- update to 124.0.6367.118

* High CVE-2024-4331: Use after free in Picture In Picture * High CVE-2024-4368: Use after free in Dawn - use system highway
6 months ago · 37db6b60fe
parent f09d3f6cf3
commit 37db6b60fe
3 changed files with 16 additions and 92 deletions
--- a/chromium-124-wayland-regression.patch
+++ b/chromium-124-wayland-regression.patch
@ -1,88 +0,0 @@
-commit c7f4c58f896a651eba80ad805ebdb49d19ebdbd4
-Author: Tom Anderson <thomasanderson@chromium.org>
-Date:   Wed Mar 20 00:00:12 2024 +0000
-
-    Fix --ozone-platform-hint
-    
-    This fixes a regression after r1269993 which moved ozone platform
-    early initialization before the ozone platform hint flag was
-    processed.  This CL ensures the flag processing happens even earlier.
-    
-    R=sky
-    
-    Change-Id: Icc9649beb0b86753265be2b6cdf3059611eb410f
-    Bug: None
-    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5375669
-    Reviewed-by: Scott Violet <sky@chromium.org>
-    Auto-Submit: Thomas Anderson <thomasanderson@chromium.org>
-    Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
-    Cr-Commit-Position: refs/heads/main@{#1275306}
-
-diff --git a/chrome/app/chrome_main_delegate.cc b/chrome/app/chrome_main_delegate.cc
-index 73b6ab0934b14..0b4c44be679d0 100644
--- a/chrome/app/chrome_main_delegate.cc
-+++ b/chrome/app/chrome_main_delegate.cc
-@@ -249,6 +249,9 @@
- #include "base/scoped_add_feature_flags.h"
- #include "ui/base/ui_base_features.h"
- #include "ui/ozone/public/ozone_platform.h"
-+#if BUILDFLAG(IS_LINUX)
-+#include "chrome/browser/chrome_browser_main_extra_parts_linux.h"
-+#endif
- #endif  // BUILDFLAG(IS_OZONE)
- 
- base::LazyInstance<ChromeContentGpuClient>::DestructorAtExit
-@@ -959,6 +962,9 @@ std::optional<int> ChromeMainDelegate::PostEarlyInitialization(
-   // Initialize Ozone platform and add required feature flags as per platform's
-   // properties. Must be added before feature list is created otherwise the
-   // added flag won't be picked up.
-+#if BUILDFLAG(IS_LINUX)
-+  ChromeBrowserMainExtraPartsLinux::InitOzonePlatformHint();
-+#endif
-   ui::OzonePlatform::PreEarlyInitialization();
-   AddFeatureFlagsToCommandLine();
- #endif  // BUILDFLAG(IS_OZONE)
-diff --git a/chrome/browser/chrome_browser_main_extra_parts_linux.cc b/chrome/browser/chrome_browser_main_extra_parts_linux.cc
-index dba7b116ecaa0..ea0487022dcdc 100644
--- a/chrome/browser/chrome_browser_main_extra_parts_linux.cc
-+++ b/chrome/browser/chrome_browser_main_extra_parts_linux.cc
-@@ -168,7 +168,13 @@ ChromeBrowserMainExtraPartsLinux::ChromeBrowserMainExtraPartsLinux() = default;
- 
- ChromeBrowserMainExtraPartsLinux::~ChromeBrowserMainExtraPartsLinux() = default;
- 
-void ChromeBrowserMainExtraPartsLinux::PreEarlyInitialization() {
-+void ChromeBrowserMainExtraPartsLinux::PostBrowserStart() {
-+  RecordDisplayServerProtocolSupport();
-+  ChromeBrowserMainExtraPartsOzone::PostBrowserStart();
-+}
-+
-+// static
-+void ChromeBrowserMainExtraPartsLinux::InitOzonePlatformHint() {
- #if BUILDFLAG(IS_LINUX)
-   // On the desktop, we fix the platform name if necessary.
-   // See https://crbug.com/1246928.
-@@ -189,8 +195,3 @@ void ChromeBrowserMainExtraPartsLinux::PreEarlyInitialization() {
-   }
- #endif  // BUILDFLAG(IS_LINUX)
- }
-
-void ChromeBrowserMainExtraPartsLinux::PostBrowserStart() {
-  RecordDisplayServerProtocolSupport();
-  ChromeBrowserMainExtraPartsOzone::PostBrowserStart();
-}
-diff --git a/chrome/browser/chrome_browser_main_extra_parts_linux.h b/chrome/browser/chrome_browser_main_extra_parts_linux.h
-index 3847bd2090e28..4f188a7bdfe38 100644
--- a/chrome/browser/chrome_browser_main_extra_parts_linux.h
-+++ b/chrome/browser/chrome_browser_main_extra_parts_linux.h
-@@ -17,9 +17,10 @@ class ChromeBrowserMainExtraPartsLinux
-       const ChromeBrowserMainExtraPartsLinux&) = delete;
-   ~ChromeBrowserMainExtraPartsLinux() override;
- 
-+  static void InitOzonePlatformHint();
-+
-  private:
-   // ChromeBrowserMainExtraParts overrides.
-  void PreEarlyInitialization() override;
-   void PostBrowserStart() override;
- };
- 
--- a/chromium.spec
+++ b/chromium.spec
@ -245,6 +245,7 @@
 %else
 %global bundlebrotli 1
 %endif
+%global bundlehighway 0
 %global bundledav1d 0
 %global bundleopus 0
 %global bundlelibusbx 0
@ -306,7 +307,7 @@
 %endif

