From 3a9f738b6fe57119ebb94d8c128b7f70fe8216a0 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Tue, 28 May 2024 00:24:30 +0200 Subject: [PATCH 1/5] Workaround for build error on pp64le --- chromium.conf | 48 +++++++++++++++++++++++++++++++++++++++++++++++- chromium.spec | 16 +++++++++++----- 2 files changed, 58 insertions(+), 6 deletions(-) diff --git a/chromium.conf b/chromium.conf index 686a277c..cadab280 100644 --- a/chromium.conf +++ b/chromium.conf @@ -1,3 +1,49 @@ # system wide chromium flags + +# GRAPHIC_DRIVER=[amd|intel|nvidia|default] +GRAPHIC_DRIVER=default + +# WEB_DARKMODE=[on|off] +WEB_DARKMODE=off + CHROMIUM_FLAGS="" -CHROMIUM_FLAGS+=" --use-gl=angle --use-angle=gl --enable-features=VaapiVideoEncoder,VaapiVideoDecodeLinuxGL" +CHROMIUM_FLAGS+=" --disable-features=AudioServiceSandbox" +CHROMIUM_FLAGS+=" --enable-native-gpu-memory-buffers" +CHROMIUM_FLAGS+=" --enable-gpu-memory-buffer-video-frames" +CHROMIUM_FLAGS+=" --enable-zero-copy" +CHROMIUM_FLAGS+=" --use-gl=angle" +CHROMIUM_FLAGS+=" --ignore-gpu-blocklist --disable-gpu-driver-bug-workaround" +CHROMIUM_FLAGS+=" --enable-chrome-browser-cloud-management" + +case "$GRAPHIC_DRIVER" in + amd) + # Need new mesa with AMD multi planes support, is not yet supported in fedora + # see https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26165 + CHROMIUM_FLAGS+=" --use-angle=vulkan --enable-accelerated-video-decode" + CHROMIUM_FLAGS+=" --enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan,VaapiIgnoreDriverChecks,VaapiVideoDecoder,UseMultiPlaneFormatForHardwareVideo" + ;; + nvidia) + # The NVIDIA VaAPI drivers are known to not support Chromium + # see https://crbug.com/1492880. This feature switch is + # provided for developers to test VaAPI drivers on NVIDIA GPUs + CHROMIUM_FLAGS+=" --use-angle=gl" + CHROMIUM_FLAGS+=" --enable-features=VaapiVideoDecodeLinuxGL,VaapiVideoEncoder,VaapiOnNvidiaGPUs" + ;; + intel) + CHROMIUM_FLAGS+=" --use-angle=gl" + CHROMIUM_FLAGS+=" --enable-features=VaapiVideoEncoder,VaapiVideoDecodeLinuxGL" + ;; + *) + CHROMIUM_FLAGS="" + ;; +esac + +# Web Dark mode +if [ "$WEB_DARKMODE" == "on" ] ; then + darktype="WebContentsForceDark:inversion_method/cielab_based/image_behavior/none/foreground_lightness_threshold/150/background_lightness_threshold/205" + if [ -z "$CHROMIUM_FLAGS" ] ; then + CHROMIUM_FLAGS+=" --enable-features=$darktype" + else + CHROMIUM_FLAGS+=",$darktype" + fi +fi diff --git a/chromium.spec b/chromium.spec index ec897e74..25a9debd 100644 --- a/chromium.spec +++ b/chromium.spec @@ -36,7 +36,7 @@ # enable|disable headless client build %global build_headless 1 %ifarch ppc64le -%global build_headless 0 +%global cfi 0 %endif # enable|disable chrome-remote-desktop build @@ -179,6 +179,11 @@ %endif %endif +%ifarch ppc64le +# workaround for a bug in new llvm on f40/rawhide (ppc64le) +%global cfi 0 +%endif + # set correct toolchain %if %{clang} %global toolchain clang @@ -307,7 +312,7 @@ Name: chromium%{chromium_channel} Version: 125.0.6422.112 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) @@ -674,9 +679,7 @@ BuildRequires: pkgconfig(Qt6Core) BuildRequires: pkgconfig(Qt6Widgets) %endif -%if %{cfi} BuildRequires: compiler-rt -%endif %if ! %{bundleharfbuzz} BuildRequires: harfbuzz-devel >= 2.4.0 @@ -1471,7 +1474,7 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene CHROMIUM_CORE_GN_DEFINES+=' chrome_pgo_phase=0' %if ! %{cfi} -CHROMIUM_CORE_GN_DEFINES+=' is_cfi=false' +CHROMIUM_CORE_GN_DEFINES+=' is_cfi=false use_thin_lto=false' %endif %if %{useapikey} @@ -2107,6 +2110,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt %endif %changelog +* Tue May 28 2024 Than Ngo - 125.0.6422.112-2 +- Workaround for build error on pp64le + * Sun May 26 2024 Than Ngo - 125.0.6422.112-1 - update to 125.0.6422.112 * High CVE-2024-5274: Type Confusion in V8 From ae50b2ee0bad890ae8b874aa6bc89b5d2944eda9 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Tue, 28 May 2024 07:30:04 +0200 Subject: [PATCH 2/5] fix typo --- chromium.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chromium.spec b/chromium.spec index 25a9debd..f9480627 100644 --- a/chromium.spec +++ b/chromium.spec @@ -36,7 +36,7 @@ # enable|disable headless client build %global build_headless 1 %ifarch ppc64le -%global cfi 0 +%global build_headless 0 %endif # enable|disable chrome-remote-desktop build From 16fc415c9d758b6425afa62396ac2824a7b02124 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Thu, 30 May 2024 10:58:09 +0200 Subject: [PATCH 3/5] build against noopenh264 for fedora >=40 --- chromium.spec | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/chromium.spec b/chromium.spec index f9480627..d4c3e97f 100644 --- a/chromium.spec +++ b/chromium.spec @@ -99,6 +99,10 @@ %endif %endif +%if 0%{?fedora} >= 40 +%global noopenh264 1 +%endif + # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2239523 # Disable BTI until this is fixed upstream. %global disable_bti 0 @@ -312,7 +316,7 @@ Name: chromium%{chromium_channel} Version: 125.0.6422.112 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) @@ -651,6 +655,10 @@ Conflicts: ffmpeg-libs%{_isa} < 6.0.1-2 %endif %endif +%if 0%{?noopenh264} +BuildRequires: pkgconfig(openh264) +%endif + # build with system libaom %if ! %{bundlelibaom} BuildRequires: libaom-devel @@ -1542,8 +1550,14 @@ CHROMIUM_BROWSER_GN_DEFINES+=' ffmpeg_branding="Chrome" proprietary_codecs=true %else CHROMIUM_BROWSER_GN_DEFINES+=' ffmpeg_branding="Chromium" proprietary_codecs=false is_component_ffmpeg=false enable_ffmpeg_video_decoders=false media_use_ffmpeg=true' %endif +# link against noopenh264 library +%if 0%{?noopenh264} +CHROMIUM_BROWSER_GN_DEFINES+=' media_use_openh264=true' +CHROMIUM_BROWSER_GN_DEFINES+=' rtc_use_h264=true' +%else CHROMIUM_BROWSER_GN_DEFINES+=' media_use_openh264=false' CHROMIUM_BROWSER_GN_DEFINES+=' rtc_use_h264=false' +%endif CHROMIUM_BROWSER_GN_DEFINES+=' use_kerberos=true' %if %{use_qt} @@ -1702,6 +1716,9 @@ system_libs=() %if ! %{bundleflac} system_libs+=(flac) %endif +%if 0%{?noopenh264} + system_libs+=(openh264) +%endif build/linux/unbundle/replace_gn_files.py --system-libraries ${system_libs[@]} @@ -2110,6 +2127,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt %endif %changelog +* Wed May 29 2024 Than Ngo - 125.0.6422.112-3 +- build against noopenh264 + * Tue May 28 2024 Than Ngo - 125.0.6422.112-2 - Workaround for build error on pp64le From 9dc48d848695e90cab58ce2c165e1e8a73da803c Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Thu, 30 May 2024 17:06:37 +0200 Subject: [PATCH 4/5] clean openh264 from proprietary stuffs --- chromium-latest.