From 5cb0018cf958cfcc52d44ede9f06dda5208d036b Mon Sep 17 00:00:00 2001
From: emilylange
Date: Fri, 18 Oct 2024 01:56:56 +0200
Subject: [PATCH] chromium,chromedriver: 129.0.6668.100 -> 130.0.6723.58
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
This update includes 17 security fixes.
CVEs: CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957 CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961 CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965 CVE-2024-9966
(cherry picked from commit b71ae2d9501c687ab40e784d209e813df2259f2d)
---
 .../networking/browsers/chromium/common.nix | 20 +++++++++++++++++--
 .../networking/browsers/chromium/default.nix | 6 ++++++
 .../browsers/chromium/upstream-info.nix | 18 ++++++++---------
 3 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index d5c4e012ced2e..3e6843950856e 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -72,9 +72,9 @@ let
 # source tree.
 extraAttrs = buildFun base;
- githubPatch = { commit, hash, revert ? false }: fetchpatch {
+ githubPatch = { commit, hash, revert ? false, excludes ? [] }: fetchpatch {
 url = "https://github.com/chromium/chromium/commit/${commit}.patch";
- inherit hash revert;
+ inherit hash revert excludes;
 };
 mkGnFlags =
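Review bot: The new `excludes` argument of `githubPatch` in common.nix is undocumented, and it changes what `hash` actually pins: as far as I know fetchpatch hashes the patch after filtering and reverting, so the value is tied to the `excludes` and `revert` settings. Because the result is a fixed-output derivation, editing `excludes` while leaving `hash` untouched can be satisfied from the store or a binary cache with the old, differently filtered patch, and no error is raised. I would add a comment above the helper such as `# hash is taken over the patch after excludes/revert are applied; replace it whenever either changes`. The enclosing `let` block starts and ends outside the hunk.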
@@ -283,6 +283,22 @@ let
 ] ++ lib.optionals (chromiumVersionAtLeast "129") [
 # Rebased variant of patch right above to build M129+ with our rust and our clang.
 ./patches/chromium-129-rust.patch
+ ] ++ lib.optionals (chromiumVersionAtLeast "130") [
+ # Our rustc.llvmPackages is too old for std::hardware_destructive_interference_size
+ # and std::hardware_constructive_interference_size.
+ # So let's revert the change for now and hope that our rustc.llvmPackages and
+ # nixpkgs-stable catch up sooner than later.
+ # https://groups.google.com/a/chromium.org/g/cxx/c/cwktrFxxUY4
+ # https://chromium-review.googlesource.com/c/chromium/src/+/5767325
+ # Note: We exclude the changes made to the partition_allocator (PA), as the revert
+ # would otherwise not apply because upstream reverted those changes to PA already
+ # in https://chromium-review.googlesource.com/c/chromium/src/+/5841144
+ (githubPatch {
+ commit = "fc838e8cc887adbe95110045d146b9d5885bf2a9";
+ hash = "sha256-NNKzIp6NYdeZaqBLWDW/qNxiDB1VFRz7msjMXuMOrZ8=";
+ excludes = [ "base/allocator/partition_allocator/src/partition_alloc/*" ];
+ revert = true;
+ })
 ];
 postPatch = ''
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 29515ce7150e0..3cb31126a6c5c 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
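Review bot: The `chromiumVersionAtLeast "130"` gate on the reverted upstream commit in the common.nix `patches` list has no upper bound and no stated removal condition, so the revert keeps being applied to every later milestone until it stops applying. The comment says why the revert is needed "for now" but not what must be true before it can be dropped. A line such as `# TODO: remove once rustc.llvmPackages provides std::hardware_destructive_interference_size (<tracking issue>)` would give the next version bump something concrete to check. This matters more than usual here because the patch carries a local deviation from upstream in a browser build. The list itself starts outside the hunk.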
@@ -63,6 +63,12 @@ let
 # Relax hardening as otherwise gn unstable 2024-06-06 and later fail with:
 # cc1plus: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]
 hardeningDisable = [ "format" ];
+ } // lib.optionalAttrs (chromiumVersionAtLeast "130") {
+ # At the time of writing, gn is at v2024-05-13 and has a backported patch.
+ # This patch appears to be already present in v2024-09-09 (from M130), which
+ # results in the patch not applying and thus failing the build.
+ # As a work around until gn is updated again, we filter specifically that patch out.
+ patches = lib.filter (e: lib.getName e != "LFS64.patch") oldAttrs.patches;
 });
 recompressTarball = callPackage ./recompress-tarball.nix { inherit chromiumVersionAtLeast; };
 });
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 1dae6fdb4a4b0..1e13bee43289d 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
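Review bot: In default.nix, `lib.getName e` in the new `patches` filter assumes every entry of `oldAttrs.patches` is a derivation or a string; a plain path entry would, as far as I can tell, fail evaluation instead of being kept. `oldAttrs.patches` also fails if the gn package ever stops defining `patches`. Matching on the name attribute with defaults avoids both: `patches = lib.filter (e: (e.name or "") != "LFS64.patch") (oldAttrs.patches or [ ]);`. The comment could also name the condition for deleting the override, e.g. `# TODO: drop once the gn package is at or past v2024-09-09`. The surrounding override (presumably an `overrideAttrs` call) starts outside the hunk.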
@@ -1,22 +1,22 @@
 {
 stable = {
 chromedriver = {
- hash_darwin = "sha256-/0mBZCSNULvZSQ/irsQSgNPsuOSWiRRnJA/6ogHYeGk=";
+ hash_darwin = "sha256-YndBzhUNmn5tJdCqLmpUrs2WBXXpTxiKCNczWEz6DU4=";
 hash_darwin_aarch64 =
- "sha256-JWcYFYaaXM2KN6oSu7wwxztYPbhql2XYZlvL2ymKgwI=";
- hash_linux = "sha256-odFoTWjDa9ilyOrQ0T+0xxedRD7YOe/s7xdAyyku74w=";
- version = "129.0.6668.91";
+ "sha256-taG58kMgQUD40aGqnyx9O9e9m4qGsTWX57cjD3NeHm4=";
+ hash_linux = "sha256-raWGzhjqWdm5bRK+Z7Qga8QM9kQYSXxdL5N+wk1hlXI=";
+ version = "130.0.6723.58";
 };
 deps = {
 gn = {
- hash = "sha256-8o3rDdojqVHMQCxI2T3MdJOXKlW3XX7lqpy3zWhJiaA=";
- rev = "d010e218ca7077928ad7c9e9cc02fe43b5a8a0ad";
+ hash = "sha256-iNXRq3Mr8+wmY1SR4sV7yd2fDiIZ94eReelwFI0UhGU=";
+ rev = "20806f79c6b4ba295274e3a589d85db41a02fdaa";
 url = "https://gn.googlesource.com/gn";
- version = "2024-08-19";
+ version = "2024-09-09";
 };
 };
- hash = "sha256-LOZ9EPw7VgBNEV7Wxb8H5WfSYTTWOL8EDP91uCrZAsA=";
- version = "129.0.6668.100";
+ hash = "sha256-w1xQr+B7ROeCqBRN+M9vmh45YTRqVfjDYSsN5saDuDo=";
+ version = "130.0.6723.58";
 };
 ungoogled-chromium = {
 deps = {