Unverified Commit 906aab3a authored by emilylange's avatar emilylange

chromium,chromedriver: 135.0.7049.114 -> 136.0.7103.59

https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html

This update includes 8 security fixes.

CVEs:
CVE-2025-4096 CVE-2025-4050 CVE-2025-4051 CVE-2025-4052
parent ac959118
+38 −4
@@ -446,8 +446,11 @@ let
        ./patches/cross-compile.patch
        # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
        ./patches/no-build-timestamps.patch
      ]
      ++ lib.optionals (!chromiumVersionAtLeast "136") [
        # Fix build with Pipewire 1.4
        # Submitted upstream: https://webrtc-review.googlesource.com/c/src/+/380500
        # Got merged, started shipping with M136+.
        ./patches/webrtc-pipewire-1.4.patch
      ]
      ++ lib.optionals (packageName == "chromium") [
@@ -487,7 +490,12 @@ let
        # allowing us to use our rustc and our clang.
        ./patches/chromium-129-rust.patch
      ]
      ++ lib.optionals (!ungoogled) [
      ++ lib.optionals (!ungoogled && !chromiumVersionAtLeast "136") [
        # Note: We since use LLVM v19.1+ on unstable *and* release-24.11 for all version and as such
        # no longer need this patch. We opt to arbitrarily limit it to versions prior to M136 just
        # because that's when this revert stopped applying cleanly and defer fully dropping it for
        # the next cleanup to bundle rebuilding all of chromium and electron.
        #
        # Our rustc.llvmPackages is too old for std::hardware_destructive_interference_size
        # and std::hardware_constructive_interference_size.
        # So let's revert the change for now and hope that our rustc.llvmPackages and
@@ -535,9 +543,10 @@ let
          hash = "sha256-xMqGdu5Q8BGF/OIRdmMzPrrrMGDOSY2xElFfhRsJlDU=";
        })
      ]
      ++ lib.optionals (!isElectron) [
      ++ lib.optionals (!isElectron && !chromiumVersionAtLeast "136") [
        # Backport "Only call format_message when needed" to fix print() crashing with is_cfi = true.
        # We build electron is_cfi = false and as such electron is not affected by this.
        # Started shipping with M136+.
        # https://github.com/NixOS/nixpkgs/issues/401326
        # https://gitlab.archlinux.org/archlinux/packaging/packages/chromium/-/issues/13
        # https://skia-review.googlesource.com/c/skia/+/961356
@@ -549,11 +558,32 @@ let
          extraPrefix = "third_party/skia/";
          hash = "sha256-aMqDjt/0cowqSm5DqcD3+zX+mtjydk396LD+B5F/3cs=";
        })
      ]
      ++ lib.optionals (chromiumVersionAtLeast "136") [
        # Modify the nodejs version check added in https://chromium-review.googlesource.com/c/chromium/src/+/6334038
        # to look for the minimal version, not the exact version (major.minor.patch). The linked CL makes a case for
        # preventing compilations of chromium with versions below their intended version, not about running the very
        # exact version or even running a newer version.
        ./patches/chromium-136-nodejs-assert-minimal-version-instead-of-exact-match.patch
      ];

    postPatch =
      lib.optionalString (!isElectron) ''
      lib.optionalString (!isElectron)
        # TODO: reuse mkGnFlags for this
        (
          if (chromiumVersionAtLeast "136") then
            ''
              cp ${./files/gclient_args.gni} build/config/gclient_args.gni
              chmod u+w build/config/gclient_args.gni
              echo 'checkout_mutter = false' >> build/config/gclient_args.gni
              echo 'checkout_glic_e2e_tests = false' >> build/config/gclient_args.gni
            ''
          else
            ''
              ln -s ${./files/gclient_args.gni} build/config/gclient_args.gni
            ''
        )
      + lib.optionalString (!isElectron) ''

        echo 'LASTCHANGE=${upstream-info.DEPS."src".rev}-refs/tags/${version}@{#0}' > build/util/LASTCHANGE
        echo "$SOURCE_DATE_EPOCH" > build/util/LASTCHANGE.committime
@@ -766,6 +796,10 @@ let
            use_qt = false;
          }
      )
      // lib.optionalAttrs (chromiumVersionAtLeast "136") {
        # LLVM < v21 does not support --warning-suppression-mappings yet:
        clang_warning_suppression_file = "";
      }
      // {
        # To fix the build as we don't provide libffi_pic.a
        # (ld.lld: error: unable to find library -l:libffi_pic.a):
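Review bot: The `clang_warning_suppression_file = "";` override in the last hunk is gated only on `chromiumVersionAtLeast "136"`, while its comment gives the toolchain (LLVM < v21) as the reason. As written it would stay in effect after the toolchain reaches LLVM 21, and nothing in the expression signals when it can be dropped. I would extend the comment with something like `# TODO: drop once the LLVM used for this build is v21 or newer.` The enclosing attribute set starts and ends outside the hunk, so whether the LLVM version could be tested directly in the condition cannot be judged from here.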
+153 −143

File changed.

Preview size limit exceeded, changes collapsed.

+19 −0
diff --git a/third_party/node/check_version.js b/third_party/node/check_version.js
index 0a037ab449c3b8780e68506993e6281d44cef7dc..e7cba2e457543eb8767c9868d851e5e4f5c32f2a 100644
--- a/third_party/node/check_version.js
+++ b/third_party/node/check_version.js
@@ -29,11 +29,9 @@ async function main() {
   const expectedVersion = extractExpectedVersion(contents);
 
   const errorMessage =
-      `Failed NodeJS version check: Expected version '${expectedVersion}', ` +
-      `but found '${process.version}'. Did you run 'gclient sync'? If the ` +
-      `problem persists try running 'gclient sync -f' instead, or deleting ` +
-      `third_party/node/{linux,win,mac} folders and trying again.`;
+      `Failed NodeJS version check: Expected at least version '${expectedVersion}', ` +
+      `but found '${process.version}'.`;
 
-  assert.equal(expectedVersion, process.version, errorMessage);
+  assert.ok(expectedVersion <= process.version, errorMessage);
 }
 main();
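Review bot: `assert.ok(expectedVersion <= process.version, errorMessage);` applies `<=` to what appear to be two version strings (the removed `assert.equal` against `process.version` suggests `expectedVersion` has the same `vMAJOR.MINOR.PATCH` form), and JavaScript compares strings lexicographically, not by version component. With constructed values, an expected `'v22.9.0'` rejects a found `'v22.11.0'`, while an expected `'v22.0.0'` accepts a found `'v9.0.0'`, so the check is not a reliable minimum-version gate in either direction. Comparing numerically fixes this, e.g. `assert.ok(expectedVersion.localeCompare(process.version, undefined, {numeric: true}) <= 0, errorMessage);` (assuming the Node build has Intl support), or by splitting both strings on `.` and comparing the components as numbers. `main()` starts outside the hunk, so the exact return type of `extractExpectedVersion` is not visible here.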