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chromium-latest.py b/chromium-latest.py index 5864be9f..ad8d2cd5 100755 --- a/chromium-latest.py +++ b/chromium-latest.py @@ -1,5 +1,5 @@ #!/usr/bin/python3 -# Copyright 2021-2023, Than Ngo +# Copyright 2021-2024, Than Ngo # Copyright 2010,2015-2019 Tom Callaway # Copyright 2013-2016 Tomas Popela # Permission is hereby granted, free of charge, to any person obtaining @@ -335,6 +335,8 @@ if __name__ == '__main__': if (args.ffmpegclean): print("Cleaning ffmpeg from proprietary things...") os.system("./clean_ffmpeg.sh %s %d" % (latest_dir, 0 if args.ffmpegarm else 1)) + print("Cleaning openh264 from proprietary things...") + os.system("find %s/third_party/openh264/src -type f -not -name '*.h' -delete " % latest_dir) print("Done!") if (not args.prep): From d8daa47044db65cca212017c7c417bf5c2bfb66a Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Fri, 31 May 2024 11:13:13 +0200 Subject: [PATCH 5/5] - update to 125.0.6422.141 * High CVE-2024-5493: Heap buffer overflow in WebRTC * High CVE-2024-5494: Use after free in Dawn * High CVE-2024-5495: Use after free in Dawn * High CVE-2024-5496: Use after free in Media Session * High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs * High CVE-2024-5498: Use after free in Presentation API * High CVE-2024-5499: Out of bounds write in Streams API - fixed rhbz#2264332 - Chromium is unable to send/receive video on MS Teams - cleanup chromium.conf --- chromium.conf | 27 +++++++++++++-------------- chromium.spec | 16 ++++++++++++++-- sources | 2 +- 3 files changed, 28 insertions(+), 17 deletions(-) diff --git a/chromium.conf b/chromium.conf index cadab280..4bf85435 100644 --- a/chromium.conf +++ b/chromium.conf @@ -7,43 +7,42 @@ GRAPHIC_DRIVER=default WEB_DARKMODE=off CHROMIUM_FLAGS="" -CHROMIUM_FLAGS+=" --disable-features=AudioServiceSandbox" CHROMIUM_FLAGS+=" --enable-native-gpu-memory-buffers" CHROMIUM_FLAGS+=" --enable-gpu-memory-buffer-video-frames" CHROMIUM_FLAGS+=" --enable-zero-copy" -CHROMIUM_FLAGS+=" --use-gl=angle" CHROMIUM_FLAGS+=" --ignore-gpu-blocklist --disable-gpu-driver-bug-workaround" CHROMIUM_FLAGS+=" --enable-chrome-browser-cloud-management" +FEATURES="" + case "$GRAPHIC_DRIVER" in amd) # Need new mesa with AMD multi planes support, is not yet supported in fedora # see https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26165 - CHROMIUM_FLAGS+=" --use-angle=vulkan --enable-accelerated-video-decode" - CHROMIUM_FLAGS+=" --enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan,VaapiIgnoreDriverChecks,VaapiVideoDecoder,UseMultiPlaneFormatForHardwareVideo" + CHROMIUM_FLAGS+=" --use-gl=angle --use-angle=vulkan --enable-accelerated-video-decode" + FEATURES+="Vulkan,VulkanFromANGLE,DefaultANGLEVulkan,VaapiIgnoreDriverChecks,VaapiVideoDecoder,UseMultiPlaneFormatForHardwareVideo" ;; nvidia) # The NVIDIA VaAPI drivers are known to not support Chromium # see https://crbug.com/1492880. This feature switch is # provided