Overview of the updated versions:
beta: 50.0.2661.49 -> 51.0.2704.47
dev: 51.0.2693.2 -> 52.0.2729.3
It has been a while since we had a major Chromium update that compiled
and worked without troubles, but version 52 builds and the VM tests are
successful as well:
https://headcounter.org/hydra/eval/320335
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This addresses the following security fixes:
* High CVE-2016-1667: Same origin bypass in DOM. Credit to
Mariusz Mlynski.
* High CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit
to Mariusz Mlynski.
* High CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han.
* Medium CVE-2016-1670: Race condition in loader. Credit to anonymous.
* Medium CVE-2016-1671: Directory traversal using the file scheme on
Android. Credit to Jann Horn.
See: http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html
Signed-off-by: Scott R. Parish <srparish@gmail.com>
Tested-by: aszlig <aszlig@redmoonstudios.org>
Closes: #15446
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Regression introduced by f28b71023c.
Let's now expose and use the upstream-info attribute via the main
Chromium derivation, so that other packages like the google-chrome
package doesn't need to rely on internals of the Chromium
implementation.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This effectively resets the attributes given at the point the main
<nixpkgs> is imported and thus for example is also reading in stuff like
~/.nixpkgs/config.nix again, which might lead to unexpected results.
We now only import <nixpkgs> now if the updater is auto-called (like in
update.sh), otherwise the required attributes are passed by callPackage
within the Chromium scope.
I remember noting about this a while ago either on IRC or on GitHub, but
I can't find it right now, so thanks to @obadz for reminding me about
this in #15225.
Tested this by running the updater and also using:
NIXPKGS_CONFIG=$(pwd)/broken.nix nix-instantiate --arg config {} -A chromium
The contents of broken.nix were:
EVALERR{
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15225
It's not the job of Nixpkgs to distribute beta versions of upstream
packages. More importantly, building these delays channel updates by
several hours, which is bad for our security fix turnaround time.
Fixes#14695
I'm not entirely sure if including `stdenv.cc.cc` in `makeLibraryPath`
is the correct thing to do here. If it's incorrect, please feel free to
ping me.
Overview of the updated versions:
stable: 49.0.2623.87 -> 49.0.2623.110
beta: 50.0.2661.26 -> 50.0.2661.49
dev: 50.0.2661.18 -> 51.0.2693.2
Most notably, this includes a series of urgent security fixes:
* CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from
Tencent KeenLab.
* CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous.
* CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous.
* CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt
working with HP's Zero Day Initiative / Pwn2Own.
* CVE-2016-1650: Denial of service in PageCaptureSaveAsMHTMLFunction
The official release announcement with details about these fixes can be
found here:
http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html
Beta and stable could be also affected, although I didn't do a detailed
check whether that's the case.
As this introduces Chromium 51 as the dev version, I had to make the
following changes to make it build:
* libexif got removed, so let's do that on our end as well.
See https://codereview.chromium.org/1803883002 for details.
* Chromium doesn't seem to compile with our version of libpng, so let's
resort to the bundled libpng for now.
* site_engagement_ui.cc uses isnan outside of std namespace, so
we're fixing that in postPatch using sed.
I have successfully built all versions on i686-linux and x86_64-linux
and tested it using the VM tests.
Test reports can be found at the following evaluation of my Hydra:
https://headcounter.org/hydra/eval/314584
Thanks to @grahamc for reporting this.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: Graham Christensen <graham@grahamc.com>
Fixes: #14299
I originally wanted to do this a long time (a31301d) but IIRC back then
it didn't compile. Nowadays with the splitup of the gold linking flags
and the binutils integration, it's merely just a switch to flip, so
let's do that.
Only tested it by building against the current Chromium stable version
on 64bit, because right now builds on Hydra seem to time out (because of
this?) anyway so we have nothing to lose here.
The linking time was hereby reduced from >30 minutes (I didn't measure
it exactly but looked half an hour later to the build progress and it
was *still* linking) to about a few seconds, which I guess is even
though the measurement is quite bogus a tremendous improvement
nonetheless.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Commit aa097946d2 only fixed evaluation.
Ssince 37dbd62 however, the fetchurl call is already implied so just
changing the path will still result in fetchurl (fetchurl ...), so let's
drop the outer fetchurl.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @msteen, @benley
As of 6041cfe, the upstream-info.nix (back then it was called
sources.nix) is no longer in the source/ subdirectory, so we need to fix
that comment to say that the file is autogenerated from update.sh in the
*same* directory.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 5979946c41.
