From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53326) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eZmv9-0007Qr-1h for guix-patches@gnu.org; Thu, 11 Jan 2018 19:10:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eZmv4-0002Ne-Tw for guix-patches@gnu.org; Thu, 11 Jan 2018 19:10:07 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:44822) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eZmv4-0002NT-Ol for guix-patches@gnu.org; Thu, 11 Jan 2018 19:10:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1eZmv4-0001hF-H7 for guix-patches@gnu.org; Thu, 11 Jan 2018 19:10:02 -0500 Subject: [bug#28004] Chromium Resent-Message-ID: From: Marius Bakke In-Reply-To: <20180108232042.nqjurjr2bcfl2yyc@abyayala> References: <87y3qvb15k.fsf@fastmail.com> <20171010131949.y43plpzxbppvrigr@abyayala> <87lgkha2cx.fsf@gnu.org> <20171012195628.GA31843@jasmine.lan> <87shensfq6.fsf@gnu.org> <87o9p45bb6.fsf@fastmail.com> <20180104191648.custe7w3l57fvbac@abyayala> <87wp0s2ewl.fsf@fastmail.com> <20180108232042.nqjurjr2bcfl2yyc@abyayala> Date: Fri, 12 Jan 2018 01:09:04 +0100 Message-ID: <87373cey5b.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: ng0 Cc: 28004@debbugs.gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain ng0 writes: > Many thanks for your ongoing work with this (and the patience :)) > As this is 63, you you are keeping track of Debian, right? I tried > to package 64 a couple of days ago because I wanted the workaround > for some of the recent security clusterfucks, but Debian is still > on 63 :/ > I hope they'll update their patchset soon. Indeed Google did not add the Spectre mitigation to Chromium 63, even though the latest version was released after the fact. https://xlab.tencent.com/special/spectre/spectre_check.html For reasons that beat me, they only added it to the proprietary Chrome browser, which follows the same version number as Chromium. The attached patch adds Spectre mitigation to the current Chromium release. The patch was pulled from the Chrome 64 branch: --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0001-gnu-chromium-Add-spectre-mitigation.patch Content-Transfer-Encoding: quoted-printable From=20b011b57f357af97f3a003a3b1c481fc8bd2b869c Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 11 Jan 2018 14:36:47 +0100 Subject: [PATCH] gnu: chromium: Add spectre mitigation. * gnu/packages/patches/chromium-spectre-mitigation.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/chromium.scm (chromium)[source]: Use it. =2D-- gnu/local.mk | 1 + gnu/packages/chromium.scm | 3 ++- gnu/packages/patches/chromium-spectre-mitigation.patch | 13 +++++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/chromium-spectre-mitigation.patch diff --git a/gnu/local.mk b/gnu/local.mk index 513f64043..89dab227c 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -575,6 +575,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/ceph-skip-collect-sys-info-test.patch \ %D%/packages/patches/ceph-skip-unittest_blockdev.patch \ %D%/packages/patches/chmlib-inttypes.patch \ + %D%/packages/patches/chromium-spectre-mitigation.patch \ %D%/packages/patches/clang-libc-search-path.patch \ %D%/packages/patches/clang-3.8-libc-search-path.patch \ %D%/packages/patches/clementine-use-openssl.patch \ diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm index dd040527b..1e9dba42e 100644 =2D-- a/gnu/packages/chromium.scm +++ b/gnu/packages/chromium.scm @@ -240,7 +240,8 @@ %chromium-system-icu.patch %chromium-system-nspr.patch %chromium-system-libevent.patch =2D %chromium-disable-api-keys-warning.patch)) + %chromium-disable-api-keys-warning.patch + (search-patch "chromium-spectre-mitigation.pa= tch"))) (modules '((srfi srfi-1) (guix build utils))) (snippet diff --git a/gnu/packages/patches/chromium-spectre-mitigation.patch b/gnu/p= ackages/patches/chromium-spectre-mitigation.patch new file mode 100644 index 000000000..a44a3bce4 =2D-- /dev/null +++ b/gnu/packages/patches/chromium-spectre-mitigation.patch @@ -0,0 +1,13 @@ +diff --git a/content/public/common/content_features.cc b/content/public/co= mmon/content_features.cc +index 43feb76..33a49b8 100644 +--- a/content/public/common/content_features.cc ++++ b/content/public/common/content_features.cc +@@ -308,7 +308,7 @@ +=20 + // http://tc39.github.io/ecmascript_sharedmem/shmem.html + const base::Feature kSharedArrayBuffer{"SharedArrayBuffer", +- base::FEATURE_ENABLED_BY_DEFAULT}; ++ base::FEATURE_DISABLED_BY_DEFAULT}; +=20 + // An experiment to require process isolation for the sign-in origin, + // https://accounts.google.com. Launch bug: https://crbug.com/739418. =2D-=20 2.15.1 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlpX/KAACgkQoqBt8qM6 VPp9Ugf9EcLGWsYQsyktXTYY7fo37j1CKGiXuzbBtyXpJGWCAz8MBHVC0qA1H7Lf EhK7HBpf1dybG7yyIC2M5wV9wMi8y1fB0m05HNH5JmYoVe1oZFtdaeV8XFNmLxqa Gjh9SOwo41YTX+tPciv1Z0Y6i+4XBYSaSw8FUh9Xm1E3ceJHBVx3GNsde9KZ4Vng twCWeii97hhnnmKjhZ67B/AzuvJz2ar5AmHaj8nL8wAlK1xd14l7O2LGAKeLQe0x +R/0ihjae/y2SUnnffOt0k9X9oqYF/E59QKArY//8j/aoMJtbKYZfu+pEoYIjrdF z5TOdQR6W0ePo1gOPE37bIgMAhj3Yw== =8mQZ -----END PGP SIGNATURE----- --==-=-=--