Overview of the updated versions:
stable: 48.0.2564.116 -> 49.0.2623.75
beta: 49.0.2623.63 -> 49.0.2623.75
dev: 50.0.2657.0 -> 50.0.2661.11
Stable and beta are now in par because of the release of a major stable
update.
The release addresses 26 security vulnerabilities, the following with an
assigned CVE:
* CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz
Mlynski.
* CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz
Mlynski.
* CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
* CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
* CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and
Bryant Zadegan.
* CVE-2015-8126: Out-of-bounds access in libpng. Credit to
joerg.bornemann.
* CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
* CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
* CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
* CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan
Herrera.
* CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of
OUSPG.
The full announcement which also includes the link to the bug tracker
can be found here:
http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html
Also, the 32bit Chrome package needed for the Flash and Widevine plugins
doesn't exist anymore, because Google has dropped support for 32bit
distros, see here for the announcement:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/FoE6sL-p6oU
On our end, we need to fix the patch for the plugin paths to work for
the latest dev channel. The change is very minor, because the
nix_plugin_paths_46.patch only doesn't apply because of an iOS-related
ifdef.
Built and tested on my Hydra at:
https://headcounter.org/hydra/eval/311511
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #13665
Comparing the current version with the version in sources list and
accidentally swapping the version arguments isn't going to get very far
because every new version that will come up will then be treated as "we
already have that version".
So we're now using versionOlder and also a check whether the version is
the *same* as the one in sources.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
No changes in functionality, but to make future source updates a bit
easier on the eyes when viewing the diff.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The update.sh shell script now is only a call to nix-build, which does
all the hard work of updating the Chromium source channels and the
plugins. It results in a store path with the new sources.nix that
replaces the already existing sources.nix.
Along the way, this has led to a quite massive workaround, which abuses
MD5 collisions to detect whether an URL is existing, because something
like builtins.tryEval (builtins.fetchurl url) unfortunately doesn't
work. Further explanations and implementation details are documented in
the actual implementation.
The drawback of this is that we don't have nice status messages anymore,
but on the upside we have a more robust generation of the sources.nix
file, which now also should work properly on missing upstream
sources/binaries.
This also makes it much easier to implement fetching non-GNU/Linux
versions of Chromium and we have all values from omahaproxy available as
an attribute set (see the csv2nix and channels attributes in the update
attribute).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
As stated in the parent commit, the 32bit Chrome package is not
available upstream, so let's at least provide the SHA256 hash for the
64bit package.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Until now, if we have a failure to fetch either the 32bit Debian package
or the 64bit Debian package, neither of these will be put into
sources.nix.
Unfortunately the beta/dev channels do not have a 32bit Debian package,
so even though there is a 64bit Debian package available we don't get
plugins *at* *all*.
This also introduces a nicer error message rather than just failing with
an assertion in fetchurl because we did not provide url/urls.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
They're still enabled by default, but now can be disabled.
Python has not been made optional due to the additional complexity of:
- python2 vs python3
- pync support on Darwin
Making Python support optional should be revisited at another time.
Fixes: #12840
Related to: 61042a561042a5 changes the replaced token from $something to @something@. This
commit repeats that change in one additional location used by the
WideVine plugin
Extract the rsync source fetching into its own expression and use that
expression to fetch the same source for rsync and rrsync.
rrsync is just copied from the support folder of rsync, no configure or build
needed. Also none of the rsync patches are needed. Only the path to rsync needs
to be patched into rrsync.
