From f79703e50c645b3193f338d7058d5d8ac8f3cb9a Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Wed, 7 Oct 2020 13:39:57 +0200
Subject: [PATCH 1/2] chromium: 85.0.4183.121 -> 86.0.4240.75

https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
This update includes 35 security fixes. CVEs:
CVE-2020-15967 CVE-2020-15968 CVE-2020-15969 CVE-2020-15970 CVE-2020-15971 CVE-2020-15972 CVE-2020-15990 CVE-2020-15991 CVE-2020-15973 CVE-2020-15974 CVE-2020-15975 CVE-2020-15976 CVE-2020-6557 CVE-2020-15977 CVE-2020-15978 CVE-2020-15979 CVE-2020-15980 CVE-2020-15981 CVE-2020-15982 CVE-2020-15983 CVE-2020-15984 CVE-2020-15985 CVE-2020-15986 CVE-2020-15987 CVE-2020-15992 CVE-2020-15988 CVE-2020-15989
---
 .../networking/browsers/chromium/common.nix | 24 +++-----
 .../networking/browsers/chromium/default.nix | 15 +----
 .../patches/nix_plugin_paths_68.patch | 61 -------------------
 .../browsers/chromium/upstream-info.json | 18 +++---
 4 files changed, 19 insertions(+), 99 deletions(-)
 delete mode 100644 pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch

diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index a79a48fffcc5..af2d27342f85 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -13,7 +13,6 @@
 , bison, gperf
 , glib, gtk3, dbus-glib
 , glibc
-, xorg
 , libXScrnSaver, libXcursor, libXtst, libGLU, libGL
 , protobuf, speechd, libXdamage, cups
 , ffmpeg_3, libxslt, libxml2, at-spi2-core
@@ -131,7 +130,6 @@ let
     ninja which python2Packages.python perl pkgconfig python2Packages.ply python2Packages.jinja2 nodejs gnutar python2Packages.setuptools
-    (xorg.xcbproto.override { python = python2Packages.python; })
   ];
 
   buildInputs = defaultDependencies ++ [
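Review bot: Removing `xorg` from the function arguments in the `@@ -13` hunk is only safe if the `${xorg.xcbproto}` substitution dropped in the `@@ -195` hunk was the last reference to `xorg` in common.nix; any other `xorg.` use outside the shown hunks would now fail at evaluation time as an undefined variable, so that is worth a grep before merge. The `@@ -131` hunk removes the matching `xorg.xcbproto.override` native input, which is consistent with the argument removal. Both the argument list and the nativeBuildInputs list continue outside their hunks.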
@@ -150,9 +148,7 @@ let
     ++ optional pulseSupport libpulseaudio
     ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ];
 
-  patches = optionals (versionRange "68" "86") [
-    ./patches/nix_plugin_paths_68.patch
-  ] ++ [
+  patches = [
     ./patches/remove-webp-include-69.patch
     ./patches/no-build-timestamps.patch
     ./patches/widevine-79.patch
@@ -166,18 +162,19 @@ let
   #
   # ++ optionals (channel == "dev") [ ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) ]
   # ++ optional (versionRange "68" "72") ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" )
-  ] ++ optionals (useVaapi && versionRange "68" "86") [ # Improvements for the VA-API build:
-    ./patches/enable-vdpau-support-for-nvidia.patch # https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
-    ./patches/enable-video-acceleration-on-linux.patch # Can be controlled at runtime (i.e. without rebuilding Chromium)
-  ];
+  ]; # TODO: VA-API patches (we should be able to drop enable-video-acceleration-on-linux.patch now):
+  # ++ optionals (useVaapi && versionRange "68" "86") [ # Improvements for the VA-API build:
+  #   ./patches/enable-vdpau-support-for-nvidia.patch # https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
+  #   ./patches/enable-video-acceleration-on-linux.patch # Can be controlled at runtime (i.e. without rebuilding Chromium)
+  # ];
 
-  postPatch = optionalString (!versionRange "0" "86") ''
+  postPatch = ''
     # Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
     substituteInPlace native_client/SConstruct \
       --replace "#! -*- python -*-" ""
     substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
       --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
-  '' + ''
+
     # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
     substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
       --replace \
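Review bot: In the `@@ -166` hunk the VA-API patch block becomes commented-out code instead of being removed, and the two patch files it names (`enable-vdpau-support-for-nvidia.patch`, `enable-video-acceleration-on-linux.patch`) are not deleted in this commit's diffstat, so they remain in the tree referenced only from a comment. Because `versionRange "68" "86"` is already false at 86.0.4240.75, useVaapi builds behave the same either way, but the `# TODO` should state what decides whether the patches come back, e.g. `# TODO: re-evaluate the VA-API patches on 86+; drop enable-video-acceleration-on-linux.patch if the runtime flag suffices, else rebase them`, or the block and the files should go together. Dropping the `optionalString (!versionRange "0" "86")` guard on `postPatch` is consistent with every channel now being at 86 or later per upstream-info.json. The patches list and the postPatch string both continue outside the hunk.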
@@ -195,11 +192,6 @@ let
       '/usr/share/locale/' \
       '${glibc}/share/locale/'
 
-    substituteInPlace ui/gfx/x/BUILD.gn \
-      --replace \
-      '/usr/share/xcb' \
-      '${xorg.xcbproto}/share/xcb/'
-
     sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg_utils}/bin/xdg-@' \
       chrome/browser/shell_integration_linux.cc
 
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 7f5378e2b199..d16decfeeda5 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -1,5 +1,5 @@
 { newScope, config, stdenv, fetchurl, makeWrapper
-, llvmPackages_10, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
+, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
 , glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit
 , libva ? null
 , pipewire_0_2
@@ -23,7 +23,7 @@
 }:
 
 let
-  llvmPackages = llvmPackages_10;
+  llvmPackages = llvmPackages_11;
   stdenv = llvmPackages.stdenv;
 
   callPackage = newScope chromium;
@@ -37,16 +37,6 @@ let
     inherit channel gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport useOzone;
   # TODO: Remove after we can update gn for the stable channel (backward incompatible changes):
-  gnChromium = gn.overrideAttrs (oldAttrs: {
-    version = "2020-05-19";
-    src = fetchgit {
-      url = "https://gn.googlesource.com/gn";
-      rev = "d0a6f072070988e7b038496c4e7d6c562b649732";
-      sha256 = "0197msabskgfbxvhzq73gc3wlr3n9cr4bzrhy5z5irbvy05lxk17";
-    };
-  });
-} // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "86") {
-  llvmPackages = llvmPackages_11;
   gnChromium = gn.overrideAttrs (oldAttrs: {
     version = "2020-07-20";
     src = fetchgit {
@@ -56,7 +46,6 @@ let
     };
   });
 } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "87") {
-  llvmPackages = llvmPackages_11;
   useOzone = true; # YAY: https://chromium-review.googlesource.com/c/chromium/src/+/2382834 \o/
   gnChromium = gn.overrideAttrs (oldAttrs: {
     version = "2020-08-17";
diff --git a/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch b/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch
deleted file mode 100644
index da6a4c92b460..000000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
-index f4e119d..d9775bd 100644
---- a/chrome/common/chrome_paths.cc
-+++ b/chrome/common/chrome_paths.cc
-@@ -68,21 +68,14 @@ static base::LazyInstance
-     g_invalid_specified_user_data_dir = LAZY_INSTANCE_INITIALIZER;
- 
- // Gets the path for internal plugins.
--bool GetInternalPluginsDirectory(base::FilePath* result) {
--#if defined(OS_MACOSX)
--  // If called from Chrome, get internal plugins from a subdirectory of the
--  // framework.
--  if (base::mac::AmIBundled()) {
--    *result = chrome::GetFrameworkBundlePath();
--    DCHECK(!result->empty());
--    *result = result->Append("Internet Plug-Ins");
--    return true;
--  }
--  // In tests, just look in the module directory (below).
--#endif
--
--  // The rest of the world expects plugins in the module directory.
--  return base::PathService::Get(base::DIR_MODULE, result);
-+bool GetInternalPluginsDirectory(base::FilePath* result,
-+                                 const std::string& ident) {
-+  std::string full_env = std::string("NIX_CHROMIUM_PLUGIN_PATH_") + ident;
-+  const char* value = getenv(full_env.c_str());
-+  if (value == NULL)
-+    return base::PathService::Get(base::DIR_MODULE, result);
-+  else
-+    *result = base::FilePath(value);
- }
- 
- // Gets the path for bundled implementations of components. Note that these
-@@ -272,7 +265,7 @@ bool PathProvider(int key, base::FilePath* result) {
-     create_dir = true;
-     break;
-   case chrome::DIR_INTERNAL_PLUGINS:
--    if (!GetInternalPluginsDirectory(&cur))
-+    if (!GetInternalPluginsDirectory(&cur, "ALL"))
-       return false;
-     break;
-   case chrome::DIR_COMPONENTS:
-@@ -280,7 +273,7 @@ bool PathProvider(int key, base::FilePath* result) {
-       return false;
-     break;
-   case chrome::DIR_PEPPER_FLASH_PLUGIN:
--    if (!GetInternalPluginsDirectory(&cur))
-+    if (!GetInternalPluginsDirectory(&cur, "PEPPERFLASH"))
-       return false;
-     cur = cur.Append(kPepperFlashBaseDirectory);
-     break;
-@@ -358,7 +351,7 @@ bool PathProvider(int key, base::FilePath* result) {
-       cur = cur.DirName();
-     }
- #else
--    if (!GetInternalPluginsDirectory(&cur))
-+    if (!GetInternalPluginsDirectory(&cur, "PNACL"))
-       return false;
- #endif
-     cur = cur.Append(FILE_PATH_LITERAL("pnacl"));
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.json b/pkgs/applications/networking/browsers/chromium/upstream-info.json
index ec8fc3407d25..9ea7182b96dc 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@@ -1,17 +1,17 @@
 {
   "stable": {
-    "version": "85.0.4183.121",
-    "sha256": "0a1xn39kmvyfpal6pgnylpy30z0322p3v7sx6vxi0r2naiz58670",
-    "sha256bin64": "08vqf1v91703aik47344bl409rsl4myar9bsd2lsvzqncncwsaca"
+    "version": "86.0.4240.75",
+    "sha256": "1ddw4p9zfdzhi5hrd8x14k4w326znljzprnpfi2f917rlpnl2ynx",
+    "sha256bin64": "17isxkd80rccqim6izzl08vw4yr52qsk6djp1rmhhijzg9rsvghz"
   },
   "beta": {
-    "version": "86.0.4240.42",
-    "sha256": "06cfhiym9xmz2q86v6b6xcicrrp2pmr7karavylzz4fqvwd2v6fa",
-    "sha256bin64": "1z5zmdc2i31iimps7p5z43vv4qi83c8ljb7x68zc1rvf8x62p7xj"
+    "version": "86.0.4240.75",
+    "sha256": "1ddw4p9zfdzhi5hrd8x14k4w326znljzprnpfi2f917rlpnl2ynx",
+    "sha256bin64": "16snxdka5bkbvybx6x0dzgfbfaifv0jcc1dcny6vlqqp2fmb2v39"
   },
   "dev": {
-    "version": "87.0.4263.3",
-    "sha256": "1ybfrlm4417lpbg5qcwhq5p6nnxrw68wzyy5zvb1sg1ma8s9hhkk",
-    "sha256bin64": "1f7a272kalglmdwmrrzb4iw3crvvpv3mhxca5jh75qpldn4gby6m"
+    "version": "87.0.4278.0",
+    "sha256": "1ywmv4iwn2as7vk2n0pslnmr300fl5y809ynxiw5xqcx9j6i8w85",
+    "sha256bin64": "15dvwvk6l6n7l04085hr48hlvsijypasyk7d8iq3s6cxai3wx4cl"
   }
 }

From 757bbdd948234710f6eabd58c80af1e7cd9bac14 Mon Sep 17 00:00:00 2001
From: TredwellGit
Date: Thu, 1 Oct 2020 23:22:57 +0000
Subject: [PATCH 2/2] chromium: Fix and enable our ANGLE support

This will additionally install the following files:
libEGL.so libGLESv2.so libVkICD_mock_icd.so libvk_swiftshader.so libvulkan.so
libEGL.so and libGLESv2.so are required to fix our ANGLE support. The rest should help with the Vulkan support (currently an experimental feature that is disabled by default).
---
 .../networking/browsers/chromium/browser.nix | 2 +-
 .../networking/browsers/chromium/common.nix | 1 -
 .../patches/dont-use-ANGLE-by-default.patch | 26 -------------------
 3 files changed, 1 insertion(+), 28 deletions(-)
 delete mode 100644 pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
diff --git a/pkgs/applications/networking/browsers/chromium/browser.nix b/pkgs/applications/networking/browsers/chromium/browser.nix
index 7c0609730c24..3d87325984b4 100644
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@@ -13,7 +13,7 @@ mkChromiumDerivation (base: rec {
 
   installPhase = ''
     mkdir -p "$libExecPath"
-    cp -v "$buildPath/"*.pak "$buildPath/"*.bin "$libExecPath/"
+    cp -v "$buildPath/"*.so "$buildPath/"*.pak "$buildPath/"*.bin "$libExecPath/"
     cp -v "$buildPath/icudtl.dat" "$libExecPath/"
     cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
     cp -v "$buildPath/chrome" "$libExecPath/$packageName"
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index af2d27342f85..b9f6ef4a4b9e 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -152,7 +152,6 @@ let
     ./patches/remove-webp-include-69.patch
     ./patches/no-build-timestamps.patch
     ./patches/widevine-79.patch
-    ./patches/dont-use-ANGLE-by-default.patch
     # Unfortunately, chromium regularly breaks on major updates and
     # then needs various patches backported in order to be compiled with GCC.
     # Good sources for such patches and other hints:
diff --git a/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch b/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
deleted file mode 100644
index 9f14a304eb34..000000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
+++ /dev/null
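Review bot: The new `cp -v "$buildPath/"*.so` in browser.nix installs every shared object the build produced, not just the five libraries the commit message lists, so any `.so` that later shows up in the build output is shipped into `$libExecPath` without anyone reviewing it. One of the five, `libVkICD_mock_icd.so`, reads by its name as a test/mock Vulkan driver, which is worth confirming belongs in a release install at all. Naming the intended files keeps the installed set explicit and reviewable, e.g. `cp -v "$buildPath/"{libEGL,libGLESv2,libvk_swiftshader,libvulkan}.so "$libExecPath/"` (brace expansion is fine here as installPhase runs under bash; add the mock ICD to the list only if it is deliberately wanted), and a short comment above the line saying why the ANGLE libraries must be co-located with the binary would document the dependency the commit message explains. The installPhase continues past the hunk.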
@@ -1,26 +0,0 @@
-A field trial currently enables the passthrough command decoder, which causes
-gl_factory.cc to try kGLImplementationEGLANGLE first, which causes Chromium to fail
-to load libGLESv2.so on NixOS. It somehow does not try kGLImplementationDesktopGL,
-and so there is no GL support at all.
-
-Revert to using the validating command decoder, which prevents gl_factory.cc
-from touching allowed_impls, allowing it to successfully use kGLImplementationDesktopGL.
-
-diff --git a/ui/gl/gl_utils.cc b/ui/gl/gl_utils.cc
-index 697cbed5fe2d..8419bdb21a2f 100644
---- a/ui/gl/gl_utils.cc
-+++ b/ui/gl/gl_utils.cc
-@@ -71,9 +71,10 @@ bool UsePassthroughCommandDecoder(const base::CommandLine* command_line) {
-   } else if (switch_value == kCmdDecoderValidatingName) {
-     return false;
-   } else {
--    // Unrecognized or missing switch, use the default.
--    return base::FeatureList::IsEnabled(
--        features::kDefaultPassthroughCommandDecoder);
-+    // Ignore the field trial that enables it; disable it until
-+    // gl_factory.cc kGLImplementationEGLANGLE issues are sorted
-+    // out on NixOS.
-+    return false;
-   }
- }
- }