From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
Fixes: #12840
Related to: 61042a561042a5 changes the replaced token from $something to @something@. This
commit repeats that change in one additional location used by the
WideVine plugin
There is already a pull request from @colemickens, who has just reversed
the variable references $flash and $flashVersion but the fix is kinda
fragile as he points out himself in #12713.
The reason the wrong substition was made is that both variables begin
with the same name and we do a simple replace instead of a more
complicated one using builtins.match.
So staying simple but to still not raising issues with other variables
that begin with the same name I'm now using @var@ instead, like we use
in substituteAll and other substituters (like the ones in CMake or
autotools) deal with it.
Note that I'm not using $var$ here to make sure it doesn't get confused
with real shell variables.
So with this fix in place, the wrapper now has the following flags:
--ppapi-flash-path=/nix/store/.../lib/libpepflashplayer.so
--ppapi-flash-version=20.0.0.294
Previously we had (#12710):
--ppapi-flash-path=/nix/store/.../lib/libpepflashplayer.so
--ppapi-flash-version=/nix/store/...-binary-plugins-flashVersion
Thanks to @colemickens for reporting and putting up a pull request.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #12710Fixes: #12713
This reverts commit f7af2272a2.
We're going to fix#12710 properly by reintroducing 38c77bb and fixing
the shell variable substitution.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
- Fixes CVE-2016-1612 CVE-2016-1613 CVE-2016-1614 CVE-2016-1615
CVE-2016-1616 CVE-2016-1617 CVE-2016-1618 CVE-2016-1619 CVE-2016-1620.
- Moves chromium stable and beta channels up one version major.
vcunat made dev channel stay for now, as it wouldn't download otherwise.
This is most of PR #12717.
This package is deprecated and superseeded by links2 which also provides the
links binary this maintaining backwards-compatibility.
Debian removed links back in 2008:
https://packages.qa.debian.org/l/links.htmlFixes#12623.
Working on Chromium really drives me nuts due to its build time, also I
really don't have quite a lot of time these days to properly maintain it
anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This has been introduced by me in 690a845 and discovered by @vcunat in
his comment over at:
690a845de9 (commitcomment-14209868)
It's really a bit ugly to have builds running during evaluation, but
back when I made that commit the reason was to avoid having to shell
quote the hell out of it (see the comment in mkPluginInfo for the
reason).
Now we propagate plugin flags and environment variables as a list of
arguments in a plain file that's appended verbatim to makeWrapper, so
it shouldn't do any builds anymore during instantiation.
I have tested this with both just WideVine and just Flash enabled as
well as both in combination and none of the plugins and the output seems
correct. However I didn't test to run Chromium with the new
implementation.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: Vladimír Čunát <vcunat@gmail.com>
I'm not certain about this, so I'm trying for firefox only.
Rationale: it might be confusing to see two firefox-${version} instances
in logs or paths, so I wanted to differentiate them.
- I chose to keep `browser-unwrapped` attributes so that it's much
easier to override parameters for the browser (through `packageOverrides`).
- Aliases `browserWrapper` are retained for now, as usual.
The official repository has last been updated in 2013,
meanwhile there are a lot of issues like non-existant
certificate verification. The debian repository is actively
maintained and already includes most of our custom patches,
so we use it instead.
Fixes#12257, closes#12259.
vcunat appended commit date to version.
- I don't think that amount of code belonged into all-packages.nix.
- Now the default name of the wrapped package is identical
with the command that runs the browser.
- Other defaults were changed according to how the wrapper is
(almost always) used.
- `meta` is improved: mostly inherited with priority above
the unwrapped package.
http://hydra.nixos.org/eval/1234895
The mass errors on Hydra seem transient; I verified ghc on i686-linux.
Only darwin jobs are queued ATM. There's a libpng security update
included in this merge, so I don't want to wait too long.
It is a little weird that chromium has chromium, chromiumBeta,
chromiumDev but this one is google-chrome, google-chrome-beta,
google-chrome-dev. Not quite sure what the best resolution is, if any.
Built and run Beta and Stable locally. Dev is surrently superseded by Stable so
it doesn't matter much.
- Dev: 47.0.2508.0 -> 48.0.2564.22
- Beta: 46.0.2490.64 -> 48.0.2564.23
- Stable: 45.0.2454.101 -> 47.0.2526.73
Changed the SSL dependencies to the supported configuration on Linux (according
to Torne @Freenode/#chromium-support).
- NSS is a dependency since it is used to access the ceritiface store.
- Dropped system OpenSSL support, the bundled BoringSSL is used.
This probably fixes issue #10555. Note that without this adjustment the build
fails even.
Dropped uneeded old patches.
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
As suggested the Google Chrome .deb file that is used for Chromium's plugins is reused.
vcunat removed lots of newlines, as the style was diverging from the
majority far too much (IHHO).
Close#10444, fixes#8749.
For some reason it's more involved than just setting gyp configuration,
we also have to set some definitions in widevine_cdm_version.h according
to the comments left in the file. Arch Linux does this already and so we
should probably just use the patch they created while getting Netflix to
work:
https://code.google.com/p/chromium/issues/detail?id=429452#c16
- systemd puts all into one output now (except for man),
because I wasn't able to fix all systemd/udev refernces
for NixOS to work well
- libudev is now by default *copied* into another path,
which is what most packages will use as build input :-)
- pkgs.udev = [ libudev.out libudev.dev ]; because there are too many
references that just put `udev` into build inputs (to rewrite them all),
also this made "${udev}/foo" fail at *evaluation* time
so it's easier to catch and change to something more specific
Upstream changes to the build system required adjusting many packages'
dependencies. On the Nixpkgs side, we no longer propagate the dependency
on cmake (to reduce closure size), so downstream dependencies had to be
adjusted for most packages that depend on kdelibs.
The patch only applies for Firefox versions between 37.0 and 40.1.
Because we're on version 41.0 the changes are already included upstream
and thus the patch doesn't apply and is even unnecessary.
As for version 38.3 for ESR, the patch doesn't apply as well if compiled
with enableGTK3. Of course, this is a bit unfortunate but I don't have
the time right now to properly rebase the patch on 38.3.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: devhell <"^"@regexmail.net>
It's another attempt to fix chromium builds.
See http://hydra.nixos.org/build/26086977/nixlog/4/raw
Unpacking sources is actually taking more than 2h so build fails.
Instead, rather build it remotely and then copy over the output as
we don't have limits for download time.
See 089bdce621 for reference
cc @aszlig
(cherry picked from commit cef54e7d67870ff68c9787ff60cd50ca4bf1d8af)
Signed-off-by: Domen Kožar <domen@dev.si>
This seems to have been confusing people, using both xlibs and xorg, etc.
- Avoided renaming local (and different) xlibs binding in gcc*.
- Fixed cases where both xorg and xlibs were used.
Hopefully everything still works as before.