 Name:	chromium%{chromium_channel}
-Version: 124.0.6367.91
+Version: 124.0.6367.118
 Release: 1%{?dist}
 Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use
 Url: http://www.chromium.org/Home
@ -564,7 +565,6 @@ Patch415: fix-clang-selection.patch
 # upstream patches
 # 64kpage support on el8
 Patch500: chromium-124-el8-support-64kpage.patch
-Patch501: chromium-124-wayland-regression.patch

 # Use chromium-latest.py to generate clean tarball from released build tarballs, found here:
 # http://build.chromium.org/buildbot/official/
@ -771,6 +771,10 @@ BuildRequires: woff2-devel
 BuildRequires: libdav1d-devel
 %endif

+%if ! %{bundlehighway}
+BuildRequires: highway-devel
+%endif
+
 %if ! %{bundlelibavif}
 BuildRequires: libavif-devel
 %endif
@ -1322,7 +1326,6 @@ udev.
 %patch -P500 -p1 -b .el8-support-64kpage.patch
 %endif
 %endif
-%patch -P501 -p1 -b .wayland-regression

 # Change shebang in all relevant files in this directory and all subdirectories
 # See `man find` for how the `-exec command {} +` syntax works
@ -1642,6 +1645,9 @@ system_libs=()
 %if ! %{bundledav1d}
 	system_libs+=(dav1d)
 %endif
+%if ! %{bundlehighway}
+	system_libs+=(highway)
+%endif
 %if ! %{bundlefontconfig}
 	system_libs+=(fontconfig)
 %endif
@ -2120,6 +2126,12 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
 %endif

 %changelog
+* Wed May 01 2024 Than Ngo <than@redhat.com> - 124.0.6367.118-1
+- update to 124.0.6367.118
+  * High CVE-2024-4331: Use after free in Picture In Picture
+  * High CVE-2024-4368: Use after free in Dawn
+- use system highway
+
 * Sat Apr 27 2024 Than Ngo <than@redhat.com> - 124.0.6367.91-1
 - update to 124.0.6367.91
 - fixed bz#2277228 - chromium wrapper causes library issues (symbol lookup error)
--- a/2
+++ b/2
@ -2,4 +2,4 @@ SHA512 (node-v20.6.1-linux-arm64.tar.xz) = adfcaf2c22614797fd69fb46d94c1cbf64dea
 SHA512 (node-v20.6.1-linux-x64.tar.xz) = 7e15c05041a9a50f0046266aadb2e092a5aefbec19be1c7c809471add520cb57c7df3c47d88b1888b29bf2979dca3c92adddfd965370fa2a9da4ea02186464fd
 SHA512 (linux-arm64-0.19.2.tgz) = 8a0d8fec6786fffcd6954d00820037a55d61e60762c74300df0801f8db27057562c221a063bedfb8df56af9ba80abb366336987e881782c5996e6f871abd3dc6
 SHA512 (linux-x64-0.19.2.tgz) = a31cc74c4bfa54f9b75d735a1cfc944d3b5efb7c06bfba9542da9a642ae0b2d235ea00ae84d3ad0572c406405110fe7b61377af0fd15803806ef78d20fc6f05d
-SHA512 (chromium-124.0.6367.91-clean.tar.xz) = 183a3af2b639e63bec636e9ad9e6d091993cb63bb4369b9804b8a72d8fb946e6efd9288884bd9698426b0f595cc57ff4e9884ff91fba7ec1ed16d9d96eb046d1
+SHA512 (chromium-124.0.6367.118-clean.tar.xz) = 203d0abe379aceee628f8e38b8e57265d984aba260a319bf9c2c718aa71bc211dc7a38ca443d01d3fb5f0867debb4cc49fcda0b9b8e4b12aef68af2cfba90e06