Also fix such obsolete flags:
* `use_gconf` was already known to become obsolete with Chromium 65
* `enable_hotwording` has been removed in upstream commit d693f0c7ab
Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28
Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30
High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20
High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15
High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04
High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12
High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05
High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08
Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01
Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01
Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11
Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19
Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26
Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03
Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03
Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11
Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19
Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20
Medium CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani on 2018-02-24
Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08
Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18
Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25
Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02
Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27
Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10
Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24
Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02
Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29
Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25
Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13
Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07
Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15
Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15
Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15
this introduces a standard approach to playing with patches from the
gentoo repository.
the patches for 64 are a first guess during a build in progress
cc @YorikSar @aszlig
Includes security fixes for CVE-2017-15398 and CVE-2017-15399.
Also fixes builds for beta and dev branches:
- backport https://webrtc-review.googlesource.com/9384 to fix build for
new webrtc revision
- for dev branch fix gn bootstrap, see
https://chromium-review.googlesource.com/758584
- for 63+ manpage now is not generated during ninja build, it is
processed with sed using packagers tools included in sources
also fix beta/dev build - use harfbuzz from sources
Unfortunatelly after [0] chromium doesn't support using harfbuzz provided by
system while using vendored version of freetype.
Disabling usage of separate harfbuzz for now.
[0] https://chromium-review.googlesource.com/c/chromium/src/+/696241
This should allow us to easily add system-wide Chromium extensions via a
NixOS configuration similar to this:
{ pkgs, ... }: {
environment.pathsToLink = [ "/share/chromium/extensions" ];
environment.systemPackages = [ pkgs.my-shiny-extension ];
}
For more details about what Chromium expects within that directory, see:
https://developer.chrome.com/extensions/external_extensions
I've introduced this because of a personal desire to gain more control
about which extensions are installed and what they are able to do. All
of the extensions I use are free software, but despite that it's useful
to either easily patch them and also prevent unwanted automatic updates.
Tested this using the NixOS "chromium.stable" test on x86_64-linux.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @offlinehacker because of #21050
somehow, the build seems to have changed with chromium 58, to not auto
download the node binary. It is needed to generate webui files and we
can substitute our own.
Versions before 56 already had experimental support for Gtk 3 and since
version 56, Gtk 3 _seemed_ to become the default. Although it's now
requiring *both* Gtk 2 and Gtk3, so let's supply the dependency for now
to get it to build.
In the future however we might want to add use_gtk3 to the GN flags and
get rid of Gtk 2 completely.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Before version 54, the WideVine CDM plugin was built unconditionally and
it seems since version 54 this now is dependent upon a GYP/GN flag on
whether to include the CDM shared library or not.
Also, we now use a patch from Gentoo which should hopefully get the CDM
plugin to work properly, at least according to their bugtracker:
https://bugs.gentoo.org/show_bug.cgi?id=547630
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Seems that these libraries aren't the ones Chromium is expecting to be,
so let's switch to use the bundled version of these libraries instead.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Previously I've added the extra file common-gn.nix in addition to
common.nix, so we can possibly have a smooth transition from current
stable to the new version 54.
Unfortunately, version 53 is already EOL and we have to move to version
54 as soon as possible so we can only use GN and thus it doesn't make
sense to provide expressions for GYP anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This should now be the upstream default and there also is no more flag
for GN to set it, so we'll no longer need it on our side as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
