From 2b29e401531306d044f797a5dfaeed86f5394085 Mon Sep 17 00:00:00 2001 
From: Herwig Hochleitner Date: Sat, 21 Apr 2018 13:10:41 +0200 Subject: [PATCH] chromium: 65.0.3325.181 -> 66.0.3359.117 Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28 Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30 High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20 High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15 High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04 High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12 High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05 High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08 Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01 Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01 Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11 Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19 Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26 Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03 Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03 Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11 Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19 Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20 Medium CVE-2018-6103: UI spoof in Permissions. 
Reported by Khalil Zhani on 2018-02-24 Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08 Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18 Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25 Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02 Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27 Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10 Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24 Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02 Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29 Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25 Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13 Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07 Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15 Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15 Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15 --- .../networking/browsers/chromium/common.nix | 29 ++---- ...aybackImageProvider-copy-constructor.patch | 89 ------------------- .../browsers/chromium/upstream-info.nix | 18 ++-- 3 files changed, 15 insertions(+), 121 deletions(-) delete mode 100644 pkgs/applications/networking/browsers/chromium/patches/PlaybackImageProvider-copy-constructor.patch 
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 44310b054628..b591d5d7ba0c 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -144,29 +144,7 @@ let
 # https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium
 # for updated patches and hints about build flags
 # (gentooPatch "" "0000000000000000000000000000000000000000000000000000000000000000")
- ] ++ optionals (versionRange "65" "66") [
- (gentooPatch "chromium-stdint.patch" "037gjnc8h087g6dpxz53nqvzbpa9mq0z47h25vix9p62s9nhz2a8")
- (gentooPatch "chromium-webrtc-r0.patch" "0wp4zivbv2wpgiwmiznbq1aw4w98mvwjvdy36cpfmnvr8yw430pd")
- (gentooPatch "chromium-math.h-r0.patch" "0dlzbdj0lvp9qklgifsvgbn6p1ppxbl3hkwqqqfsw1d9jka9wy8x")
- # To enable ChromeCast, go to chrome://flags and set "Load Media Router Component Extension" to Enabled
- # Fixes Chromecast: https://bugs.chromium.org/p/chromium/issues/detail?id=734325
- (githubPatch "1517db71cccaec48a05cdf30208e0cba7ab9b9a8" "08ac502cwwb05ml3w4wzn66i5c2d1h22xs5rzszwlnhxckxfc0fk")
- # GCC 7 fixes
- (githubPatch "f64fadcd79aebe5ed893ecbf258d1123609d28f8" "1h255w1v327r08cnifs19s4bwmkinqjmdmbwihddc5dyl43sjnvv")
- (githubPatch "4d8468a07f374c11425494271256151fb6fe0c34" "0kqqq8kj0zv5bi1n9mm0vnn8wsgi98mjmj7snpav21fh3pgiqjrm")
- (githubPatch "ede5178322ccd297b0ad82ae4c59119ceaab9ea5" "0rsal0dy0yhgs4lhn8h1vy1s77xcssy4f5wals7hvrz5m08jqizj")
