From 7513149b098ce0b7fd13740318315a79fef3ee57 Mon Sep 17 00:00:00 2001
From: tigro
Date: Fri, 14 Feb 2025 21:12:35 +0300
Subject: [PATCH] - Update to 133.0.6943.98
* CVE-2025-0995: Use after free in V8
* CVE-2025-0996: Inappropriate implementation in Browser UI
* CVE-2025-0997: Use after free in Navigation
* CVE-2025-0998: Out of bounds memory access in V8
---
.chromium.metadata | 2 +-
.gitignore | 2 +-
SOURCES/chromium-133-pipewire-cast.patch | 21 ++++++++++
...3-workaround-system-ffmpeg-whitelist.patch | 27 ++++++++----
...pak-Expose-Widevine-into-the-sandbox.patch | 42 +++++++------------
SPECS/chromium.spec | 22 +++++++++-
6 files changed, 78 insertions(+), 38 deletions(-)
create mode 100644 SOURCES/chromium-133-pipewire-cast.patch
diff --git a/.chromium.metadata b/.chromium.metadata
index 6d214543..c4309bb4 100644
--- a/.chromium.metadata
+++ b/.chromium.metadata
@@ -1,4 +1,4 @@
-ea06e9381e5b28a56a1eb3d2d183e4b3ea3c7783 SOURCES/chromium-133.0.6943.53.tar.xz
+6c74fd7c74d7d79e604fb909b8b3fbe34b7858df SOURCES/chromium-133.0.6943.98.tar.xz
 f0fe87c901fd8d1e44eba483b8f4d8540d780308 SOURCES/Chromium-Gost-37dd7d5b7f087dce6afa0d354f4c1303681dbe8b.tar.xz
 668e0721b89238cf10605bd02db809a9e5c3f9c7 SOURCES/msspi-7f7847892d4c69c454a58093553fa34d1b09c0a0.tar.xz
 dea187019741602d57aaf189a80abba261fbd2aa SOURCES/linux-x64-0.19.2.tgz
diff --git a/.gitignore b/.gitignore
index 4c28351c..f72bdebf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-SOURCES/chromium-133.0.6943.53.tar.xz
+SOURCES/chromium-133.0.6943.98.tar.xz
 SOURCES/linux-x64-0.19.2.tgz
 SOURCES/linux-arm64-0.19.2.tgz
 SOURCES/node-v20.6.1-linux-x64.tar.xz
diff --git a/SOURCES/chromium-133-pipewire-cast.patch b/SOURCES/chromium-133-pipewire-cast.patch
new file mode 100644
index 00000000..670cb70e
--- /dev/null
+++ b/SOURCES/chromium-133-pipewire-cast.patch
@@ -0,0 +1,21 @@
+diff -up chromium-133.0.6943.53/third_party/webrtc/modules/video_capture/linux/pipewire_session.cc.me chromium-133.0.6943.53/third_party/webrtc/modules/video_capture/linux/pipewire_session.cc
+--- chromium-133.0.6943.53/third_party/webrtc/modules/video_capture/linux/pipewire_session.cc.me 2025-02-12 19:09:54.742875003 +0100
++++ chromium-133.0.6943.53/third_party/webrtc/modules/video_capture/linux/pipewire_session.cc 2025-02-12 19:12:17.492620559 +0100
+@@ -87,7 +87,7 @@ PipeWireNode::PipeWireNode(PipeWireSessi
+ .param = OnNodeParam,
+ };
+
+- pw_node_add_listener(proxy_, &node_listener_, &node_events, this);
++ pw_node_add_listener((struct pw_node*) proxy_, &node_listener_, &node_events, this);
+ }
+
+ // static
+@@ -119,7 +119,7 @@ void PipeWireNode::OnNodeInfo(void* data
+ uint32_t id = info->params[i].id;
+ if (id == SPA_PARAM_EnumFormat &&
+ info->params[i].flags & SPA_PARAM_INFO_READ) {
+- pw_node_enum_params(that->proxy_, 0, id, 0, UINT32_MAX, nullptr);
++ pw_node_enum_params((struct pw_node*)that->proxy_, 0, id, 0, UINT32_MAX, nullptr);
+ break;
+ }
+ }
diff --git a/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch b/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
index e873023c..d0e56f4e 100644
--- a/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
+++ b/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
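Review bot: The two added calls in PipeWireNode::PipeWireNode and PipeWireNode::OnNodeInfo use C-style casts, `(struct pw_node*) proxy_` and `(struct pw_node*)that->proxy_`, inside a C++ translation unit; Chromium style would spell the intentional pointer reinterpretation as `reinterpret_cast<pw_node*>(proxy_)` so the conversion is greppable and cannot silently turn into a const or integer cast if the member's type ever changes. The cast itself looks like the usual way of handing a registry-bound proxy to the typed PipeWire node macros, but `proxy_` is declared outside this hunk, so that should be confirmed against its declaration. The embedded `diff -up`/`---`/`+++` headers still name chromium-133.0.6943.53 while the other patches refreshed in this commit use .98; harmless with -p1, but worth regenerating for consistency. Both enclosing functions start and end outside the hunk.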
@@ -1,21 +1,34 @@
-diff -up chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc
---- chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me 2025-02-09 19:57:35.117198035 +0100
-+++ chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc 2025-02-09 22:57:26.429570196 +0100
+diff -up chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc
+--- chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than 2025-02-13 11:59:31.035724118 +0100
++++ chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc 2025-02-14 10:39:07.825746076 +0100
@@ -76,6 +76,8 @@ const char* GetAllowedVideoDecoders() { void ApplyCodecContextSecuritySettings(AVCodecContext* codec_context) { // Future versions of ffmpeg may copy the allow list from the format // context. -+// Workaround for codec whitelist with system ffmpeg ++ // Workaround for codec whitelist with system ffmpeg +#if 0 if (!codec_context->codec_whitelist) { // Note: FFmpeg will try to free this string, so we must duplicate it. codec_context->codec_whitelist = -@@ -83,7 +85,7 @@ void ApplyCodecContextSecuritySettings(A +@@ -83,6 +85,7 @@ void ApplyCodecContextSecuritySettings(A ? GetAllowedAudioDecoders() : GetAllowedVideoDecoders()); } -- +#endif + // Note: This is security sensitive. FFmpeg may not always continue safely // in the presence of errors. See https://crbug.com/379418979 - if (base::FeatureList::IsEnabled(kStrictFFmpegCodecs)) { +diff -up chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc +--- chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than 2025-02-14 10:14:13.360398193 +0100 ++++ chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc 2025-02-14 10:36:46.762332912 +0100 +@@ -131,8 +131,10 @@ FFmpegGlue::FFmpegGlue(FFmpegURLProtocol + // memory usage. + // + // Note: FFmpeg will try to free these strings, so we must duplicate them. ++#if 0 + format_context_->codec_whitelist = av_strdup(GetAllowedAudioDecoders()); + format_context_->format_whitelist = av_strdup(GetAllowedDemuxers()); ++#endif + } + + bool FFmpegGlue::OpenContext(bool is_local_file) { diff --git a/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch b/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch index b6f953dc..e74420db 100644 --- a/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch +++ b/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch @@ -3,16 +3,9 @@ 
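Review bot: The new `+#if 0`/`+#endif` around `format_context_->codec_whitelist = av_strdup(GetAllowedAudioDecoders());` and `format_context_->format_whitelist = av_strdup(GetAllowedDemuxers());` in FFmpegGlue::FFmpegGlue removes the demuxer and decoder allow lists on the format context, going beyond the codec-context `#if 0` the earlier revision of this patch already carried. With both disabled, web-supplied media can reach every demuxer and decoder compiled into the system libavformat/libavcodec during probing, which is the exposure the retained context comment `// Note: This is security sensitive. FFmpeg may not always continue safely in the presence of errors.` is warning about. If the motivation is that the hard-coded lists reject components the system ffmpeg exposes under other names, the narrower fix is to extend GetAllowedDemuxers()/GetAllowedAudioDecoders() for that build rather than drop the lists; failing that, the spec should carry a comment next to this patch recording the trade-off, e.g. `# NOTE: disables Chromium's FFmpeg demuxer/decoder allow lists; every format in the system ffmpeg becomes reachable from web content`. FFmpegGlue::FFmpegGlue starts outside the hunk.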
From: Ryan Gonzalez Date: Tue, 17 Nov 2020 13:00:39 -0600 Subject: [PATCH] flatpak: Expose Widevine into the sandbox ---- - .../zygote_host/zygote_host_impl_linux.cc | 54 +++++++++++++- - sandbox/linux/services/flatpak_sandbox.cc | 74 ++++++++++++++----- - sandbox/linux/services/flatpak_sandbox.h | 27 ++++++- - 3 files changed, 131 insertions(+), 24 deletions(-) - -diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc -index 1703fb6ade044..3e8eb87981230 100644 ---- a/content/browser/zygote_host/zygote_host_impl_linux.cc -+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc +diff -up chromium-133.0.6943.98/content/browser/zygote_host/zygote_host_impl_linux.cc.me chromium-133.0.6943.98/content/browser/zygote_host/zygote_host_impl_linux.cc +--- chromium-133.0.6943.98/content/browser/zygote_host/zygote_host_impl_linux.cc.me 2025-02-13 15:25:34.040044876 +0100 ++++ chromium-133.0.6943.98/content/browser/zygote_host/zygote_host_impl_linux.cc 2025-02-13 17:19:22.030423834 +0100 @@ -9,7 +9,10 @@ #include @@ -24,10 +17,10 @@ index 1703fb6ade044..3e8eb87981230 100644 #include "base/posix/unix_domain_socket.h" #include "base/process/kill.h" #include "base/process/launch.h" -@@ -18,9 +21,12 @@ +@@ -17,9 +20,12 @@ + #include "base/strings/string_number_conversions.h" #include "base/types/fixed_array.h" #include "build/build_config.h" - #include "build/chromeos_buildflags.h" +#include "chrome/common/chrome_paths.h" // nogncheck #include "content/common/zygote/zygote_commands_linux.h" #include "content/common/zygote/zygote_communication_linux.h" 
@@ -37,7 +30,7 @@ index 1703fb6ade044..3e8eb87981230 100644 #include "content/public/common/zygote/zygote_handle.h" #include "sandbox/linux/services/credentials.h" #include "sandbox/linux/services/flatpak_sandbox.h" -@@ -29,6 +35,7 @@ +@@ -28,6 +34,7 @@ #include "sandbox/linux/suid/common/sandbox.h" #include "sandbox/policy/linux/sandbox_linux.h" #include "sandbox/policy/switches.h" @@ -45,7 +38,7 @@ index 1703fb6ade044..3e8eb87981230 100644 #if BUILDFLAG(IS_CHROMEOS) #include "content/common/zygote/zygote_communication_linux.h" -@@ -193,8 +200,51 @@ pid_t ZygoteHostImpl::LaunchZygote( +@@ -192,8 +199,51 @@ pid_t ZygoteHostImpl::LaunchZygote( if (is_sandboxed_zygote && use_namespace_sandbox_) { process = sandbox::NamespaceSandbox::LaunchProcess(*cmd_line, options); } else if (is_sandboxed_zygote && use_flatpak_sandbox_) { @@ -99,10 +92,9 @@ index 1703fb6ade044..3e8eb87981230 100644 } else { process = base::LaunchProcess(*cmd_line, options); } -diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc -index 2a915a5b9fa11..ed8d4c0556f63 100644 ---- a/sandbox/linux/services/flatpak_sandbox.cc -+++ b/sandbox/linux/services/flatpak_sandbox.cc +diff -up chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.cc.me chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.cc +--- chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.cc.me 2025-02-13 15:25:34.048045104 +0100 ++++ chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.cc 2025-02-13 17:14:05.784569012 +0100 @@ -4,6 +4,7 @@ #include "sandbox/linux/services/flatpak_sandbox.h" 
@@ -130,7 +122,7 @@ index 2a915a5b9fa11..ed8d4c0556f63 100644 FlatpakSandbox::FlatpakSandbox() : bus_thread_("FlatpakPortalBus"), process_info_cv_(&process_info_lock_) {} -@@ -168,8 +181,9 @@ bool FlatpakSandbox::IsPidSandboxed(base::ProcessId relative_pid) { +@@ -168,8 +181,9 @@ bool FlatpakSandbox::IsPidSandboxed(base base::Process FlatpakSandbox::LaunchProcess( const base::CommandLine& cmdline, @@ -142,7 +134,7 @@ index 2a915a5b9fa11..ed8d4c0556f63 100644 if (external_pid == base::kNullProcessId) { return base::Process(); } -@@ -363,9 +377,9 @@ void FlatpakSandbox::OnSpawnExitedSignal(dbus::Signal* signal) { +@@ -363,9 +377,9 @@ void FlatpakSandbox::OnSpawnExitedSignal process_info_cv_.Broadcast(); } @@ -260,10 +252,9 @@ index 2a915a5b9fa11..ed8d4c0556f63 100644 if (sandbox_flags != 0) { dbus::MessageWriter entry_writer(nullptr); options_writer.OpenDictEntry(&entry_writer); -diff --git a/sandbox/linux/services/flatpak_sandbox.h b/sandbox/linux/services/flatpak_sandbox.h -index 167bbc85945ad..de8e7165b4573 100644 ---- a/sandbox/linux/services/flatpak_sandbox.h -+++ b/sandbox/linux/services/flatpak_sandbox.h +diff -up chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.h.me chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.h +--- chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.h.me 2025-02-13 15:25:34.048045104 +0100 ++++ chromium-133.0.6943.98/sandbox/linux/services/flatpak_sandbox.h 2025-02-13 17:14:05.784569012 +0100 @@ -9,6 +9,8 @@ #include "base/compiler_specific.h" #include "base/containers/flat_map.h" @@ -321,6 +312,3 @@ index 167bbc85945ad..de8e7165b4573 100644 void OnSpawnResponse(base::ProcessId* out_external_pid, base::WaitableEvent* event, dbus::Response* response, --- -2.46.1 - diff --git a/SPECS/chromium.spec b/SPECS/chromium.spec index 3102a6e5..2485ce7e 100644 --- a/SPECS/chromium.spec +++ b/SPECS/chromium.spec 
@@ -308,7 +308,7 @@ %endif Name: chromium%{chromium_channel} -Version: 133.0.6943.53 +Version: 133.0.6943.98 Release: 1%{?dist}.inferit Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home @@ -391,6 +391,9 @@ Patch353: chromium-127-aarch64-duplicate-case-value.patch # remove flag split-threshold-for-reg-with-hint, it's not supported in clang <= 17 Patch354: chromium-126-split-threshold-for-reg-with-hint.patch +# fix build error with new pipewire in f43 +Patch356: chromium-133-pipewire-cast.patch + # fix build error: no member named 'hardware_destructive_interference_size' in namespace 'std' Patch355: chromium-130-hardware_destructive_interference_size.patch @@ -399,7 +402,7 @@ Patch358: chromium-127-rust-clanglib.patch # PowerPC64 LE support # Timothy Pearson's patchset -# https://gitlab.solidsilicon.io/public-development/open-source/chromium/openpower-patches/-/tree/chromium-128/patches/ppc64le +# https://gitlab.raptorengineering.com/raptor-engineering-public/chromium/openpower-patches Patch359: add-ppc64-architecture-string.patch Patch360: 0001-linux-seccomp-bpf-ppc64-glibc-workaround-in-SIGSYS-h.patch Patch361: 0001-sandbox-Enable-seccomp_bpf-for-ppc64.patch @@ -1203,6 +1206,10 @@ sed -i 's/std::string data_dir_basename = "chromium"/std::string data_dir_basena %patch -P355 -p1 -b .hardware_destructive_interference_size +%if 0%{?fedora} > 42 +%patch -P356 -p1 -b .pipewire-cast +%endif + %patch -P358 -p1 -b .rust-clang_lib %patch -P359 -p1 -b .libavif-deps @@ -1424,7 +1431,11 @@ rust_bindgen_root="%{_prefix}" # set clang version clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)" +%if 0%{?fedora} > 41 +clang_base_path="/usr" +%else clang_base_path="$(clang --version | grep InstalledDir | cut -d' ' -f2 | sed 's#/bin##')" +%endif # Core defines are flags that are true for both the browser and headless. CHROMIUM_CORE_GN_DEFINES="" 
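Review bot: The guard `%if 0%{?fedora} > 42` added in the `%prep` hunk, together with the new `Patch356:` declaration, keys the PipeWire build fix on the Fedora release rather than on the PipeWire headers it compensates for, and the comment `# fix build error with new pipewire in f43` records only the symptom. On any build target where `%{?fedora}` is unset, which the `.inferit` dist tag suggests this spec also serves, the expression is `0 > 42` and the patch is silently skipped, so a newer PipeWire there would reproduce the original error. Since the patch only makes an existing implicit pointer conversion explicit, it should compile against older PipeWire headers too — if that holds, applying `%patch -P356 -p1 -b .pipewire-cast` unconditionally removes the coupling; otherwise extend the comment to name the PipeWire version the fix is needed for. Separately, `Patch356:` is declared between `Patch354:` and `Patch355:`; moving it after `Patch355:` keeps the numbered list in order.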
@@ -1974,6 +1985,13 @@ fi %endif %changelog +* Fri Feb 14 2025 Arkady L. Shane - 133.0.6943.98-1.inferit +- Update to 133.0.6943.98 + * CVE-2025-0995: Use after free in V8 + * CVE-2025-0996: Inappropriate implementation in Browser UI + * CVE-2025-0997: Use after free in Navigation + * CVE-2025-0998: Out of bounds memory access in V8 + * Fri Feb 7 2025 Arkady L. Shane - 133.0.6943.53-1.inferit - Update to 133.0.6943.53 * CVE-2025-0444: Use after free in Skia