From 2dd80cf5d28282854550e6eaa4517daa672f24b5 Mon Sep 17 00:00:00 2001 From: emilylange Date: Wed, 17 Apr 2024 13:16:27 +0200 Subject: [PATCH 1/3] chromium: 123.0.6312.122 -> 124.0.6367.60 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html This update includes 23 security fixes. CVEs: CVE-2024-3832 CVE-2024-3833 CVE-2024-3914 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847 --- .../networking/browsers/chromium/upstream-info.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 2597d293ac63..d75b5df53032 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -9,15 +9,15 @@
 };
 deps = {
 gn = {
- hash = "sha256-JvilCnnb4laqwq69fay+IdAujYC1EHD7uWpkF/C8tBw=";
- rev = "d4f94f9a6c25497b2ce0356bb99a8d202c8c1d32";
+ hash = "sha256-aEL1kIhgPAFqdb174dG093HoLhCJ07O1Kpqfu7r14wQ=";
+ rev = "22581fb46c0c0c9530caa67149ee4dd8811063cf";
 url = "https://gn.googlesource.com/gn";
- version = "2024-02-19";
+ version = "2024-03-14";
 };
 };
- hash = "sha256-7H7h621AHPyhFYbaVFO892TtS+SP3Qu7cYUVk3ICL14=";
- hash_deb_amd64 = "sha256-tNkO1mPZg1xltBfoWeNhLekITtZV/WNgu//i2DJb17c=";
- version = "123.0.6312.122";
+ hash = "sha256-apEniFKhIxPo4nhp9gCU+WpiV/EB40qif4RfE7Uniog=";
+ hash_deb_amd64 = "sha256-rSbigG5/xbL32d1ntOn6gnZyxSpgrg1h7lb/RD4YROI=";
+ version = "124.0.6367.60";
 };
 ungoogled-chromium = {
 deps = {
From d93b17c0d4f3dffd0c3b68d618a453a5f94c3209 Mon Sep 17 00:00:00 2001
From: emilylange Date: Wed, 17 Apr 2024 13:16:29 +0200 Subject: [PATCH 2/3] chromium: fix M124+ build by using the vendored libwebp at least until we figure out how to use our libwebp again. Works around the following error in the configure phase (pretty quick to reproduce): ~~~ Running phase: configurePhase ERROR Unresolved dependencies. //third_party/libavif:libavif_enc(//build/toolchain/linux/unbundle:default) needs //third_party/libwebp:libwebp_sharpyuv(//build/toolchain/linux/unbundle:default) ~~~ The lib.optionals saves us from rebuilding < M124 (ungoogled-chromium at this HEAD and all of electron-source). --- pkgs/applications/networking/browsers/chromium/common.nix | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 54697febefe3..400c61130111 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -102,7 +102,14 @@ let
 "flac"
 "libjpeg"
 "libpng"
+ ] ++ lib.optionals (!chromiumVersionAtLeast "124") [
+ # Use the vendored libwebp for M124+ until we figure out how to solve:
+ # Running phase: configurePhase
+ # ERROR Unresolved dependencies.
+ # //third_party/libavif:libavif_enc(//build/toolchain/linux/unbundle:default)
+ # needs //third_party/libwebp:libwebp_sharpyuv(//build/toolchain/linux/unbundle:default)
 "libwebp"
+ ] ++ [
 "libxslt"
 # "opus"
 ];
From fb10ea41b2a080cb4ecac34aa12cf056d8d3f90e Mon Sep 17 00:00:00 2001
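Review bot: The comment added inside the `lib.optionals (!chromiumVersionAtLeast "124")` list reads inverted where it sits: it says "Use the vendored libwebp for M124+", but that list is the one that keeps `"libwebp"` for versions below 124. I would move the comment above the `] ++ lib.optionals …` line, or reword its first line to `# Use our libwebp only for < M124; M124+ falls back to the vendored copy until we figure out how to solve:`. Going by the commit message, dropping the entry means M124+ builds against Chromium's bundled libwebp, so it is worth one more comment line saying that libwebp fixes for those versions then arrive only with Chromium bumps and not through the nixpkgs libwebp package. The enclosing list starts before the hunk.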
From: emilylange Date: Thu, 18 Apr 2024 19:26:17 +0200 Subject: [PATCH 3/3] chromium: fix `--ozone-platform-hint` flag on wayland M124 shipped with broken `--ozone-platform-hint` flag handling, which we rely on NIXOS_OZONE_WL (wayland) environment variable. This resulted in chromium M124 opening as blank/transparent window under wayland. X11 continued to work fine, which is why our X11-only chromium VM test did not catch this. See https://issues.chromium.org/issues/329678163 for details. Fortunately, the fix for that which landed in M125, applies cleanly on M124, so we do just that and essentially backport that fix to M124. --- .../applications/networking/browsers/chromium/common.nix | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 400c61130111..df33a2bbe757 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -248,6 +248,15 @@ let
 # Partial revert of https://github.com/chromium/chromium/commit/3687976b0c6d36cf4157419a24a39f6770098d61
 # allowing us to use our rustc and our clang.
 ./patches/chromium-121-rust.patch
+ ] ++ lib.optionals (chromiumVersionAtLeast "124" && !chromiumVersionAtLeast "125") [
+ # M124 shipped with broken --ozone-platform-hint flag handling, which we rely on
+ # for our NIXOS_OZONE_WL (wayland) environment variable.
+ # See .
+ # This is the commit for the fix that landed in M125, which applies clean on M124.
+ (githubPatch {
+ commit = "c7f4c58f896a651eba80ad805ebdb49d19ebdbd4";
+ hash = "sha256-6nYWT2zN+j73xAIXLdGYT2eC71vGnGfiLCB0OwT0CAI=";
+ })
 ];
 postPatch = ''
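Review bot: The added comment line `# See .` carries no reference as it appears on this page, so someone auditing the backported patch from common.nix alone cannot get from the pinned commit to the upstream bug. The commit message already names it, and the comment should too: `# See https://issues.chromium.org/issues/329678163.` A smaller wording point on the next comment line: "applies clean" should read "applies cleanly". The surrounding patches list starts before the hunk.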