pname}/${version}/${pname}-"
      + (stdenv.lib.replaceChars ["."] ["_"] version) + "-src.tgz";
    sha256 = "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib";
    inherit sha256;
  };

  outputs = [ "out" "dev" ];
@@ -33,9 +25,7 @@ stdenv.mkDerivation {
    echo Source root reset to ''${sourceRoot}
  '';

  patchFlags = "-p4";

  patches = [ keywordFix ];
  inherit patchFlags patches;

  preConfigure = ''
    sed -i -e "s|/bin/sh|${stdenv.shell}|" configure
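Review bot: The new header `{ version, sha256, patches ? [], patchFlags ? "" }:` is undocumented, and its empty-string default for `patchFlags` is passed on through `inherit patchFlags patches;`. A version file that supplies no patches (as the 59.1 one on this page does) therefore sets `patchFlags = ""` instead of leaving it unset. That presumably still resolves to the stdenv default strip level, but it depends on the builder treating an empty value as unset. A comment above the header would make the contract explicit, e.g. `# version/sha256: upstream release and source hash; patches/patchFlags: optional per-version fixes ("" keeps the stdenv default)`. It should also say that the file is called in two stages: first with these per-version arguments, then with the package arguments.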