nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
Andreas Rammhold 246d2848ff
firefox-esr-60: 60.2.1 -> 60.2.2 [critical security fixes]
This update bumps the package to the latest stable version containing a
few security fixes:

- CVE-2018-12386: Type confusion in JavaScript
  A vulnerability in register allocation in JavaScript can lead to type
  confusion, allowing for an arbitrary read and write. This leads to
  remote code execution inside the sandboxed content process when
  triggered.

- CVE-2018-12387
  A vulnerability where the JavaScript JIT compiler inlines
  Array.prototype.push with multiple arguments that results in the stack
  pointer being off by 8 bytes after a bailout. This leaks a memory
  address to the calling function which can be used as part of an
  exploit inside the sandboxed content process.

Source: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/
2018-10-03 09:51:13 +02:00


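# Firefox-family package set. Every variant below is built through `common`;
# this file only supplies the per-variant version, source, hashes and patches.
{ lib, callPackage, stdenv, fetchurl, fetchFromGitHub, fetchpatch, python3 }:
let
# Builds one browser variant: imports ./common.nix with the given options and
# hands the result to callPackage.
common = opts: callPackage (import ./common.nix opts);
# Local patches that every variant in this file includes in its `patches`.
nixpkgsPatches = [
./env_var_for_system_dir.patch
];
# Third-party patch downloaded from Fedora's package repository; it is applied
# to firefox-esr-60 on aarch64 only. The URL embeds a 40-hex revision id and
# the sha256 pins the patch content, so a change on the remote side makes the
# fetch fail instead of silently changing what is applied to the browser.
firefox60_aarch64_skia_patch = fetchpatch {
name = "aarch64-skia.patch";
# Written as a quoted string: bare URL literals are deprecated in Nix.
url = "https://src.fedoraproject.org/rpms/firefox/raw/8cff86d95da3190272d1beddd45b41de3148f8ef/f/build-aarch64-skia.patch";
sha256 = "11acb0ms4jrswp7268nm2p8g8l4lv8zc666a5bqjbb09x9k6b78k";
};
in
rec {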
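# Current Firefox release, built from Mozilla's source tarball.
firefox = common rec {
pname = "firefox";
# `version` is interpolated into the source URL below, so a version bump must
# always be accompanied by the sha512 of the new tarball.
version = "62.0.3";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
# Integrity pin for the tarball. The download comes from a mirror, so this
# hash is what ties the build to one specific source archive.
sha512 = "0kvb664s47bmmdq2ppjsnyqy8yaiig1xj81r25s36c3i8igfq3zxvws10k2dlmmmrwyc5k4g9i9imgkxj7r3xwwqxc72dl429wvfys8";
};
patches = nixpkgsPatches ++ [
./no-buildconfig.patch
];
extraNativeBuildInputs = [ python3 ];
# firefox-esr-52 and firefox-esr-60 extend this set via `firefox.meta // { ... }`.
meta = {
description = "A web browser built from Firefox source tree";
# Written as a quoted string: bare URL literals are deprecated in Nix.
homepage = "http://www.mozilla.com/en-US/firefox/";
maintainers = with lib.maintainers; [ eelco ];
platforms = lib.platforms.unix;
license = lib.licenses.mpl20;
};
# Handed to ./update.nix (not shown here) together with the attribute path
# this entry is exposed under.
updateScript = callPackage ./update.nix {
attrPath = "firefox-unwrapped";
};
} {};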
# Firefox ESR 52 series. Kept in the set but flagged through
# meta.knownVulnerabilities below.
firefox-esr-52 = common rec {
pname = "firefox-esr";
version = "52.9.0esr";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
# Integrity pin for the tarball (hex-encoded here; other entries in this file
# use Nix's base32 form).
sha512 = "bfca42668ca78a12a9fb56368f4aae5334b1f7a71966fbba4c32b9c5e6597aac79a6e340ac3966779d2d5563eb47c054ab33cc40bfb7306172138ccbd3adb2b9";
};
patches = nixpkgsPatches ++ [
# this one is actually an omnipresent bug
# https://bugzilla.mozilla.org/show_bug.cgi?id=1444519
./fix-pa-context-connect-retval.patch
];
# Inherits firefox.meta and overrides the description.
meta = firefox.meta // {
description = "A web browser built from Firefox Extended Support Release source tree";
# A non-empty knownVulnerabilities list marks the package as insecure:
# nixpkgs refuses to evaluate it unless the user explicitly permits
# insecure packages. The string is shown to the user as the reason.
knownVulnerabilities = [ "Support ended in August 2018." ];
};
# Handed to ./update.nix (not shown here); versionSuffix matches the "esr"
# suffix carried by `version`.
updateScript = callPackage ./update.nix {
attrPath = "firefox-esr-52-unwrapped";
versionSuffix = "esr";
};
} {};
# Firefox ESR 60 series. Unlike firefox-esr-52, its meta carries no
# knownVulnerabilities entry.
firefox-esr-60 = common rec {
pname = "firefox-esr";
# `version` is interpolated into the source URL below, so a version bump must
# always be accompanied by the sha512 of the new tarball.
version = "60.2.2esr";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
# Integrity pin for the tarball. The download comes from a mirror, so this
# hash is what ties the build to one specific source archive.
sha512 = "2h2naaxx4lv90bjpcrsma4sdhl4mvsisx3zi09vakjwv2lad91gy41cmcpqprpcbsmlvpqf8yiv52ah4d02a8d9335xhw2ajw6asjc1";
};
patches = nixpkgsPatches ++ [
./no-buildconfig.patch
# this one is actually an omnipresent bug
# https://bugzilla.mozilla.org/show_bug.cgi?id=1444519
./fix-pa-context-connect-retval.patch
# The externally fetched skia patch (defined in the `let` block at the top of
# this file) is appended only when building for aarch64.
] ++ lib.optional stdenv.isAarch64 firefox60_aarch64_skia_patch;
# Inherits firefox.meta and overrides the description.
meta = firefox.meta // {
description = "A web browser built from Firefox Extended Support Release source tree";
};
# Handed to ./update.nix (not shown here); versionSuffix matches the "esr"
# suffix carried by `version`.
updateScript = callPackage ./update.nix {
attrPath = "firefox-esr-60-unwrapped";
versionSuffix = "esr";
};
} {};
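} // (let
# Attributes shared by the tor-browser variants below. Each variant is written
# as `rec { ... } // commonAttrs`, so a value defined here wins over a
# same-named attribute set in the variant.
commonAttrs = {
overrides = {
# Custom unpack step: copies the fetched tree into a short, writable
# directory and sets every file's mtime to one fixed date. The in-script
# comment ties the fixed date to xpi archives -- presumably so the archive
# timestamps do not vary between builds; TODO confirm.
unpackPhase = ''
# fetchFromGitHub produces ro sources, root dir gets a name that
# is too long for shebangs. fixing
cp -a $src tor-browser
chmod -R +w tor-browser
cd tor-browser
# set times for xpi archives
find . -exec touch -d'2010-01-01 00:00' {} \;
'';
};
meta = {
description = "A web browser built from TorBrowser source tree";
# The text below documents two operational hazards users should know about:
# the build can pick up the default Firefox profile, and its binary clashes
# with the firefox binary when both are installed.
longDescription = ''
This is a version of TorBrowser with bundle-related patches
reverted.
I.e. it's a variant of Firefox with less fingerprinting and
some isolation features you can't get with any extensions.
Or, alternatively, a variant of TorBrowser that works like any
other UNIX program and doesn't expect you to run it from a
bundle.
It will use your default Firefox profile if you're not careful
even! Be careful!
It will clash with firefox binary if you install both. But it
should not be a problem because you should run browsers in
separate users/VMs anyway.
Create new profile by starting it as
$ firefox -ProfileManager
and then configure it to use your tor instance.
Or just use `tor-browser-bundle` package that packs this
`tor-browser` back into a sanely-built bundle.
'';
# Written as a quoted string: bare URL literals are deprecated in Nix.
homepage = "https://www.torproject.org/projects/torbrowser.html";
platforms = lib.platforms.linux;
license = lib.licenses.bsd3;
};
};
in rec {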
# Tor Browser 7.5 series, built from source and merged with commonAttrs.
tor-browser-7-5 = common (rec {
pname = "tor-browser";
version = "7.5.6";
isTorBrowserLike = true;
# FIXME: fetchFromGitHub is not ideal, unpacked source is >900Mb
# The source is the SLNOS/tor-browser repository on GitHub, pinned by a full
# commit hash (`rev`) and by the sha256 of the fetched tree; the branch name
# in the comment below is informational only.
src = fetchFromGitHub {
owner = "SLNOS";
repo = "tor-browser";
# branch "tor-browser-52.9.0esr-7.5-2-slnos"
# NOTE(review): the branch name indicates a 52.9.0esr base, the ESR line that
# firefox-esr-52 in this file marks with knownVulnerabilities ("Support ended
# in August 2018."). This attribute carries no such marker -- confirm whether
# it should.
rev = "95bb92d552876a1f4260edf68fda5faa3eb36ad8";
sha256 = "1ykn3yg4s36g2cpzxbz7s995c33ij8kgyvghx38z4i8siaqxdddy";
};
# Only the patches shared by every variant in this file; no variant-specific ones.
patches = nixpkgsPatches;
} // commonAttrs) {};
# Tor Browser 8.0 series, built from source and merged with commonAttrs.
tor-browser-8-0 = common (rec {
pname = "tor-browser";
version = "8.0.1";
isTorBrowserLike = true;
# FIXME: fetchFromGitHub is not ideal, unpacked source is >900Mb
# The source is the SLNOS/tor-browser repository on GitHub, pinned by a full
# commit hash (`rev`) and by the sha256 of the fetched tree; the branch name
# in the comment below is informational only.
src = fetchFromGitHub {
owner = "SLNOS";
repo = "tor-browser";
# branch "tor-browser-52.8.0esr-8.0-1-slnos";
# NOTE(review): this branch name mentions 52.8.0esr, which is older than the
# 52.9.0esr named for tor-browser-7-5 -- confirm the comment matches `rev`.
rev = "5d7e9e1cacbf70840f8f1a9aafe99f354f9ad0ca";
sha256 = "0cwxwwc4m7331bbp3id694ffwxar0j5kfpgpn9l1z36rmgv92n21";
};
# Only the patches shared by every variant in this file; no variant-specific ones.
patches = nixpkgsPatches;
} // commonAttrs) {};
# Unversioned alias. NOTE(review): it resolves to the 7.5 series although
# tor-browser-8-0 is defined above -- confirm this default is intentional.
tor-browser = tor-browser-7-5;
})