- (githubPatch "7d721f438acb38db556ae9a9e6e8b718bd503216" "13lzvxm63zq3rd8p387ylq4bm9wr4r09vk2w4p81f838pf0v1kbj")
- # Following commit doesn't apply cleanly to stable branch, replace with handcrafted one
- #(githubPatch "4f2b52281ce1649ea8347489443965ad33262ecc" "1g59izkicn9cpcphamdgrijs306h5b9i7i4pmy134asn1ifiax5z")
- ./patches/PlaybackImageProvider-copy-constructor.patch
- # * base/optional.h
- (githubPatch "f1c8789c71dbdaeeef98ecd52c9715495824e6b0" "0w3d82s10cl10r6zq9vpsscmdhbdkcy0vbdiqy5pvbr031nfxw5w")
- (githubPatch "5cae9645215d02cb1f986a181a208f8a4817fc86" "052y0f9nwq6y6jh2gvr1pm8qdcqghyi3jj5svvrp5aqirlkwb7ri")
- # * ConfigurationPolicyProviders
- (githubPatch "1ee888aed9f9a6291570ce360bcdd2d06bcc68cb" "1bm34p3bsny44sk60j842ghhhx8qaibwpqnfnyndfj96f7nb2az0")
- (githubPatch "76da73abaeede740fc97479c09c92a52972bc477" "03rkf514ddj9d32d3zfcnf96kzzdk6cwxvrqj8acyv93vp1hvckr")
- #(gentooPatch "" "0000000000000000000000000000000000000000000000000000000000000000")
- ] ++ optionals (versionRange "66" "67") [
+ ] ++ optionals (versionRange "66" "67") [
 (gentooPatch "chromium-webrtc-r0.patch" "0wp4zivbv2wpgiwmiznbq1aw4w98mvwjvdy36cpfmnvr8yw430pd")
 (gentooPatch "chromium-ffmpeg-r1.patch" "1k8agaqsvg0w0s6s5wh346ih02cc86vr0vwyshw2q9vafa0jvmq4")
 # GCC 7 fixes
@@ -176,6 +154,11 @@ let
 (githubPatch "ba4141e451f4e0b1b19410b1b503bd32e150df06" "1cjxw1f9fin6z12b0mcxnxf2mdjb0n3chwz7mgvmp9yij8qhqnxj")
 (githubPatch "b34ed1e6524479d61ee944ebf6ca7389ea47e563" "1s13zw93nsyr259dzck6gbhg4x46qg5sg14djf4bvrrc6hlkiczw")
 (githubPatch "4f2b52281ce1649ea8347489443965ad33262ecc" "1g59izkicn9cpcphamdgrijs306h5b9i7i4pmy134asn1ifiax5z")
+ (fetchpatch {
+ ## see https://groups.google.com/a/chromium.org/forum/#!msg/chromium-packagers/So-ojMYOQdI/K66hndtdCAAJ
+ url = "https://bazaar.launchpad.net/~chromium-team/chromium-browser/bionic-stable/download/head:/addmissingblinktools-20180416203514-02f50sz15c2mn6ei-1/add-missing-blink-tools.patch";
+ sha256 = "0dc4cmd05qjqyihrd4qb34kz0jlapjgah8bzgnvxf9m4791w062z";
+ })
 ] ++ optional enableWideVine ./patches/widevine.patch
 ++ optionals (stdenv.isAarch64 && versionRange "65" "66") [
 ./patches/skia_buildfix.patch
diff --git a/pkgs/applications/networking/browsers/chromium/patches/PlaybackImageProvider-copy-constructor.patch b/pkgs/applications/networking/browsers/chromium/patches/PlaybackImageProvider-copy-constructor.patch
deleted file mode 100644
index a9b70ac50863..000000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/PlaybackImageProvider-copy-constructor.patch
+++ /dev/null
@@ -1,89 +0,0 @@ ---- a/cc/raster/playback_image_provider.cc -+++ b/cc/raster/playback_image_provider.cc -@@ -20,7 +20,7 @@ - PlaybackImageProvider::PlaybackImageProvider( - ImageDecodeCache* cache, - const gfx::ColorSpace& target_color_space, -- base::Optional settings) -+ base::Optional&& settings) - : cache_(cache), - target_color_space_(target_color_space), - settings_(std::move(settings)) { -@@ -70,7 +70,10 @@ - } - - PlaybackImageProvider::Settings::Settings() = default; --PlaybackImageProvider::Settings::Settings(const Settings& other) = default; -+PlaybackImageProvider::Settings::Settings(PlaybackImageProvider::Settings&&) = -+ default; - PlaybackImageProvider::Settings::~Settings() = default; -+PlaybackImageProvider::Settings& PlaybackImageProvider::Settings::operator=( -+ PlaybackImageProvider::Settings&&) = default; - - } // namespace cc ---- a/cc/raster/playback_image_provider.h -+++ b/cc/raster/playback_image_provider.h -@@ -20,8 +20,10 @@ - public: - struct CC_EXPORT Settings { - Settings(); -- Settings(const Settings& other); -+ Settings(const Settings&) = delete; -+ Settings(Settings&&); - ~Settings(); -+ Settings& operator=(Settings&&); - - // The set of image ids to skip during raster. - PaintImageIdFlatSet images_to_skip; -@@ -34,7 +36,7 @@ - // If no settings are provided, all images are skipped during rasterization. 