I have tested this by building against the stable version of Chromium
and it seems to compile just fine, so it doesn't seem to be needed
anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Only a aesthetics thingy, but also corrects the comment, because we're
essentially precompiling .py files, NOT the .pyc files (the latter are
the results).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This addresses #12794 so that we now have only a single tarball where we
base our build on instead of splitting the source into different outputs
first and then reference the outputs.
The reason I did this in the first place is that we previously built the
sandbox as a different derivation and unpacking the whole source tree
just for building the sandbox was a bit too much.
As we now have namespaces sandbox built in by default we no longer have
that derivation anymore. It still might come up however if we want to
build NaCl as a separate derivation (see #8560), but splitting the
source code into things only NaCl might require is already too much work
and doesn't weight out the benefits.
Another issue with the source splitup is that Hydra now has an output
limit for non-fixed-output derivations which we're already hitting.
Tested the build against the stable channel and it went well, but I
haven't tested running the browser.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We always do something like "fetchurl channelProduct", so let's move it
to getChannel directly so we can avoid those fetchurl calls all over the
place.
Also, we can still access subattributes from the fetchurl call if we
need to, so there really is no need to expose the product's attributes
directly.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Yes, I know I'm a bit nitpicky, but lines >80 chars are very ugly if you
have two windows side-by-side.
Thus no feature changes here.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now should have only the default.nix left in the source directory and
we can start to factor out the pieces into the Chromium main derivation
attributes.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The "sources.nix" also contains information about where to get binary
packages, so calling it "upstream-info.nix" fits better in terms of
naming.
Also, we're moving it away from the sources dir, because the latter will
soon vanish.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're going to reference the patches in the Chromium main build rather
than applying it to the sources. So as a first step, this should keep
the patches away from the "source" subdirectory so we can make it flat.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is just a minor upgrade, even though the commit message says it's
to major version 50. However, the CVEs listed there are for real, see
the following announcement:
http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html
The summary of updated packages:
stable: 49.0.2623.75 -> 49.0.2623.87
beta: 49.0.2623.75 -> 50.0.2661.26
dev: 50.0.2661.11 -> 50.0.2661.18
I've also added two commits, fixing the chdir() in the updater and
shutting up Python precompilation errors during the preBuild phase.
Tested on my Hydra at:
https://headcounter.org/hydra/eval/312166
Changing the working directory to
pkgs/applications/networking/browsers/chromium is a bit annoying, so
let's make sure the script can be called from anywhere.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The errors are completely non-fatal and only cause a particular file to
be not precompiled. Unfortunately this can lead to confusion to whether
these errors are real errors or not, so let's shut it up completely
because they're *not* real errors.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of the updated versions:
stable: 48.0.2564.116 -> 49.0.2623.75
beta: 49.0.2623.63 -> 49.0.2623.75
dev: 50.0.2657.0 -> 50.0.2661.11
Stable and beta are now in par because of the release of a major stable
update.
The release addresses 26 security vulnerabilities, the following with an
assigned CVE:
* CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz
Mlynski.
* CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz
Mlynski.
* CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
* CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
* CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and
Bryant Zadegan.
* CVE-2015-8126: Out-of-bounds access in libpng. Credit to
joerg.bornemann.
* CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
* CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
* CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
* CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan
Herrera.
* CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of
OUSPG.
The full announcement which also includes the link to the bug tracker
can be found here:
http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html
Also, the 32bit Chrome package needed for the Flash and Widevine plugins
doesn't exist anymore, because Google has dropped support for 32bit
distros, see here for the announcement:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/FoE6sL-p6oU
On our end, we need to fix the patch for the plugin paths to work for
the latest dev channel. The change is very minor, because the
nix_plugin_paths_46.patch only doesn't apply because of an iOS-related
ifdef.
Built and tested on my Hydra at:
https://headcounter.org/hydra/eval/311511
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #13665
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
Comparing the current version with the version in sources list and
accidentally swapping the version arguments isn't going to get very far
because every new version that will come up will then be treated as "we
already have that version".
So we're now using versionOlder and also a check whether the version is
the *same* as the one in sources.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
No changes in functionality, but to make future source updates a bit
easier on the eyes when viewing the diff.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The update.sh shell script now is only a call to nix-build, which does
all the hard work of updating the Chromium source channels and the
plugins. It results in a store path with the new sources.nix that
replaces the already existing sources.nix.
Along the way, this has led to a quite massive workaround, which abuses
MD5 collisions to detect whether an URL is existing, because something
like builtins.tryEval (builtins.fetchurl url) unfortunately doesn't
work. Further explanations and implementation details are documented in
the actual implementation.
The drawback of this is that we don't have nice status messages anymore,
but on the upside we have a more robust generation of the sources.nix
file, which now also should work properly on missing upstream
sources/binaries.
