Unverified Commit 92ea7a0b authored by Yureka's avatar Yureka Committed by GitHub
Browse files

electron-source.electron_37: remove, electron_37-bin: mark as insecure (#485007)

parents 48d88205 6a1e96dd

pkgs/applications/networking/browsers/chromium/common.nix

+4 −65
Original line number Diff line number Diff line
@@ -497,14 +497,9 @@ let 
      # Started failing to apply with M142, but this is no longer needed anyway.

      ./patches/chromium-126-llvm-17.patch

    ]

    ++ lib.optionals (!chromiumVersionAtLeast "140") [

    ++ lib.optionals (versionRange "140" "141") [

      # Partial revert of https://github.com/chromium/chromium/commit/3687976b0c6d36cf4157419a24a39f6770098d61

      # allowing us to use our rustc and our clang.

      ./patches/chromium-129-rust.patch

    ]

    ++ lib.optionals (versionRange "140" "141") [

      # Rebased variant of the patch above due to

      # https://chromium-review.googlesource.com/c/chromium/src/+/6665907

      ./patches/chromium-140-rust.patch

    ]

    ++ lib.optionals (chromiumVersionAtLeast "141") [
@@ -535,7 +530,7 @@ let 
      # exact version or even running a newer version.

      ./patches/chromium-136-nodejs-assert-minimal-version-instead-of-exact-match.patch

    ]

    ++ lib.optionals (chromiumVersionAtLeast "138") [

    ++ [

      (fetchpatch {

        # Unbreak building with Rust 1.89+ which introduced

        # a new mismatched_lifetime_syntaxes lint.
@@ -548,33 +543,6 @@ let 
        hash = "sha256-xf1Jq5v3InXkiVH0uT7+h1HPwZse5MDcHKuJNjSLR6k=";

      })

    ]

    ++ lib.optionals (!chromiumVersionAtLeast "138") [

      # Rebased variant of the patch above for

      # electron 35 (M134) and 36 (M136)

      ./patches/chromium-134-rust-1.86-mismatched_lifetime_syntaxes.patch

    ]

    ++ lib.optionals (versionRange "141" "142") [

      (fetchpatch {

        # Fix "invalid application of 'sizeof' to an incomplete type 'blink::CSSStyleSheet'"

        # by reverting https://chromium-review.googlesource.com/c/chromium/src/+/6892157

        name = "chromium-141-Revert-Remove-unnecessary-include-in-tree_scope.h.patch";

        url = "https://chromium.googlesource.com/chromium/src/+/0fc0e71aa1ca0419fae6d14255025543980d2cba^!?format=TEXT";

        decode = "base64 -d";

        revert = true;

        hash = "sha256-pnEus2NHpNWZ6ZSXLgdTn+it7oy1MPZPbD8SOAKLWbw=";

      })

    ]

    ++ lib.optionals (chromiumVersionAtLeast "142" && lib.versionOlder rustcVersion "1.90") [

      (fetchpatch {

        # Fix "ld.lld: error: undefined symbol: __rustc::__rust_alloc_error_handler_should_panic'"

        # with Rust < 1.90 by reverting https://chromium-review.googlesource.com/c/chromium/src/+/6935385

        name = "chromium-142-Revert-rust-Remove-the-old-__rust_alloc_error_handler_should_panic-symbol.patch";

        url = "https://chromium.googlesource.com/chromium/src/+/e33287758f2234d6aabfc5d4e011c4e81e3a47cf^!?format=TEXT";

        decode = "base64 -d";

        revert = true;

        hash = "sha256-0vRDz7wwGCsqm38fVvkLLzOOtEtd8CnqyjDLgGofh/o=";

      })

    ]

    ++ lib.optionals (versionRange "142" "143") [

      (fetchpatch {

        # Fix https://issues.chromium.org/issues/450752866 by backporting
@@ -585,28 +553,6 @@ let 
        hash = "sha256-0ueOCHYheSFHRFzEat3TDhnU3Avf0TcNBBBpTkz+saw=";

      })

    ]

    ++ lib.optionals (chromiumVersionAtLeast "142" && lib.versionOlder rustcVersion "1.91") [