for developers to test VaAPI drivers on NVIDIA GPUs - CHROMIUM_FLAGS+=" --use-angle=gl" - CHROMIUM_FLAGS+=" --enable-features=VaapiVideoDecodeLinuxGL,VaapiVideoEncoder,VaapiOnNvidiaGPUs" + CHROMIUM_FLAGS+=" --use-gl=angle --use-angle=gl" + FEATURES+="VaapiVideoDecodeLinuxGL,VaapiVideoEncoder,VaapiOnNvidiaGPUs" ;; intel) - CHROMIUM_FLAGS+=" --use-angle=gl" - CHROMIUM_FLAGS+=" --enable-features=VaapiVideoEncoder,VaapiVideoDecodeLinuxGL" + CHROMIUM_FLAGS+=" --use-gl=angle --use-angle=gl" + FEATURES+="VaapiVideoEncoder,VaapiVideoDecodeLinuxGL" ;; *) - CHROMIUM_FLAGS="" + CHROMIUM_FLAGS+=" --use-gl=angle --use-angle=gl" + FEATURES+="VaapiVideoEncoder,VaapiVideoDecodeLinuxGL" ;; esac # Web Dark mode if [ "$WEB_DARKMODE" == "on" ] ; then darktype="WebContentsForceDark:inversion_method/cielab_based/image_behavior/none/foreground_lightness_threshold/150/background_lightness_threshold/205" - if [ -z "$CHROMIUM_FLAGS" ] ; then - CHROMIUM_FLAGS+=" --enable-features=$darktype" - else - CHROMIUM_FLAGS+=",$darktype" - fi + FEATURES+=",$darktype" fi + +CHROMIUM_FLAGS+=" --enable-features=$FEATURES" diff --git a/chromium.spec b/chromium.spec index d4c3e97f..f52d2c48 100644 --- a/chromium.spec +++ b/chromium.spec @@ -315,8 +315,8 @@ %endif Name: chromium%{chromium_channel} -Version: 125.0.6422.112 -Release: 3%{?dist} +Version: 125.0.6422.141 +Release: 1%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) @@ -2127,6 +2127,18 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt %endif %changelog +* Fri May 31 2024 Than Ngo - 125.0.6422.141-1 +- update to 125.0.6422.141 + * High CVE-2024-5493: Heap buffer overflow in WebRTC + * High CVE-2024-5494: Use after free in Dawn + * High CVE-2024-5495: Use after free in Dawn + * High CVE-2024-5496: Use after free in Media Session + * High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs + * High CVE-2024-5498: Use after free in Presentation API + * High CVE-2024-5499: Out of bounds write in Streams API +- fixed rhbz#2264332 - Chromium is unable to send/receive video on MS Teams +- cleanup chromium.conf + * Wed May 29 2024 Than Ngo - 125.0.6422.112-3 - build against noopenh264 diff --git a/sources b/sources index 61b5529c..4a1f6a31 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ SHA512 (node-v20.6.1-linux-arm64.tar.xz) = adfcaf2c22614797fd69fb46d94c1cbf64dea SHA512 (node-v20.6.1-linux-x64.tar.xz) = 7e15c05041a9a50f0046266aadb2e092a5aefbec19be1c7c809471add520cb57c7df3c47d88b1888b29bf2979dca3c92adddfd965370fa2a9da4ea02186464fd SHA512 (linux-arm64-0.19.2.tgz) = 8a0d8fec6786fffcd6954d00820037a55d61e60762c74300df0801f8db27057562c221a063bedfb8df56af9ba80abb366336987e881782c5996e6f871abd3dc6 SHA512 (linux-x64-0.19.2.tgz) = a31cc74c4bfa54f9b75d735a1cfc944d3b5efb7c06bfba9542da9a642ae0b2d235ea00ae84d3ad0572c406405110fe7b61377af0fd15803806ef78d20fc6f05d -SHA512 (chromium-125.0.6422.112-clean.tar.xz) = e10413e1c07195b2702c44f3c867d1b3d2c1993584dd41e1ffbbd7f09e416a6678f9bd225a25ed6e244e2b5f9b607156631f35481cd085e3db11218db5ce5d52 +SHA512 (chromium-125.0.6422.141-clean.tar.xz) = d3933731cad4ca2ce32e5343709dcff6c60769b43ccc0bdb982f846477a6439974aaeeafac740ddbdc4132e92e3510e4663d9095cc9a02d4a7cad63269adebdb