Opened 6 years ago

Closed 3 years ago

#10495 closed defect (wontfix)

chromium-67.0.3396.87

Reported by: bdubbs@… Owned by: blfs-book
Priority: low Milestone: x-future
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by ken@…)

Vulnerability fixes. While investigating a firefox vulnerability, I got to https://security-tracker.debian.org/tracker/CVE-2018-6126 where it turns out that the vulnerability was originally found in chromium (or perhaps in chrome).

According to that, it is fixed in 67.0.3396.62. But Arch's security report says it is fixed in 67.0.3396.79.

Looking at qtwebengine there are lots more vulnerabilities addressed by upstream patches to the chromium code.

I don't know my way around chromium, but a .tar.gz for .79 is currently on about the fourth page of https://github.com/chromium/chromium/releases

According to Arch, .87 fixes an out of bounds write in the V8 code which can lead to arbitrary code execution.

I'm still trying to see if I can build this beast (Arch use clang because of a gcc-8.1 issue, but I found a patch at fedora this morning, haven't had time to try it yet).

Change History (20)

comment:1 by bdubbs@…, 6 years ago

Owner: changed from blfs-book@… to blfs-book

comment:2 by Bruce Dubbs, 6 years ago

Summary: chromium-65.0.3325.146 → chromium-66.0.3359.117

Now version 66.0.3359.117

comment:3 by ken@…, 6 years ago

Description: modified (diff)
Priority: normal → high
Summary: chromium-66.0.3359.117 → chromium-67.0.3396.79
Type: enhancement → defect

comment:4 by ken@…, 6 years ago

I started to take a look at this, to see if I could do it. The constexpr patch has been applied upstream. The directory third_party/WebKit/Source/ re warning messages does not exist.

AFAICS kerberos is only required because we force it on. I do not have kerberos, so tried turning it off.

Apparently, widevine might be a reason for people to use chromium. First attempt to use gn failed

ERROR at //third_party/widevine/cdm/BUILD.gn:14:1: Assertion failed.
assert(!enable_widevine || is_win || is_mac || is_chromecast,
^-----
Component updated CDM only supported on Windows and Mac for now.
See //chrome/BUILD.gn:318:9: which caused the file to be included.

There is a chromium-widevine-r2.patch at Arch, https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium : with that applied gn completes, but ninja very quickly fails:

mkdir -p third_party/node/linux/node-linux-x64/bin &&
> ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/ &&
> ninja -C out/Release chrome chrome_sandbox chromedriver widevinecdmadapter
ninja: Entering directory `out/Release'
ninja: error: unknown target 'widevinecdmadapter'

comment:5 by ken@…, 6 years ago

Description: modified (diff)
Summary: chromium-67.0.3396.79 → chromium-67.0.3396.87

comment:6 by ken@…, 6 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

It looks as if I can now build this, but some of the details still need more investigation before I get it to a point where I can install it to see if any of it works.

comment:7 by ken@…, 6 years ago

Fedora has now updated to 67.0.3396.79 and their security announcement specifies CVE-2018-6123 to 6137 and 6148.

comment:8 by ken@…, 6 years ago

I had not realised how horrendously painful building this package can be.

Current status:

Using boolfix patch from fedora (fixes build with gcc-8). Adding

sed -i 's%/include%/src/src/psnames%' third_party/pdfium/core/fxge/freetype/fx_freetype.cpp to stop pdfium trying to include the removed freetype header

With kerberos=false and widevine=false it built last night (omitting widevinecdmaadapter), with a warning that the gconf define was not used.

At that point I had NOT installed libsecret nor File::BaseDir - I can see why libsecret might get used, so I've now added it.

Today I've been trying to remove the kerberos, widevine and gconf entries from GN_CONFIG - but the build failed trying to find my non-existent gssapi.h, so presumably I still need the kerberos=false line (and enabling kerberos is only useful for people who have Single Sign-On in their site AND use that to authenticate to (their own) websites).

I've just retried after reinstating kerberos=false, but got a stupid failure in the main build almost immediately. Giving up for the moment.

Meanwhile, the partial build gave no evidence that it was using system libsecret, and I see that fedora do not list libsecret as a dependency.

comment:9 by ken@…, 6 years ago

It does NOT use system libsecret.

And since libwidevineadapter.so is not created, it seems pointless to enable widevine.

With gcc-8.1, the build takes 130 SBU on an 8-core intel and with the equivalent of a DESTDIR creates 6.7GB of source and 323 MB installed.

in reply to: 4, comment:10 by ken@…, 6 years ago

Replying to ken@…:

AFAICS kerberos is only required because we force it on. I do not have kerberos, so tried turning it off.

That is not exactly true - without any mention of kerberos in GN_CONFIG, my build failed trying to find my non-existent gssapi.h. BUT - although kerberos might be enabled in the default build, the indications are that it is turned off by default "for security reasons" (I think it was wikipedia that said that), and it certainly needs whitelisting for valid sites. So, although the default position would be "recommended", that seems hard to justify (most users will NOT have a server to provide their kerberos tickets).

In general, distros do not seem to require it (although their various build methods differ enormously).

comment:11 by ken@…, 6 years ago

Also, it appears to use its internal flac code - chromedriver has 'audio/flac' in its strings, but neither chromedriver nor chromium link to flac.

comment:12 by ken@…, 6 years ago

Built and installed, but no certificates - google will return a page but then hang that tab.

comment:13 by ken@…, 6 years ago

It tells me I have details for cert authorities, and offers to let me import - but any crt file I try is reported as either Private key missing, or invalid.

comment:14 by ken@…, 6 years ago

Owner: changed from ken@… to blfs-book
Status: assigned → new

No joy, giving this back to the book.

comment:15 by Bruce Dubbs, 6 years ago

Milestone: 8.3 → x-future

Moving to future for lack of support.

comment:16 by Douglas R. Reno, 6 years ago

Priority: high → low

Moving to low to get it out of the first page of the report.

comment:17 by christopher, 5 years ago

This was quite a mission to get to work. After spending many hours on this I have managed to get chromium-70.0.3538.102, to compile and install.

During the ordeal I have learnt the following:

First and foremost, do NOT under any circumstances download the source tarballs from github. This is a mirror of Google's developer repository, and I can state from bitter experience that the tarballs downloaded from there are in various states of incompleteness and some have many errors. They have mixed beta versions, development versions and just plain junk on there. It was only after two days of constant builds and failures that I went back to the search engines and found a site that stated this fact.

So Ken, I think you *may* well have downloaded a dodgy version when you tried.

I can confirm that https sites load fine with this version. I was able to log into my internet banking site and https:// on google works fine.

You can get the source code from:

http://gsdview.appspot.com/chromium-browser-official/chromium-70.0.3538.102.tar.xz

To check which version is the latest stable:

https://omahaproxy.appspot.com/

There are a number of things that need to be done to get this beast to work, so I am going to be posting everything that I did for *this* particular tar ball release.

Debian have about 44 patches for this latest release, but I have not used the debian patches at this stage as I wanted to test with as few changes as possible.

Below is what I have done to get things working:

1) Go to:

https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files

download chromium-70-gcc-0.patch, chromium-70-gcc-1.patch, chromium-70-gcc-2.patch, chromium-pdfium-stdlib-r0.patch, chromium-widevine-r2.patch, chromium-widevine-r3.patch and apply them to the sourcecode.

2) edit tools/gn/bootstrap/bootstrap.py and remove:

if not options.with_sysroot:
    cmd.append('--no-sysroot')

This has to be done, otherwise you will get an error and the build will stop before it even got started.

3) I had to modify the commands from the book in an attempt to get away from an issue with pstables.h. Basically I have allowed chromium to build its own internal versions of freetype and harfbuzz.

for LIB in flac libjpeg libjpeg_turbo libwebp libxslt yasm; do find -type f -path "*third_party/$LIB/*" \! -path "*third_party/$LIB/chromium/*" \! -path "*third_party/$LIB/google/*" \! -path "*base/third_party/icu/*" \! -path './third_party/yasm/run_yasm.py' \! -regex '.*\.\(gn\|gni\|isolate\|py\)' -delete; done

Then:

The remainder of that block of book instructions remains the same.

My GN CONFIG line looks like:

GN_CONFIG=('google_api_key="AIzaSyDxKL42zsPjbke5O8_rPVpVrLrJ8aeE9rQ"' 'google_default_client_id="595013732528-llk8trb03f0ldpqq6nprjp1s79596646.apps.googleusercontent.com"' 'google_default_client_secret="5ntt6GbbkjnTVXx-MSxbmx5e"' 'clang_use_chrome_plugins=false' 'enable_hangout_services_extension=true' 'enable_nacl=false' 'enable_nacl_nonsfi=false' 'enable_swiftshader=false' 'enable_widevine=true' 'fatal_linker_warnings=false' 'ffmpeg_branding="Chrome"' 'fieldtrial_testing_like_official_build=true' 'is_debug=false' 'is_clang=false' 'link_pulseaudio=true' 'linux_use_bundled_binutils=false' 'proprietary_codecs=true' 'remove_webcore_debug_symbols=true' 'symbol_level=0' 'treat_warnings_as_errors=false' 'use_allocator="none"' 'use_cups=true' 'use_gconf=false' 'use_gnome_keyring=false' 'use_gold=false' 'use_gtk3=true' 'use_kerberos=true' 'use_pulseaudio=true' 'use_sysroot=false' 'pdf_is_complete_lib=true')

Notice that there is a new addition to this block, namely pdf_is_complete_lib=true has to be added to the build instructions now, as it will happily build through the source code and then fail at the linking stage. It took me hours to find the solution to that one.

The actual ninja build line needs to be changed as well:

ninja -C out/Release chrome chrome_sandbox chromedriver

is what is now required. This is in line with what the other distros like slackware and arch have done. I have not installed widevine at this stage. I did not see the need to actually add more time to things if the browser itself was going to fail to load https:// sites.

I have not added the patch that the book had for the old chromium build.

In order to silence those compiler warnings that are only good to those working on the code itself, adding the following works:

CFLAGS+='-w' CXXFLAGS+='-w'

It is a lowercase w and that will suppress all the warning messages from flooding your screen when compiling.

I will also note that during this, as with webkit before, on an amd64 system with a cpu of 6 real cores, and 8gig of ram, I HAD to use ninja -j5 to stop it slowing to a snail's pace and timing out.

The debian patches will probably be worth looking at, as they address using system icu and other system libraries.

http://deb.debian.org/debian/pool/main/c/chromium-browser/chromium-browser_70.0.3538.102-1.debian.tar.xz

Of the gentoo patches, the two widevine patches are required. I used those patches instead of the sed block in the book instructions.

One of those gcc patches has 30 additions, so that patch would need to be added. The other patches could be made into sed's.

I will be redoing the build and seeing if the other system patches work. This information at least shows that the latest chromium does indeed now work.

Regards,

Christopher.
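The unbundling loop and the bootstrap.py edit from the comment above, as an added example that is not part of the ticket: both are wrapped in functions so the effect on a source tree can be checked on a small constructed tree before committing to a 130-SBU build. The function names and the use of GNU find/sed are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ticket or from BLFS. Reproduces two steps
# from comment 17 as functions that can be tested on a throwaway tree.

# Delete bundled copies of libraries the system already provides, but keep the
# chromium/ and google/ glue directories, base/third_party/icu, yasm's
# run_yasm.py, and the build metadata files (.gn/.gni/.isolate/.py). The
# find expression is the one quoted in the ticket (GNU find assumed).
unbundle_third_party() {
    srcdir=$1
    shift
    ( cd "$srcdir" || exit 1
      for LIB in "$@"; do
          find . -type f -path "*third_party/$LIB/*" \
              \! -path "*third_party/$LIB/chromium/*" \
              \! -path "*third_party/$LIB/google/*" \
              \! -path "*base/third_party/icu/*" \
              \! -path './third_party/yasm/run_yasm.py' \
              \! -regex '.*\.\(gn\|gni\|isolate\|py\)' -delete
      done )
}

# Remove the two bootstrap.py lines that append --no-sysroot (step 2 in the
# ticket). Done with sed instead of a hand edit so it repeats on a fresh
# unpack: join the "if" line with its successor and drop the pair.
drop_no_sysroot() {
    sed -e '/^ *if not options\.with_sysroot:/{N;/--no-sysroot/d;}' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}
```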

comment:18 by ken@…, 5 years ago

Glad you have got it working. For that omahaproxy link, the verification is at https://www.chromium.org/administrators/frequently-asked-questions under

How do I know what the most current version of Google Chrome is for Windows?

(interesting that versions differ between OS's).

So, congratulations! For myself, I've used rather more than my current crop of spare cycles in getting the perl modules changes done, so I don't expect to look at this in the near future.

I remain shocked (but not surprised) about the number of (gentoo) patches you have needed to use to get this far.

comment:19 by Bruce Dubbs, 5 years ago

Note that we have archived chromium. It is not in BLFS any more and the latest issues are just examples of why it was removed.

This ticket is marked for 'future', but I'd just as soon mark it as wontfix.

in reply to:  19 comment:20 by ken@…, 3 years ago

Resolution: wontfix
Status: new → closed

Replying to bdubbs:

Note that we have archived chromium. It is not in BLFS any more and the latest issues are just examples of why it was removed.

This ticket is marked for 'future', but I'd just as soon mark it as wontfix.

Since nothing has happened for all-but 2 years and 5 months to persuade us that chromium is useful (and a lot of adverse reports about it being bad for privacy) I'm changing this to wontfix.

And if ever someone decides they do need a chromium-like browser (e.g. for testing web pages) I suggest they look at https://github.com/Eloston/ungoogled-chromium (obviously, not the contributed binaries) and the Arch version of that (https://aur.archlinux.org/packages/ungoogled-chromium/) which seems to get updated frequently.

Note that the latest version still requires python2.