- PlaybackImageProvider(ImageDecodeCache* cache, - const gfx::ColorSpace& target_color_space, -- base::Optional settings); -+ base::Optional&& settings); - ~PlaybackImageProvider() override; - - PlaybackImageProvider(PlaybackImageProvider&& other); ---- a/cc/raster/playback_image_provider_unittest.cc -+++ b/cc/raster/playback_image_provider_unittest.cc -@@ -84,7 +84,8 @@ TEST(PlaybackImageProviderTest, SkipsSomeImages) { - settings.emplace(); - settings->images_to_skip = {skip_image.stable_id()}; - -- PlaybackImageProvider provider(&cache, gfx::ColorSpace(), settings); -+ PlaybackImageProvider provider(&cache, gfx::ColorSpace(), -+ std::move(settings)); - provider.BeginRaster(); - - SkIRect rect = SkIRect::MakeWH(10, 10); -@@ -100,7 +101,8 @@ TEST(PlaybackImageProviderTest, RefAndUnrefDecode) { - - base::Optional settings; - settings.emplace(); -- PlaybackImageProvider provider(&cache, gfx::ColorSpace(), settings); -+ PlaybackImageProvider provider(&cache, gfx::ColorSpace(), -+ std::move(settings)); - provider.BeginRaster(); - - { -@@ -133,7 +135,8 @@ TEST(PlaybackImageProviderTest, AtRasterImages) { - settings.emplace(); - settings->at_raster_images = {draw_image1, draw_image2}; - -- PlaybackImageProvider provider(&cache, gfx::ColorSpace(), settings); -+ PlaybackImageProvider provider(&cache, gfx::ColorSpace(), -+ std::move(settings)); - - EXPECT_EQ(cache.refed_image_count(), 0); - provider.BeginRaster(); -@@ -158,7 +161,8 @@ TEST(PlaybackImageProviderTest, SwapsGivenFrames) { - settings.emplace(); - settings->image_to_current_frame_index = image_to_frame; - -- PlaybackImageProvider provider(&cache, gfx::ColorSpace(), settings); -+ PlaybackImageProvider provider(&cache, gfx::ColorSpace(), -+ std::move(settings)); - provider.BeginRaster(); - - SkIRect rect = SkIRect::MakeWH(10, 10); - 
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index e30ec4228c8a..d55cc12c165a 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
 beta = {
- sha256 = "18dampi62wwvscywvdz8lil0zhxdr4p6bhr4yv08arz029w356lc";
- sha256bin64 = "129jq8ynj4y81rhzxyyfcfpllq3a6ddhiy766zw28s7d43q4zca2";
- version = "66.0.3359.45";
+ sha256 = "1mlfavs0m0lf60s42krqxqiyx73hdfd4r1mkjwv31p2gchsa7ibp";
+ sha256bin64 = "067gpmiwnpdaqarkz740plg0ixpp7642xf4qqkq32w9v8flx3y57";
+ version = "66.0.3359.117";
 };
 dev = {
- sha256 = "09x7p83p188ms0awxj3kl9kdx796ns6m42smqd3jccnljx54jls2";
- sha256bin64 = "1aa24gvbf9awm59n05jkb4wy6ssr7fns4rl1hd2c66cq2d4mx3d8";
- version = "67.0.3377.1";
+ sha256 = "0058g5dm5nfm7wdpd9y4fn0dmi8bq013l0ky5fsn4j7msm55rrg5";
+ sha256bin64 = "1ag8kg3jjv6jsxdjq33h4ksqhhhfaz5aqw9jaaqhfma908c5mc9y";
+ version = "67.0.3396.10";
 };
 stable = {
- sha256 = "11w6wg862ixbgm7dpqag2lmbjknv83zlr9imd8zchvmrqr468rlk";
- sha256bin64 = "0r14w94aa7zg2i3zjpwvb7d6fg9yg0xkki7jzcpjmzwygy78fs16";
- version = "65.0.3325.181";
+ sha256 = "1mlfavs0m0lf60s42krqxqiyx73hdfd4r1mkjwv31p2gchsa7ibp";
+ sha256bin64 = "1ycfq6pqk7a9kyqf2112agcxav360rxbqqdc1yil0qkmz51i9zdg";
+ version = "66.0.3359.117";
 };
 }