This also makes it much easier to implement fetching non-GNU/Linux
versions of Chromium and we have all values from omahaproxy available as
an attribute set (see the csv2nix and channels attributes in the update
attribute).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
As stated in the parent commit, the 32bit Chrome package is not
available upstream, so let's at least provide the SHA256 hash for the
64bit package.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Until now, if we have a failure to fetch either the 32bit Debian package
or the 64bit Debian package, neither of these will be put into
sources.nix.
Unfortunately the beta/dev channels do not have a 32bit Debian package,
so even though there is a 64bit Debian package available we don't get
plugins *at* *all*.
This also introduces a nicer error message rather than just failing with
an assertion in fetchurl because we did not provide url/urls.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
Fixes: #12840
Related to: 61042a561042a5 changes the replaced token from $something to @something@. This
commit repeats that change in one additional location used by the
WideVine plugin
There is already a pull request from @colemickens, who has just reversed
the variable references $flash and $flashVersion but the fix is kinda
fragile as he points out himself in #12713.
The reason the wrong substition was made is that both variables begin
with the same name and we do a simple replace instead of a more
complicated one using builtins.match.
So staying simple but to still not raising issues with other variables
that begin with the same name I'm now using @var@ instead, like we use
in substituteAll and other substituters (like the ones in CMake or
autotools) deal with it.
Note that I'm not using $var$ here to make sure it doesn't get confused
with real shell variables.
So with this fix in place, the wrapper now has the following flags:
--ppapi-flash-path=/nix/store/.../lib/libpepflashplayer.so
--ppapi-flash-version=20.0.0.294
Previously we had (#12710):
--ppapi-flash-path=/nix/store/.../lib/libpepflashplayer.so
--ppapi-flash-version=/nix/store/...-binary-plugins-flashVersion
Thanks to @colemickens for reporting and putting up a pull request.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #12710Fixes: #12713
This reverts commit f7af2272a2.
We're going to fix#12710 properly by reintroducing 38c77bb and fixing
the shell variable substitution.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
- Fixes CVE-2016-1612 CVE-2016-1613 CVE-2016-1614 CVE-2016-1615
CVE-2016-1616 CVE-2016-1617 CVE-2016-1618 CVE-2016-1619 CVE-2016-1620.
- Moves chromium stable and beta channels up one version major.
vcunat made dev channel stay for now, as it wouldn't download otherwise.
This is most of PR #12717.
This package is deprecated and superseeded by links2 which also provides the
links binary this maintaining backwards-compatibility.
Debian removed links back in 2008:
https://packages.qa.debian.org/l/links.htmlFixes#12623.
Working on Chromium really drives me nuts due to its build time, also I
really don't have quite a lot of time these days to properly maintain it
anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This has been introduced by me in 690a845 and discovered by @vcunat in
his comment over at:
690a845de9 (commitcomment-14209868)
It's really a bit ugly to have builds running during evaluation, but
back when I made that commit the reason was to avoid having to shell
quote the hell out of it (see the comment in mkPluginInfo for the
reason).
Now we propagate plugin flags and environment variables as a list of
arguments in a plain file that's appended verbatim to makeWrapper, so
it shouldn't do any builds anymore during instantiation.
I have tested this with both just WideVine and just Flash enabled as
well as both in combination and none of the plugins and the output seems
correct. However I didn't test to run Chromium with the new
implementation.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: Vladimír Čunát <vcunat@gmail.com>
I'm not certain about this, so I'm trying for firefox only.
Rationale: it might be confusing to see two firefox-${version} instances
in logs or paths, so I wanted to differentiate them.
- I chose to keep `browser-unwrapped` attributes so that it's much
easier to override parameters for the browser (through `packageOverrides`).
- Aliases `browserWrapper` are retained for now, as usual.
The official repository has last been updated in 2013,
meanwhile there are a lot of issues like non-existant
certificate verification. The debian repository is actively
maintained and already includes most of our custom patches,
so we use it instead.
Fixes#12257, closes#12259.
vcunat appended commit date to version.
- I don't think that amount of code belonged into all-packages.nix.
- Now the default name of the wrapped package is identical
with the command that runs the browser.
- Other defaults were changed according to how the wrapper is
(almost always) used.
- `meta` is improved: mostly inherited with priority above
the unwrapped package.
http://hydra.nixos.org/eval/1234895
The mass errors on Hydra seem transient; I verified ghc on i686-linux.
Only darwin jobs are queued ATM. There's a libpng security update
included in this merge, so I don't want to wait too long.
It is a little weird that chromium has chromium, chromiumBeta,
chromiumDev but this one is google-chrome, google-chrome-beta,
google-chrome-dev. Not quite sure what the best resolution is, if any.