From 23f343f1b023c17e7ae5fbd68c9b43d348025c5a Mon Sep 17 00:00:00 2001 From: emilylange Date: Tue, 23 Jan 2024 21:35:22 +0100 Subject: [PATCH 1/3] chromium: 120.0.6099.109 -> 121.0.6167.85 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html This update includes 17 security fixes. CVEs: CVE-2024-0807 CVE-2024-0812 CVE-2024-0808 CVE-2024-0810 CVE-2024-0814 CVE-2024-0813 CVE-2024-0806 CVE-2024-0805 CVE-2024-0804 CVE-2024-0811 CVE-2024-0809
---
 .../browsers/chromium/upstream-info.nix | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 9b65636f140b..a976871fdfda 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,23 +1,23 @@
 {
 stable = {
 chromedriver = {
- hash_darwin = "sha256-20OgLWrtw2QwyfoehoU7WjmH3IoOG4k3dAya5U5c7Qc=";
+ hash_darwin = "sha256-IDPdjq3FpLy6Y9xkR15mzbIal8wjeQzzWtWuZ4uKmzA=";
 hash_darwin_aarch64 =
- "sha256-7aI141Ndtun3HglNKiW4+TTVgOVASnz98Rn1trgUgpo=";
- hash_linux = "sha256-gJ6xXhW87URDvpFP88KgLKmwoFDlqMN1Vj6L+bDdbSc=";
- version = "120.0.6099.109";
+ "sha256-3Mol45MrvrSqrpkKy2Trt0JFNfV4ekXTxEveUUGmJm4=";
+ hash_linux = "sha256-O8U4pZ76/N7q9bV7d0A+wlIqqaoz6WyfZQO4cIV2CIM=";
+ version = "121.0.6167.85";
 };
 deps = {
 gn = {
- hash = "sha256-dwluGOfq05swtBM5gg4a6gY3IpFHaKKkD0TV1XW7c7k=";
- rev = "e4702d7409069c4f12d45ea7b7f0890717ca3f4b";
+ hash = "sha256-eD3KORYYuIH+94+BgL+yFD5lTQFvj/MqPU9DPiHc98s=";
+ rev = "7367b0df0a0aa25440303998d54045bda73935a5";
 url = "https://gn.googlesource.com/gn";
- version = "2023-10-23";
+ version = "2023-11-28";
 };
 };
- hash = "sha256-HFQ7QAL4hcux3jmMmLYFNym3sfWR1o1hWV75bokID4I=";
- hash_deb_amd64 = "sha256-dFllEHRYH3yAPg3uaaCzdpiZxSLENEwmtIb/gg53/ZU=";
- version = "120.0.6099.224";
+ hash = "sha256-2TMTLCqoCxdy9PDlZIUa/5oXjmim1T2/LJu+3/Kf4fQ=";
+ hash_deb_amd64 = "sha256-9vPQAiZPw60oILm0He4Iz9lOc+WvtHCBE9CHA1ejc7s=";
+ version = "121.0.6167.85";
 };
 ungoogled-chromium = {
 deps = {
From 1724fc3271f3447b8c741216af9b8c66151032a8 Mon Sep 17 00:00:00 2001
From: emilylange Date: Wed, 24 Jan 2024 03:00:06 +0100 Subject: [PATCH 2/3] chromium: work around rust toolchain requirement in M121+ M121 is the first version to require the new rust toolchain, which we haven't ready yet. Specifically, there seems to be an issue where clang looks up library paths (with `clang_version = 17;` added to `gnFlags` (defaults to 18 and is part of the lookup path)): ``` ninja: error: '../../../../nix/store/q5f07rqsvsxnzwbw97yi8lacksrmy13x-clang-wrapper-17.0.6/lib/clang/17/lib/x86_64-unknown-linux-gnu/libclang_rt.builtins.a', needed by 'obj/third_party/protobuf/libprotoc_lib.a', missing and no known rule to make it ``` Instead of ``` /nix/store/q5f07rqsvsxnzwbw97yi8lacksrmy13x-clang-wrapper-17.0.6/lib/clang/17/lib/x86_64-unknown-linux-gnu/libclang_rt.builtins.a /nix/store/q5f07rqsvsxnzwbw97yi8lacksrmy13x-clang-wrapper-17.0.6/lib/clang/18/lib/x86_64-unknown-linux-gnu/libclang_rt.builtins.a ``` it should be something like ``` /nix/store/q5f07rqsvsxnzwbw97yi8lacksrmy13x-clang-wrapper-17.0.6/resource-root/lib/linux/libclang_rt.builtins-x86_64.a ``` So to give us ever so slightly more time to figure out and fix the rust toolchain, we revert the upstream commit, that requires the rust toolchain. The c++ version of the QR code generator will be gone in the next few version bumps, meaning we can no longer work around this by then. Again, this is only to buy us ever so slightly more time. This could have been prepared better and ahead of the stable bump, but we simply don't have enough chromium maintainers right now :(
---
 .../networking/browsers/chromium/common.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 0798be9372e9..f860edc93a36 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -236,6 +236,18 @@ let
 commit = "b9bef8e9555645fc91fab705bec697214a39dbc1";
 hash = "sha256-CJ1v/qc8+nwaHQR9xsx08EEcuVRbyBfCZCm/G7hRY+4=";
 })
+ ] ++ lib.optionals (chromiumVersionAtLeast "121") [
+ # M121 is the first version to require the new rust toolchain.
+ # But we don't have that ready yet.
+ # So we have to revert the singular commit that requires rust toolchain.
+ # This works, because the code in question, the QR code generator, is present in
+ # two variants: c++ and rust. This workaround will not last.
+ # The c++ variant in question is deemed to be removed in a month (give or take).
+ (githubPatch {
+ revert = true;
+ commit = "bcf739b95713071687ff25010683248de0092f6a";
+ hash = "sha256-1ZPe45cc2bjnErcF3prbLMlYpU7kpuwDVcjewINQr+Q=";
+ })
 ];
 
 postPatch = ''
From 8a3a274c24669c1ecbdafd2aa89dfe809d09898f Mon Sep 17 00:00:00 2001 From: emilylange Date: Wed, 24 Jan 2024 16:57:35 +0100 Subject: [PATCH 3/3] google-chrome: unbreak build in M121 This fixes the following error: ``` Running phase: installPhase patchelf: getting info about '/nix/store/s5dybbabbwn2w7jqdv5fk0cn7jzq54b1-google-chrome-121.0.6167.85/share/google/chrome/nacl_helper': No such file or directory ``` `nacl_helper` is no longer present in the tarball since M121, so this patch simply removes it from the hardcoded list of paths to patchelf. I did some very brief and everything seems to work fine.
---
 pkgs/applications/networking/browsers/google-chrome/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/applications/networking/browsers/google-chrome/default.nix b/pkgs/applications/networking/browsers/google-chrome/default.nix
index cd770b18b71a..17b7e288f0a6 100644
--- a/pkgs/applications/networking/browsers/google-chrome/default.nix
+++ b/pkgs/applications/networking/browsers/google-chrome/default.nix
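Review bot: The revert added under `lib.optionals (chromiumVersionAtLeast "121")` in the common.nix hunk has no upper bound and no pointer to where the rust toolchain work is tracked, so nothing in the code says when it has to be dropped. The comment itself says the c++ QR code generator is due to be removed upstream; from then on the revert presumably stops applying and the patch phase fails, which is the safe outcome, but whoever does that bump only learns it from the build error. I would add a line such as `# TODO: drop this revert once the rust toolchain is packaged; tracking: <issue URL placeholder>` and state in the comment that this build keeps the c++ generator upstream is moving away from, so the package differs from what upstream ships for M121. The enclosing list starts outside the hunk.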
@@ -149,7 +149,7 @@ in stdenv.mkDerivation {
 --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
 --add-flags ${lib.escapeShellArg commandLineArgs}
 
- for elf in $out/share/google/$appname/{chrome,chrome-sandbox,${crashpadHandlerBinary},nacl_helper}; do
+ for elf in $out/share/google/$appname/{chrome,chrome-sandbox,${crashpadHandlerBinary}}; do
 patchelf --set-rpath $rpath $elf
 patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $elf
 done
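Review bot: The `for elf in ...` loop still passes `$rpath` and `$elf` to patchelf unquoted, and the list of binaries stays hard-coded, so the next file upstream drops from the tarball will break installPhase the same way `nacl_helper` did. Failing loudly is reasonable here, because a silently unpatched `chrome-sandbox` would be worse than a failed build, but that intent is not written down anywhere in the loop. I would quote the expansions, `patchelf --set-rpath "$rpath" "$elf"`, and add a comment above the loop such as `# every listed binary must exist; nacl_helper was dropped from the tarball in M121`. If this derivation is also built for a channel older than M121 (not visible in the hunk), `nacl_helper` would now be left unpatched there. The installPhase script starts and ends outside the hunk.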