authorMark H Weaver <mhw@netris.org>2016-10-10 23:15:32 -0400
committerMark H Weaver <mhw@netris.org>2016-10-11 12:59:26 -0400
commitbfb48f4f33583f58392a05f1d6cbf559156293ed (patch)
tree450023fcf5720c000268b6b64d4aa77356453cf7 /gnu/packages/gnuzilla.scm
parentb25f060fbde97bd4f9863c8521396639d53b8831 (diff)
gnu: icecat: Update to 45.3.0-gnu1-beta. Add fixes from Firefox ESR 45.4.0.
Includes fixes for CVE-2016-5250, CVE-2016-5257, CVE-2016-5261, CVE-2016-5270,
CVE-2016-5272, CVE-2016-5274, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278,
CVE-2016-5280, CVE-2016-5281, and CVE-2016-5284.

* gnu/packages/gnuzilla.scm (mozilla-patch): New procedure.
(icecat): Update to 45.3.0-gnu1.
[source]: Add alternate source URI for the beta release.  Update patches.
[inputs]: Replace 'sqlite' input with a customized sqlite with
SQLITE_ENABLE_DBSTAT_VTAB support.
[native-inputs]: Add 'which'.
* gnu/packages/patches/icecat-avoid-bundled-includes.patch: Rename to...
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch: ... and adapt
to version 45.
* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch,
gnu/packages/patches/icecat-CVE-2016-2819.patch,
gnu/packages/patches/icecat-CVE-2016-2821.patch,
gnu/packages/patches/icecat-CVE-2016-2824.patch,
gnu/packages/patches/icecat-CVE-2016-2828.patch,
gnu/packages/patches/icecat-CVE-2016-2831.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Update accordingly.
Diffstat (limited to 'gnu/packages/gnuzilla.scm')
-rw-r--r--gnu/packages/gnuzilla.scm109
1 files changed, 84 insertions, 25 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index e02efa9385..4927a516e2 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -28,6 +28,7 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
+  #:use-module (gnu packages base)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gstreamer)
@@ -290,38 +291,71 @@ PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
 standards.")
     (license license:mpl2.0)))
 
+(define (mozilla-patch file-name changeset hash)
+  "Return an origin for CHANGESET from the mozilla-esr45 repository."
+  (origin
+    (method url-fetch)
+    (uri (string-append "https://hg.mozilla.org/releases/mozilla-esr45/raw-rev/"
+                        changeset))
+    (sha256 (base32 hash))
+    (file-name file-name)))
+
 (define-public icecat
   (package
     (name "icecat")
-    (version "38.8.0-gnu2")
+    (version "45.3.0-gnu1-beta")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "mirror://gnu/gnuzilla/"
-                          version "/"
-                          name "-" version ".tar.bz2"))
+      (uri (list (string-append "mirror://gnu/gnuzilla/" version "/"
+                                name "-" version ".tar.bz2")
+                 ;; XXX Temporary URI for 45.3 beta release.
+                 ;;     Remove when no longer needed.
+                 (string-append "http://jenkins.trisquel.info/icecat/binaries/"
+                                "icecat-45.3.0-gnu1.tar.bz2")))
       (sha256
        (base32
-        "1yb7a1zsqpra9cgq8hrzrbm5v31drb9367cwvwiksz0ngqy342hb"))
-      (patches (search-patches
-                "icecat-avoid-bundled-includes.patch"
-                "icecat-CVE-2016-2818-pt1.patch"
-                "icecat-CVE-2016-2818-pt2.patch"
-                "icecat-CVE-2016-2818-pt3.patch"
-                "icecat-CVE-2016-2818-pt4.patch"
-                "icecat-CVE-2016-2818-pt5.patch"
-                "icecat-CVE-2016-2818-pt6.patch"
-                "icecat-CVE-2016-2818-pt7.patch"
-                "icecat-CVE-2016-2818-pt8.patch"
-                "icecat-CVE-2016-2818-pt9.patch"
-                "icecat-CVE-2016-2819.patch"
-                "icecat-CVE-2016-2821.patch"
-                "icecat-CVE-2016-2824.patch"
-                "icecat-CVE-2016-2828.patch"
-                "icecat-CVE-2016-2831.patch"))
+        "1hk5lwaqm8nkfm43sq521mzyrx0x3iiwvlcy62m7cq7grz9wixp6"))
+      (patches
+       `(,(search-patch "icecat-avoid-bundled-libraries.patch")
+         ,(mozilla-patch "icecat-CVE-2016-5250.patch"     "6711ccb0184e" "1p0s91rw1j7ib6hy9gh5p0l33rja32rfgygh29jw4wq1hxfql8rk")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt1.patch" "b08f28db372e" "0fmifimavawbff700rzjibsnr16am6902gp965scvi1iy78754ia")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt2.patch" "a49fd7eb57ba" "1dyh0pjdmf64sjbj1x0mdjwfispacx9yny1kx9nzpf85myryr640")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt3.patch" "9707c3423a1e" "12nn8av0akza4ml1is9mfy8f7368mrkxsl32ly97r4irzh0iryh1")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt4.patch" "9d632865560a" "1msp1wqv0c317wqkm82hd9ajbg4a5mcr8pld5j8cx37ccv7f21g3")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt5.patch" "90697781ec9f" "1h6gcrw5ykf7r59phxqkhpfs7jsgzqn509qm43sj7mbpcvqvk5mg")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt6.patch" "dd9eb81853b9" "1lyqnn40sayziych8gqd5aj7il3zajf318y8ddj8dzz3c8id5dzc")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt7.patch" "d91fc76079e0" "022lhixa8dxa6ny9a4bh2di282i0lhyq0glqr9n4q3r8msfmf0ba")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt8.patch" "3e37ba5e0867" "1w8lncxaayq4xndhyp1hwlv00zggbayljq6rlypb8kdwgzfpi77w")
+         ,(mozilla-patch "icecat-CVE-2016-5257-pt9.patch" "3c4958a98908" "16bc6ai5qddnpm3yw24lry5s7i05xs0ycixzxiir4wmcgwcaayiy")
+         ,(mozilla-patch "icecat-CVE-2016-5261.patch"     "bc2f5467b33d" "0i4b8ydmqg4blx541f56g9qrlm7gp6ih4cs7ixbds724cwk83b9f")
+         ,(mozilla-patch "icecat-CVE-2016-5270.patch"     "7cd50d56bb61" "15nbp5axr59mczxgf37nli37jbw0jdknmxz7z71772pzjd2z07r9")
+         ,(mozilla-patch "icecat-CVE-2016-5272.patch"     "6e43a01fee3c" "025xp1wdnz1gc5l2rsgbrwsh1pbysjiyfgz0g6rvr390r7ag1n74")
+         ,(mozilla-patch "icecat-CVE-2016-5274.patch"     "10c9453407de" "1wqh6hj0dpa7r3hhlyrflcv3r3cg0xq4rb0zvhysi6l7lwb8q51r")
+         ,(mozilla-patch "icecat-CVE-2016-5276.patch"     "fc818ab03f15" "1q64ipl172dcmyy9p8p3l3ljpdh1q1jg48lai0qn2xgknl7sdpks")
+         ,(mozilla-patch "icecat-CVE-2016-5277.patch"     "7b668c5cec92" "1qmchn6qifgjakzac6i4hgnivy062pzgz9p1l11c1m3an1rh0isg")
+         ,(mozilla-patch "icecat-CVE-2016-5278.patch"     "fd5052e343df" "1nzmzlnsz61w9aw4mjvgmlkz88aqv1w858rr0mbv07hwyrljfi84")
+         ,(mozilla-patch "icecat-CVE-2016-5280.patch"     "30673bc9730b" "1qz1684v1rp86ngadcaqd68iqf472flnrnk971ryg4fbsyy8g1za")
+         ,(mozilla-patch "icecat-CVE-2016-5281-pt1.patch" "61405f1fd1df" "1fgmq67arwsl1nrl133fcb5cz6jbbcfjvbv8cd8cadhapin971a7")
+         ,(mozilla-patch "icecat-CVE-2016-5281-pt2.patch" "7776b6ec7b92" "1f7k8f4lk7nyghwajsxf6nb7yvzsaw3jwpa3316znsva12m548mn")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt1.patch" "55e768767416" "1gg7m12njbkn1jqf2gp2y7zd9ik3xhqkjb7znczna4l438h7ki83")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt2.patch" "3c42249975a5" "0gnanndkmhsp49rldv4kh0smkdcs7616v46hn567kfw8yfwqvnli")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt3.patch" "126e5d574811" "13gr08bzqy23adz0ciihb7cy9wdnkcn71i77a3y5b5apm6k54mwi")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt4.patch" "7b8bd7aae1a8" "0mq5gpq6ni8czfcs1rif4is0igh0054aw41ga0jqkq58g7lavkrf")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt5.patch" "0799490f4e6f" "1ypv6i48nabbhcqbach8fbgz9bmnhm7q5z9dnfid44z8g54l3f33")
+         ,(mozilla-patch "icecat-CVE-2016-5284-pt6.patch" "fc990e4ae8bc" "1s2cj505ajwwiy4xvn5zlmyzqpgahxmqqvis0a6xm6mjbjh02gm4")
+         ,(mozilla-patch "icecat-bug-1251088.patch"       "5ffa912ed83e" "0v5lpv3c89c2d4y5acn0kyijv096axdnrvaj5ya5yypzfcaqxv24")
+         ,(mozilla-patch "icecat-bug-1292590.patch"       "d4b5b8f3e373" "0w8cxn6ryhgxryy8k8i06yw4mknv509ns9ff1avd0hmgxa83mcdp")
+         ,(mozilla-patch "icecat-bug-1298169.patch"       "adce603ae36d" "0mgs85cwx61bk17r7npl311l4m8yn4667wyhgjmm2ajiys6nn0yl")
+         ,(mozilla-patch "icecat-bug-1301496.patch"       "97268426bb6f" "1z7hg796cgag025gm9pp2szz7w870s7naagdri1dlsilj797v8hr")
+         ,(mozilla-patch "icecat-bug-1299519.patch"       "fc055950b6b8" "05iml5k3rzc653jk4imd111sh18625jxfxkcj12kjdihl0gdr4x4")
+         ,(mozilla-patch "icecat-bug-1303710.patch"       "6f845c23565b" "01dlbnmpsnwr448fajs276y62gl03r74k1hxnwsg6ihwhnfdvn5a")
+         ,(mozilla-patch "icecat-bug-1301343.patch"       "e5d51ca7a3c0" "0hshcz24hc6pkz5pcqxhajm17ibwrlfn1s00frfnpjjy56vacfz0")
+         ,(mozilla-patch "icecat-bug-1299686.patch"       "576f1725a57e" "1lic9d3r8r1vcniw1g3ca71390lw3dmwjsw55dp6z96hyjbcq3fd")))
       (modules '((guix build utils)))
       (snippet
        '(begin
+          (use-modules (ice-9 ftw))
           ;; Remove bundled libraries that we don't use, since they may
           ;; contain unpatched security flaws, they waste disk space and
           ;; network bandwidth, and may cause confusion.
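Review bot: The fallback source URI added under the `XXX Temporary URI` comment is plain `http://` and points at a Jenkins build directory, so the `sha256` that follows is the only thing authenticating that tarball, and the comment should say so. It also hard-codes `icecat-45.3.0-gnu1.tar.bz2` while `version` is `45.3.0-gnu1-beta`, so both URIs must serve identical bytes for the single hash to hold. I would extend the comment to `;; XXX Temporary http URI for the 45.3 beta; integrity rests solely on the sha256 below. Remove when no longer needed.` The `mozilla-patch` docstring could likewise state that HASH is the base32 sha256 of the fetched raw-rev content and FILE-NAME the name given to it, since CHANGESET is passed as an abbreviated id. The `icecat` definition and its snippet continue past the end of this hunk.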
@@ -358,6 +392,12 @@ standards.")
                       "gfx/cairo"
                       "js/src/ctypes/libffi"
                       "db/sqlite3"))
+          ;; Delete .pyc files, typically present in icecat source tarballs
+          (for-each delete-file (find-files "." "\\.pyc$"))
+          ;; Delete obj-* directories, found in icecat-45.3.0-gnu1-beta
+          (for-each delete-file-recursively
+                    (scandir "." (lambda (name)
+                                   (string-prefix? "obj-" name))))
           #t))))
     (build-system gnu-build-system)
     (inputs
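Review bot: The two new cleanup comments in the snippet say what is deleted but not why, and the reason is worth recording because `.pyc` files and `obj-*` directories are prebuilt artifacts shipped inside a source tarball. I would word them as `;; Delete prebuilt .pyc files shipped in the tarball; they are build products, not source.` and `;; Delete leftover obj-* build directories found in icecat-45.3.0-gnu1-beta.` The `scandir` result is a list of bare names handed to `delete-file-recursively`, so this relies on the snippet running at the top of the unpacked tree, which the `"."` argument suggests but the hunk does not show. The snippet begins before this hunk.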
@@ -391,7 +431,21 @@ standards.")
        ("mit-krb5" ,mit-krb5)
        ("nspr" ,nspr)
        ("nss" ,nss)
-       ("sqlite" ,sqlite)
+
+       ;; XXX Work around the fact that our 'sqlite' package was not built
+       ;;     with -DSQLITE_ENABLE_DBSTAT_VTAB.
+       ("sqlite" ,(package
+                    (inherit sqlite)
+                    (arguments
+                     `(#:configure-flags
+                       ;; Add -DSQLITE_SECURE_DELETE, -DSQLITE_ENABLE_UNLOCK_NOTIFY and
+                       ;; -DSQLITE_ENABLE_DBSTAT_VTAB to CFLAGS.  GNU Icecat will refuse
+                       ;; to use the system SQLite unless these options are enabled.
+                       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
+                                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
+                                            "-DSQLITE_ENABLE_DBSTAT_VTAB"))))))
+       ;;("sqlite" ,sqlite)
+
        ("startup-notification" ,startup-notification)
        ("unzip" ,unzip)
        ("yasm" ,yasm)
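Review bot: The inline `sqlite` variant sets `arguments` outright, so it replaces rather than extends whatever arguments the inherited `sqlite` package carries, and its CFLAGS list (including `-DSQLITE_SECURE_DELETE`) can silently diverge if that package's flags change later. The base package is not visible in this hunk, so whether other arguments are lost is something to confirm. I would record the coupling in the existing XXX comment, for example `;; XXX Keep this CFLAGS list in sync with 'sqlite'; drop the override once 'sqlite' itself is built with -DSQLITE_ENABLE_DBSTAT_VTAB.`, and delete the leftover commented-out `;;("sqlite" ,sqlite)` line. The `inputs` list starts and ends outside the hunk.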
@@ -401,7 +455,8 @@ standards.")
      `(("perl" ,perl)
        ("python" ,python-2) ; Python 3 not supported
        ("python2-pysqlite" ,python2-pysqlite)
-       ("pkg-config" ,pkg-config)))
+       ("pkg-config" ,pkg-config)
+       ("which" ,which)))
     (arguments
      `(#:tests? #f          ; no check target
        #:out-of-source? #t  ; must be built outside of the source directory
@@ -432,6 +487,11 @@ standards.")
                            "--disable-debug"
                            "--disable-debug-symbols"
 
+                           ;; Temporary hack to work around missing
+                           ;; "unofficial" branding in
+                           ;; icecat-45.3.0-gnu1-beta.
+                           "--enable-official-branding"
+
                            ;; Avoid bundled libraries.
                            "--with-system-zlib"
                            "--with-system-bz2"
@@ -597,5 +657,4 @@ features built-in privacy-protecting features.")
     (properties
      `((ftp-directory . "/gnu/gnuzilla")
        (cpe-name . "firefox_esr")
-       (cpe-version . ,(string-drop-right version
-                                          (string-length "-gnu1")))))))
+       (cpe-version . ,(first (string-split version #\-)))))))
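Review bot: The new `cpe-version` expression calls `first`, which comes from `(srfi srfi-1)`, and no import of that module is visible in this diff; if the file does not already use it, `(car (string-split version #\-))` gives the same result without the dependency. For `45.3.0-gnu1-beta` this yields `45.3.0`, which is presumably what CVE matching against `firefox_esr` will use even though fixes from ESR 45.4.0 are applied as patches. A short comment such as `;; Upstream version only; the -gnuN[-beta] suffix is not part of the CPE version.` would make that intent explicit. The enclosing `icecat` definition starts outside this hunk.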