      # Fix the following error when compiling CrabbyAvif with Rust < 1.91 due to

      # https://github.com/rust-lang/rust/pull/142681 by reverting

      # https://github.com/webmproject/CrabbyAvif/pull/663 and

      # https://github.com/webmproject/CrabbyAvif/pull/654 and

      # https://chromium-review.googlesource.com/c/chromium/src/+/6960510

      #

      #  error: cannot find attribute `sanitize` in this scope

      #    --> ../../third_party/crabbyavif/src/src/capi/io.rs:210:41

      #      |

      #  210 |     #[cfg_attr(feature = "disable_cfi", sanitize(cfi = "off"))]

      #      |                                         ^^^^^^^^

      #

      ./patches/chromium-142-crabbyavif-rust-no_sanitize.patch

      (fetchpatch {

        name = "chromium-142-crabbyavif-Revert-Enable-disable_cfi-feature.patch";

        url = "https://chromium.googlesource.com/chromium/src/+/9415f40bc6f853547f791e633be638c71368ce56^!?format=TEXT";

        decode = "base64 -d";

        revert = true;

        hash = "sha256-bYcJqPMbE7hMvhZVnzqHok1crUAdqrzqxr+4IHNzAtg=";

      })

    ]

    ++ lib.optionals (chromiumVersionAtLeast "144") [

      # Patch rustc_nightly_capability to eval to false instead of true.

      # https://chromium-review.googlesource.com/c/chromium/src/+/7022369
@@ -640,9 +586,7 @@ let 
        /* Generated by lastchange.py, do not edit.*/

        #ifndef SKIA_EXT_SKIA_COMMIT_HASH_H_

        #define SKIA_EXT_SKIA_COMMIT_HASH_H_

        #define SKIA_COMMIT_HASH "${upstream-info.DEPS."src/third_party/skia".rev}${

          lib.optionalString (!chromiumVersionAtLeast "142") "-"

        }"

        #define SKIA_COMMIT_HASH "${upstream-info.DEPS."src/third_party/skia".rev}"

        #endif  // SKIA_EXT_SKIA_COMMIT_HASH_H_

        EOF
@@ -650,7 +594,7 @@ let 


        mkdir -p third_party/jdk/current/bin

      ''

      + lib.optionalString (!isElectron && chromiumVersionAtLeast "142") ''

      + lib.optionalString (!isElectron) ''

        cat << EOF > gpu/webgpu/dawn_commit_hash.h

        /* Generated by lastchange.py, do not edit.*/

        #ifndef GPU_WEBGPU_DAWN_COMMIT_HASH_H_
@@ -815,11 +759,6 @@ let 
        use_gio = true;

        use_cups = cupsSupport;

      }

      // lib.optionalAttrs (!chromiumVersionAtLeast "139") {

        # Feature overrides:

        # Native Client support was deprecated in 2020 and support will end in June 2021:

        enable_nacl = false;

      }

      // lib.optionalAttrs (packageName == "chromium") {

        # Enabling the Widevine here doesn't affect whether we can redistribute the chromium package.

        # Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above.

pkgs/applications/networking/browsers/chromium/patches/chromium-129-rust.patch

deleted100644 → 0
+0 −21
Original line number Diff line number Diff line 
diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn

index 45086d6838cac..81132ad8ecb31 100644

--- a/build/config/compiler/BUILD.gn

+++ b/build/config/compiler/BUILD.gn

@@ -1727,16 +1727,6 @@ config("runtime_library") {

     configs += [ "//build/config/c++:runtime_library" ]

   }

 

-  # Rust and C++ both provide intrinsics for LLVM to call for math operations. We

-  # want to use the C++ intrinsics, not the ones in the Rust compiler_builtins

-  # library. The Rust symbols are marked as weak, so that they can be replaced by

-  # the C++ symbols. This config ensures the C++ symbols exist and are strong in

-  # order to cause that replacement to occur by explicitly linking in clang's

-  # compiler-rt library.

-  if (is_clang && !is_nacl && !is_cronet_build) {

-    configs += [ "//build/config/clang:compiler_builtins" ]

-  }

-

   # TODO(crbug.com/40570904): Come up with a better name for is POSIX + Fuchsia

   # configuration.

   if (is_posix || is_fuchsia) {

pkgs/applications/networking/browsers/chromium/patches/chromium-142-crabbyavif-rust-no_sanitize.patch

deleted100644 → 0
+0 −48
Original line number Diff line number Diff line 
diff --git a/third_party/crabbyavif/src/src/capi/io.rs b/third_party/crabbyavif/src/src/capi/io.rs

index e7994ce3129c4d7f46553f527bf8f10376ff9ed8..60a3c13b788a560e9669db013e3b8e88e5f9947b 100644

--- a/third_party/crabbyavif/src/src/capi/io.rs

+++ b/third_party/crabbyavif/src/src/capi/io.rs

@@ -207,7 +207,7 @@ impl Drop for avifIOWrapper {

 }

 

 impl crate::decoder::IO for avifIOWrapper {

-    #[cfg_attr(feature = "disable_cfi", sanitize(cfi = "off"))]

