From 2e2a9ae22a775de500cdfafdace9d36c35fe8ac7 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Wed, 18 Sep 2019 21:02:31 +0000 Subject: [PATCH 1/3] chromium: 77.0.3865.75 -> 77.0.3865.90 CVE-2019-13685 CVE-2019-13688 CVE-2019-13687 CVE-2019-13686 --- .../browsers/chromium/upstream-info.nix | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix index df2ce798f1fb..b641d1163bc4 100644 --- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix +++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix @@ -1,18 +1,18 @@ # This file is autogenerated from update.sh in the same directory. { beta = { - sha256 = "12cp24h93b48pwfywf5b6qvjdlhxrhp87qdaqbfcn6g787r2z5gb"; - sha256bin64 = "0d9w869qqwbmw3qjvxkfm37i7dvrgmrwm5y96sm1dg2jnxqj4bdz"; - version = "77.0.3865.75"; + sha256 = "1hzgzmrn0d6cqvqnqayl048zwlcx0f7azg2rhvm7p13lvyqzsk00"; + sha256bin64 = "0p3275ii8800swlfmljbdrvyqjd5nlw0vgv2my4r8ccszgbhidbd"; + version = "77.0.3865.90"; }; dev = { - sha256 = "0x5r6xqwiggwyzbinm252xc1n3f9r7cmmzj6assi4v1nsispdh2k"; - sha256bin64 = "03yymhbpd1snycmcv7wkg5j6zbydvyc365gy5myp7wgas7cd0mb6"; - version = "78.0.3887.7"; + sha256 = "0zka01ml3hbximswzkkqbqq8wpiz8f4fq4wx5fys002hi69l296l"; + sha256bin64 = "0nrip45s0ylri34vlpf16xlwv3ybmy2jg7dz8l9rvgbdwwdzdb75"; + version = "78.0.3904.17"; }; stable = { - sha256 = "12cp24h93b48pwfywf5b6qvjdlhxrhp87qdaqbfcn6g787r2z5gb"; - sha256bin64 = "1wp5g09czyslkkhw3nhbp39fxfcz0pprsgj8h0aggghpdbvzph3d"; - version = "77.0.3865.75"; + sha256 = "1hzgzmrn0d6cqvqnqayl048zwlcx0f7azg2rhvm7p13lvyqzsk00"; + sha256bin64 = "1npx867j39mdyivf8nlkcfwgq7j34hl7s948vf6h2kqni0y50hzl"; + version = "77.0.3865.90"; }; } From 44957a9f3028edf538d5a70e58a736bc7026d3cb Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Wed, 18 Sep 2019 23:24:57 +0000 Subject: [PATCH 2/3] chromiumDev: fix build by disabling jumbo This fixes: FAILED: obj/chrome/browser/ui/ui/ui_jumbo_3.o ../../third_party/llvm-build/Release+Asserts/bin/clang++ -MMD -MF obj/chrome/browser/ui/ui/ui_jumbo_3.o.d -DUSE_DBUS -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -DUSE_X11=1 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -DCR_CLANG_REVISION=\"371202-8455294f-1\" -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D_FORTIFY_SOURCE=2 -D_LIBCPP_ABI_UNSTABLE -D_LIBCPP_DISABLE_VISIBILITY_ANNOTATIONS -D_LIBCXXABI_DISABLE_VISIBILITY_ANNOTATIONS -D_LIBCPP_ENABLE_NODISCARD -DCR_LIBCXX_REVISION=361348 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -DUSE_CUPS -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_32 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -DENABLE_IPC_FUZZER -DTOOLKIT_VIEWS=1 -DVK_NO_PROTOTYPES -DGL_GLEXT_PROTOTYPES -DUSE_GLX -DUSE_EGL -DSYNC_PASSWORD_REUSE_DETECTION_ENABLED -DON_FOCUS_PING_ENABLED -DEXPAT_RELATIVE_PATH -DGOOGLE_PROTOBUF_NO_RTTI -DGOOGLE_PROTOBUF_NO_STATIC_INITIALIZER -DHAVE_PTHREAD -DLEVELDB_PLATFORM_CHROMIUM=1 -DLEVELDB_PLATFORM_CHROMIUM=1 -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DUSE_CHROMIUM_ICU=1 -DU_STATIC_IMPLEMENTATION -DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_FILE -DUCHAR_TYPE=uint16_t -DWEBRTC_NON_STATIC_TRACE_EVENT_HANDLERS=0 -DWEBRTC_CHROMIUM_BUILD -DWEBRTC_POSIX -DWEBRTC_LINUX -DABSL_ALLOCATOR_NOTHROW=1 -DNO_MAIN_THREAD_WRAPPING -DV8_USE_EXTERNAL_STARTUP_DATA -DSK_GL -DSK_HAS_PNG_LIBRARY -DSK_HAS_WEBP_LIBRARY -DSK_USER_CONFIG_HEADER=\"../../skia/config/SkUserConfig.h\" -DSK_HAS_JPEG_LIBRARY -DSK_VULKAN_HEADER=\"../../skia/config/SkVulkanConfig.h\" -DSK_VULKAN=1 -DSK_SUPPORT_GPU=1 -DSK_GPU_WORKAROUNDS_HEADER=\"gpu/config/gpu_driver_bug_workaround_autogen.h\" -DVK_NO_PROTOTYPES -DV8_DEPRECATION_WARNINGS -DI18N_ADDRESS_VALIDATION_DATA_URL=\"https://chromium-i18n.appspot.com/ssl-aggregate-address/\" -DPERFETTO_IMPLEMENTATION -I. -I../.. -Igen -Igen/shim_headers/snappy_shim -I../../third_party/libyuv/include -Igen/shim_headers/libpng_shim -Igen/shim_headers/libwebp_shim -I../../third_party/khronos -I../../gpu -I../../third_party/vulkan/include -Igen/shim_headers/opus_shim -Igen/third_party/dawn -I../../third_party/dawn/src/include -Igen/shim_headers/flac_shim -I../../third_party/protobuf/src -Igen/protoc_out -I../../third_party/protobuf/src -I../../third_party/boringssl/src/include -I../../third_party/cacheinvalidation/overrides -I../../third_party/cacheinvalidation/src -Igen/third_party/metrics_proto -I../../third_party/leveldatabase -I../../third_party/leveldatabase/src -I../../third_party/leveldatabase/src/include -I../../third_party/ced/src -I../../third_party/icu/source/common -I../../third_party/icu/source/i18n -I../../third_party/webrtc_overrides -I../../third_party/webrtc -Igen/third_party/webrtc -I../../third_party/abseil-cpp -I../../third_party/skia -I../../third_party/vulkan/include -I../../third_party/skia/third_party/vulkanmemoryallocator -I../../third_party/vulkan/include -I../../third_party/libwebm/source -I../../v8/include -Igen/v8/include -I../../third_party/perfetto/include -Igen/third_party/perfetto/build_config -Igen/third_party/perfetto -Igen/third_party/perfetto -Igen/third_party/perfetto -Igen/third_party/perfetto -Igen/third_party/perfetto -Igen/third_party/perfetto -I../../third_party/re2/src -I../../third_party/mesa_headers -Igen -Igen -Igen -Igen -I../../third_party/libaddressinput/src/cpp/include -Igen/components/sync/protocol -I../../third_party/flatbuffers/src/include -I../../third_party/perfetto -I../../third_party/perfetto/include -Igen/third_party/perfetto/build_config -I../../third_party/brotli/include -I../../third_party/zlib -I../../third_party/fontconfig/src -Igen -Igen -Igen -Igen -Igen -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -funwind-tables -fPIC -pthread -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tools/clang/crashreports -Xclang -mllvm -Xclang -instcombine-lower-dbg-declare=0 -fcomplete-member-pointers -m64 -march=x86-64 -Wno-builtin-macro-redefined -D__DATE__= -D__TIME__= -D__TIMESTAMP__= -no-canonical-prefixes -Wall -Wextra -Wimplicit-fallthrough -Wthread-safety -Wextra-semi -Wno-missing-field-initializers -Wno-unused-parameter -Wno-c++11-narrowing -Wno-unneeded-internal-declaration -Wno-undefined-var-template -Wno-ignored-pragma-optimize -Wno-implicit-int-float-conversion -Wno-xor-used-as-pow -Wno-c99-designator -Wno-reorder-init-list -Wno-final-dtor-non-final-class -O2 -fno-ident -fdata-sections -ffunction-sections -fno-omit-frame-pointer -g0 -fvisibility=hidden -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -Wexit-time-destructors -I/nix/store/fn0ag3ahbrjjjbsqb2846x321zj4jika-glib-2.60.7-dev/include -I/nix/store/fn0ag3ahbrjjjbsqb2846x321zj4jika-glib-2.60.7-dev/include/glib-2.0 -I/nix/store/ilk1606qj4pqzsplnnzycsxpzl6pjss8-glib-2.60.7/lib/glib-2.0/include -Wno-shorten-64-to-32 -Wno-header-guard -I/nix/store/c3i4il1c0n9mjhzm1dsvcw8h8d973s0b-nspr-4.21-dev/include -I/nix/store/qk3racv0a2967wsk0g9ps9wlbfn17faj-nss-3.46-dev/include/nss -I/nix/store/v85mz845m1hv2xlhp0zvxv36pmsfbc3q-dbus-1.12.16-dev/include/dbus-1.0 -I/nix/store/j3sv2g9s6dnlh672rwx0mmlkcm37v1k8-dbus-1.12.16-lib/lib/dbus-1.0/include -std=c++14 -fno-exceptions -fno-rtti -nostdinc++ -isystem../../buildtools/third_party/libc++/trunk/include -isystem../../buildtools/third_party/libc++abi/trunk/include -fvisibility-inlines-hidden -c gen/chrome/browser/ui/ui_jumbo_3.cc -o obj/chrome/browser/ui/ui/ui_jumbo_3.o warning: unknown warning option '-Wno-implicit-int-float-conversion'; did you mean '-Wno-implicit-float-conversion'? [-Wunknown-warning-option] warning: unknown warning option '-Wno-xor-used-as-pow'; did you mean '-Wno-unused-macros'? [-Wunknown-warning-option] warning: unknown warning option '-Wno-c99-designator'; did you mean '-Wno-gnu-designator'? [-Wunknown-warning-option] warning: unknown warning option '-Wno-reorder-init-list'; did you mean '-Wno-empty-init-stmt'? [-Wunknown-warning-option] warning: unknown warning option '-Wno-final-dtor-non-final-class'; did you mean '-Wno-abstract-final-class'? [-Wunknown-warning-option] In file included from gen/chrome/browser/ui/ui_jumbo_3.cc:24: ./../../chrome/browser/ui/views/profiles/profile_menu_view.cc:68:25: error: redefinition of 'GetProfileAttributesEntry' ProfileAttributesEntry* GetProfileAttributesEntry(Profile* profile) { ^ ./../../chrome/browser/ui/views/profiles/avatar_toolbar_button.cc:49:25: note: previous definition is here ProfileAttributesEntry* GetProfileAttributesEntry(Profile* profile) { ^ 5 warnings and 1 error generated. --- pkgs/applications/networking/browsers/chromium/common.