ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

Status: Done
Participants: Léo Le Bouter, Marius Bakke
Owner: unassigned
Submitted by: Léo Le Bouter
Severity: normal
Léo Le Bouter wrote on 15 Mar 2021 09:44
To: bug-guix@gnu.org, marius@gnu.org
Message-ID: 93ae6853638adebc7ccaf5f861815954bf99bfb5.camel@zaclys.net
Hello!

Latest version is 89.0.4389.90

ungoogled-chromium upstream has it:

Debian also upgraded:

I am not sure how to undertake this upgrade, I tried a little bit but
it failed at failing to delete some bundled third_party directories.

Would love to know in more detail what is the process for upgrading
ungoogled-chromium, license checking and patch rebasing if necessary.

Thank you!
Léo Le Bouter wrote on 19 Mar 2021 09:48
To: 47154-done@debbugs.gnu.org
Message-ID: 42246bbae075fe016da0c538c81a526cd4adf3a1.camel@zaclys.net
Fixed by 1155a88308df7649fe74bd5bb8279a4d103ce386


Closed
Marius Bakke wrote on 20 Mar 2021 14:41
Message-ID: 877dm20wpb.fsf@gnu.org
Hello!

Sorry for not seeing this earlier.

Léo Le Bouter <lle-bout@zaclys.net> writes:

> I am not sure how to undertake this upgrade, I tried a little bit but
> it failed at failing to delete some bundled third_party directories.
>
> Would love to know in more detail what is the process for upgrading
> ungoogled-chromium, license checking and patch rebasing if necessary.

For major upgrades such as 88->89, I usually comment out the pruning
script from the snippet, and add a phase such as...

(add-after 'unpack 'prune
  (lambda _
    (apply invoke "python"
           "build/linux/unbundle/remove_bundled_libraries.py"
           "--do-remove" (list ,@%preserved-third-party-files))))

...to avoid having to repack for every change to
%preserved-third-party-files.

Then just run './pre-inst-env guix build ...' as usual, see what the
configure phase reports, and adjust %preserved-third-party-files
accordingly.

Each "third_party" directory contains a README.chromium with license
information. That file is not always correct (i.e. listing a single
license when multiple are involved), so I typically check the source
files too.

For patch rebasing, sometimes I make the necessary adjustments manually
and use plain old "diff"; other times I'll create a git repository from
the vanilla Chromium source, apply patches, branch out and try to
cherry-pick the patches to the new version in order to benefit from
git's conflict markers.

I also keep an eye on the Arch and Gentoo Chromium packages for
"inspiration" (that's how I found the recent Opus patch).

Hope this helps, and thanks for the interest in helping out with
maintaining this package. :-)
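The license check Marius describes above (README.chromium per third_party directory, not always trustworthy) can be given a first automated pass. The script below is an added example, not code from Guix, ungoogled-chromium or Chromium: it reads the Name / License / License File fields of each preserved directory's README.chromium and reports which ones need a manual look at the sources. The field names, the vetted-license set and the sample tree are assumptions/constructed values, not taken from the package.

```python
"""Added example, not Guix or Chromium code: audit the README.chromium of each
third_party directory a package keeps.  Field names and sample tree are assumed."""
import re
import tempfile
from pathlib import Path

# Licenses already vetted by the maintainer; anything else gets flagged for review.
ALLOWED = {"MIT", "BSD", "BSD 3-Clause", "Apache 2.0", "MPL 2.0", "ISC"}
FIELD_RE = re.compile(r"^(Name|License|License File):[ \t]*(.*)$", re.M)

def parse_readme(text):
    """Pick the Name / License / License File fields out of a README.chromium."""
    return {k: v.strip() for k, v in FIELD_RE.findall(text)}

def split_licenses(value):
    """'BSD, MIT' -> ['BSD', 'MIT']; 'MIT/Apache 2.0' -> ['MIT', 'Apache 2.0']."""
    return [p.strip() for p in re.split(r"[,/]| and ", value) if p.strip()]

def audit(tree, preserved, allowed=ALLOWED):
    """Map each preserved third_party dir to 'ok: ...', 'review: ...' or 'missing ...'."""
    report = {}
    for rel in preserved:
        readme = Path(tree) / rel / "README.chromium"
        if not readme.is_file():
            report[rel] = "missing README.chromium: read the sources"
            continue
        lics = split_licenses(parse_readme(readme.read_text()).get("License", ""))
        unvetted = [lic for lic in lics if lic not in allowed]
        if not lics:
            report[rel] = "review: no License field"
        elif unvetted:
            report[rel] = "review: " + ", ".join(unvetted)
        else:
            report[rel] = "ok: " + ", ".join(lics)
    return report

# Constructed sample tree: one clean entry, one mixed license, one with no README.
SAMPLE = {
    "third_party/libyuv": "Name: libyuv\nLicense: BSD\n",
    "third_party/opus": "Name: opus\nLicense: BSD, Custom\nLicense File: COPYING\n",
    "third_party/nasm": None,
}

def demo():
    """Write SAMPLE to a temporary tree and audit it; returns the report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            (Path(tmp) / rel).mkdir(parents=True)
            if text is not None:
                (Path(tmp) / rel / "README.chromium").write_text(text)
        return audit(tmp, list(SAMPLE))
```

An "ok" result only means the README claims a vetted license; as the reply notes, the source files still have to be checked, since a README can list one license where several apply.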