+    #[cfg_attr(feature = "disable_cfi", no_sanitize(cfi))]

     fn read(&mut self, offset: u64, size: usize) -> AvifResult<&[u8]> {

         // SAFETY: Calling into a C function.

         let res = unsafe {

diff --git a/third_party/crabbyavif/src/src/lib.rs b/third_party/crabbyavif/src/src/lib.rs

index 90fa41188905a8aaf7b74594937b3a335ceed18d..a05f0a5e8b6cbffbf6e1a0f5fefc8a1e1480273f 100644

--- a/third_party/crabbyavif/src/src/lib.rs

+++ b/third_party/crabbyavif/src/src/lib.rs

@@ -13,7 +13,7 @@

 // limitations under the License.

 

 #![deny(unsafe_op_in_unsafe_fn)]

-#![cfg_attr(feature = "disable_cfi", feature(sanitize))]

+#![cfg_attr(feature = "disable_cfi", feature(no_sanitize))]

 

 #[macro_use]

 mod internal_utils;

diff --git a/third_party/crabbyavif/src/src/reformat/libyuv.rs b/third_party/crabbyavif/src/src/reformat/libyuv.rs

index 9df874ccf7b6a943c6dcebe495ce15b7a7e9cd66..3f68c16f2b2e8e22b3edfd0dcedbb95fe34887f9 100644

--- a/third_party/crabbyavif/src/src/reformat/libyuv.rs

+++ b/third_party/crabbyavif/src/src/reformat/libyuv.rs

@@ -372,7 +372,7 @@ fn find_conversion_function(

 // Returns Ok(Some(false)) if only YUV was converted and alpha

 // needs to be imported separately.

 // Returns Ok(None) if the conversion is not implemented.

-#[cfg_attr(feature = "disable_cfi", sanitize(cfi = "off"))]

+#[cfg_attr(feature = "disable_cfi", no_sanitize(cfi))]

 pub(crate) fn yuv_to_rgb(image: &image::Image, rgb: &mut rgb::Image) -> AvifResult<Option<bool>> {

     if (rgb.depth != 8 && rgb.depth != 10) || !image.depth_valid() {

         return Ok(None); // Not implemented.

@@ -833,7 +833,7 @@ fn rgb_to_yuv_conversion_function(

     }

 }

 

-#[cfg_attr(feature = "disable_cfi", sanitize(cfi = "off"))]

+#[cfg_attr(feature = "disable_cfi", no_sanitize(cfi))]

 pub(crate) fn rgb_to_yuv(rgb: &rgb::Image, image: &mut image::Image) -> AvifResult<Option<()>> {

     let conversion_function = match rgb_to_yuv_conversion_function(rgb, image) {

         Some(conversion_function) => conversion_function,

pkgs/development/tools/electron/binary/generic.nix

+1 −1
Original line number Diff line number Diff line
@@ -61,7 +61,7 @@ let 
    ];

    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];

    # https://www.electronjs.org/docs/latest/tutorial/electron-timelines

    knownVulnerabilities = lib.optional (lib.versionOlder version "37.0.0") "Electron version ${version} is EOL";

    knownVulnerabilities = lib.optional (lib.versionOlder version "38.0.0") "Electron version ${version} is EOL";

  };



  fetcher =

pkgs/development/tools/electron/binary/info.json

+0 −11
Original line number Diff line number Diff line 
{

    "36": {

        "hashes": {

            "aarch64-darwin": "73eb08fd541e6105d448735f2f820a7e0f63ff07e836ca05462dc2c01028e7df",

            "aarch64-linux": "f7e9a3079f2276b907c39e0bad0ded08d6846274823d4371256a82e7a47fab27",

            "armv7l-linux": "4ec9c4ec03f17b9cb2ac6a2eca7d2bef3e0ab3b70b73ba1a3b9a12baef350e5c",

            "headers": "06na5h0bx4nbb2hv867warr19dgk7ilz0w8j4mmkxmv33x7w65bd",

            "x86_64-darwin": "fce84ddaba4999b83c0501f9e4bbbf811965b76b67ad81452bc918db88c09c61",

            "x86_64-linux": "52d6364aeed68116320f8cd6f7d7b6ad185da011ff212755f18c604696628616"

        },

        "version": "36.9.5"

    },

    "37": {

        "hashes": {

            "aarch64-darwin": "24529be1f2f87c587d06c7474607f1b57d1184b3f45d916cac33791de3a70014",