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index 6d43c313cc02..c2434ed858fe 100644 --- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix @@ -227,8 +227,9 @@ let use_gold = true; gold_path = "${stdenv.cc}/bin"; is_debug = false; - # at least 2X compilation speedup - use_jumbo_build = true; + # Use jumbo for a 2x (at least) compilation speedup, except where it is currently broken: + # https://gist.github.com/ivan/6fe7014c1b1cc35dec133fa6de0549d9 + use_jumbo_build = (version != "78.0.3904.17"); proprietary_codecs = false; use_sysroot = false; From 5456def6b33dd215043a8b710ee52384309a3833 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Wed, 18 Sep 2019 21:30:15 +0000 Subject: [PATCH 3/3] chromiumDev: fix widevine support Upstream moved libwidevinecdm.so from ./opt/google/chrome-unstable/libwidevinecdm.so to ./opt/google/chrome-unstable/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so --- .../networking/browsers/chromium/default.nix | 44 ++++++++++++------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index f099ddbff737..5fb0d67a4809 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -50,6 +50,7 @@ in let widevine = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation { name = "chromium-binary-plugin-widevine"; + # The .deb file for Google Chrome src = upstream-info.binary; nativeBuildInputs = [ patchelfUnstable ]; @@ -57,14 +58,21 @@ in let phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ]; unpackCmd = let - chan = if upstream-info.channel == "dev" then "chrome-unstable" - else if upstream-info.channel == "stable" then "chrome" - else if upstream-info.channel == "beta" then "chrome-beta" - else throw "Unknown chromium channel."; + soPath = + if upstream-info.channel == "stable" then + "./opt/google/chrome/libwidevinecdm.so" + else if upstream-info.channel == "beta" then + "./opt/google/chrome-beta/libwidevinecdm.so" + else if upstream-info.channel == "dev" then + "./opt/google/chrome-unstable/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so" + else + throw "Unknown chromium channel."; in '' mkdir -p plugins - ar p "$src" data.tar.xz | tar xJ -C plugins --strip-components=4 \ - ./opt/google/${chan}/libwidevinecdm.so + # Extract just libwidevinecdm.so from upstream's .deb file + ar p "$src" data.tar.xz | tar xJ -C plugins ${soPath} + mv plugins/${soPath} plugins/ + rm -rf plugins/opt ''; doCheck = true; @@ -83,7 +91,10 @@ in let "$out/lib/libwidevinecdm.so" ''; - meta.platforms = lib.platforms.x86_64; + meta = { + platforms = [ "x86_64-linux" ]; + license = lib.licenses.unfree; + }; }; suffix = if channel != "stable" then "-" + channel else ""; @@ -92,18 +103,21 @@ in let version = chromium.browser.version; - # This is here because we want to add the widevine shared object at the last - # minute in order to avoid a full rebuild of chromium. Additionally, this - # isn't in `browser.nix` so we can avoid having to re-expose attributes of - # the chromium derivation (see above: we introspect `sandboxExecutableName`). + # We want users to be able to enableWideVine without rebuilding all of + # chromium, so we have a separate derivation here that copies chromium + # and adds the unfree libwidevinecdm.so. chromiumWV = let browser = chromium.browser; in if enableWideVine then runCommand (browser.name + "-wv") { version = browser.version; } '' mkdir -p $out - cp -R ${browser}/* $out/ - chmod u+w $out/libexec/chromium* - cp ${widevine}/lib/libwidevinecdm.so $out/libexec/chromium/ - # patchelf? + cp -a ${browser}/* $out/ + chmod u+w $out/libexec/chromium + if [[ ${channel} != "dev" ]]; then + cp ${widevine}/lib/libwidevinecdm.so $out/libexec/chromium/ + else + mkdir -p $out/libexec/chromium/WidevineCdm/_platform_specific/linux_x64 + cp ${widevine}/lib/libwidevinecdm.so $out/libexec/chromium/WidevineCdm/_platform_specific/linux_x64/ + fi '' else browser; in stdenv.mkDerivation {