authorMichael Weiss <dev.primeos@gmail.com>2020-10-07 13:39:57 +0200
committerMichael Weiss <dev.primeos@gmail.com>2020-10-07 20:37:35 +0200
commitf79703e50c645b3193f338d7058d5d8ac8f3cb9a (patch)
tree5b0e1e65237ca11fae105ad1e7961ba8c80bb870
parent00e3a3a8552f844a82ddb56a9e96675bbea07739 (diff)
chromium: 85.0.4183.121 -> 86.0.4240.75
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html

This update includes 35 security fixes.

CVEs:
CVE-2020-15967 CVE-2020-15968 CVE-2020-15969 CVE-2020-15970
CVE-2020-15971 CVE-2020-15972 CVE-2020-15990 CVE-2020-15991
CVE-2020-15973 CVE-2020-15974 CVE-2020-15975 CVE-2020-15976
CVE-2020-6557 CVE-2020-15977 CVE-2020-15978 CVE-2020-15979
CVE-2020-15980 CVE-2020-15981 CVE-2020-15982 CVE-2020-15983
CVE-2020-15984 CVE-2020-15985 CVE-2020-15986 CVE-2020-15987
CVE-2020-15992 CVE-2020-15988 CVE-2020-15989
-rw-r--r--pkgs/applications/networking/browsers/chromium/common.nix24
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix15
-rw-r--r--pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch61
-rw-r--r--pkgs/applications/networking/browsers/chromium/upstream-info.json18
4 files changed, 19 insertions, 99 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index a79a48fffcc..af2d27342f8 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -13,7 +13,6 @@
 , bison, gperf
 , glib, gtk3, dbus-glib
 , glibc
-, xorg
 , libXScrnSaver, libXcursor, libXtst, libGLU, libGL
 , protobuf, speechd, libXdamage, cups
 , ffmpeg_3, libxslt, libxml2, at-spi2-core
@@ -131,7 +130,6 @@ let
       ninja which python2Packages.python perl pkgconfig
       python2Packages.ply python2Packages.jinja2 nodejs
       gnutar python2Packages.setuptools
-      (xorg.xcbproto.override { python = python2Packages.python; })
     ];
 
     buildInputs = defaultDependencies ++ [
@@ -150,9 +148,7 @@ let
       ++ optional pulseSupport libpulseaudio
       ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ];
 
-    patches = optionals (versionRange "68" "86") [
-      ./patches/nix_plugin_paths_68.patch
-    ] ++ [
+    patches = [
       ./patches/remove-webp-include-69.patch
       ./patches/no-build-timestamps.patch
       ./patches/widevine-79.patch
@@ -166,18 +162,19 @@ let
       #
       # ++ optionals (channel == "dev") [ ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" ) ]
       # ++ optional (versionRange "68" "72") ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" )
-    ] ++ optionals (useVaapi && versionRange "68" "86") [ # Improvements for the VA-API build:
-      ./patches/enable-vdpau-support-for-nvidia.patch # https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
-      ./patches/enable-video-acceleration-on-linux.patch # Can be controlled at runtime (i.e. without rebuilding Chromium)
-    ];
+    ]; # TODO: VA-API patches (we should be able to drop enable-video-acceleration-on-linux.patch now):
+    # ++ optionals (useVaapi && versionRange "68" "86") [ # Improvements for the VA-API build:
+    #   ./patches/enable-vdpau-support-for-nvidia.patch # https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
+    #   ./patches/enable-video-acceleration-on-linux.patch # Can be controlled at runtime (i.e. without rebuilding Chromium)
+    # ];
 
-    postPatch = optionalString (!versionRange "0" "86") ''
+    postPatch = ''
       # Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
       substituteInPlace native_client/SConstruct \
         --replace "#! -*- python -*-" ""
       substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
         --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
-    '' + ''
+
       # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
       substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
         --replace \
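Review bot: With the VA-API entries commented out after the closing `];` of `patches`, `useVaapi = true` no longer applies either patch, and the only record of that is a TODO trailing the list terminator. The commented block also keeps `versionRange "68" "86"`; judging by the old `postPatch` guard `!versionRange "0" "86"`, the upper bound appears to be exclusive, so re-enabling the block verbatim would still skip 86. I would drop the dead block and leave one standalone comment above `postPatch`, for example `# TODO: useVaapi applies no patches on >= 86; re-check enable-vdpau-support-for-nvidia.patch`. The `patches` list starts in the previous hunk, and the `postPatch` string continues past the end of this one.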
@@ -195,11 +192,6 @@ let
           '/usr/share/locale/' \
           '${glibc}/share/locale/'
 
-      substituteInPlace ui/gfx/x/BUILD.gn \
-        --replace \
-          '/usr/share/xcb' \
-          '${xorg.xcbproto}/share/xcb/'
-
       sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg_utils}/bin/xdg-@' \
         chrome/browser/shell_integration_linux.cc
 
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 7f5378e2b19..d16decfeeda 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -1,5 +1,5 @@
 { newScope, config, stdenv, fetchurl, makeWrapper
-, llvmPackages_10, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
+, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
 , glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit
 , libva ? null
 , pipewire_0_2
@@ -23,7 +23,7 @@
 }:
 
 let
-  llvmPackages = llvmPackages_10;
+  llvmPackages = llvmPackages_11;
   stdenv = llvmPackages.stdenv;
 
   callPackage = newScope chromium;
@@ -38,16 +38,6 @@ let
               cupsSupport pulseSupport useOzone;
       # TODO: Remove after we can update gn for the stable channel (backward incompatible changes):
       gnChromium = gn.overrideAttrs (oldAttrs: {
-        version = "2020-05-19";
-        src = fetchgit {
-          url = "https://gn.googlesource.com/gn";
-          rev = "d0a6f072070988e7b038496c4e7d6c562b649732";
-          sha256 = "0197msabskgfbxvhzq73gc3wlr3n9cr4bzrhy5z5irbvy05lxk17";
-        };
-      });
-    } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "86") {
-      llvmPackages = llvmPackages_11;
-      gnChromium = gn.overrideAttrs (oldAttrs: {
         version = "2020-07-20";
         src = fetchgit {
           url = "https://gn.googlesource.com/gn";
@@ -56,7 +46,6 @@ let
         };
       });
     } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "87") {
-      llvmPackages = llvmPackages_11;
       useOzone = true; # YAY: https://chromium-review.googlesource.com/c/chromium/src/+/2382834 \o/
       gnChromium = gn.overrideAttrs (oldAttrs: {
         version = "2020-08-17";
diff --git a/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch b/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch
deleted file mode 100644
index da6a4c92b46..00000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_68.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
-index f4e119d..d9775bd 100644
---- a/chrome/common/chrome_paths.cc
-+++ b/chrome/common/chrome_paths.cc
-@@ -68,21 +68,14 @@ static base::LazyInstance<base::FilePath>
-     g_invalid_specified_user_data_dir = LAZY_INSTANCE_INITIALIZER;
- 
- // Gets the path for internal plugins.
--bool GetInternalPluginsDirectory(base::FilePath* result) {
--#if defined(OS_MACOSX)
--  // If called from Chrome, get internal plugins from a subdirectory of the
--  // framework.
--  if (base::mac::AmIBundled()) {
--    *result = chrome::GetFrameworkBundlePath();
--    DCHECK(!result->empty());
--    *result = result->Append("Internet Plug-Ins");
--    return true;
--  }
--  // In tests, just look in the module directory (below).
--#endif
--
--  // The rest of the world expects plugins in the module directory.
--  return base::PathService::Get(base::DIR_MODULE, result);
-+bool GetInternalPluginsDirectory(base::FilePath* result,
-+                                 const std::string& ident) {
-+  std::string full_env = std::string("NIX_CHROMIUM_PLUGIN_PATH_") + ident;
-+  const char* value = getenv(full_env.c_str());
-+  if (value == NULL)
-+      return base::PathService::Get(base::DIR_MODULE, result);
-+  else
-+      *result = base::FilePath(value);
- }
- 
- // Gets the path for bundled implementations of components. Note that these
-@@ -272,7 +265,7 @@ bool PathProvider(int key, base::FilePath* result) {
-       create_dir = true;
-       break;
-     case chrome::DIR_INTERNAL_PLUGINS:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "ALL"))
-         return false;
-       break;
-     case chrome::DIR_COMPONENTS:
-@@ -280,7 +273,7 @@ bool PathProvider(int key, base::FilePath* result) {
-         return false;
-       break;
-     case chrome::DIR_PEPPER_FLASH_PLUGIN:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "PEPPERFLASH"))
-         return false;
-       cur = cur.Append(kPepperFlashBaseDirectory);
-       break;
-@@ -358,7 +351,7 @@ bool PathProvider(int key, base::FilePath* result) {
-         cur = cur.DirName();
-       }
- #else
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "PNACL"))
-         return false;
- #endif
-       cur = cur.Append(FILE_PATH_LITERAL("pnacl"));
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.json b/pkgs/applications/networking/browsers/chromium/upstream-info.json
index ec8fc3407d2..9ea7182b96d 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@@ -1,17 +1,17 @@
 {
   "stable": {
-    "version": "85.0.4183.121",
-    "sha256": "0a1xn39kmvyfpal6pgnylpy30z0322p3v7sx6vxi0r2naiz58670",
-    "sha256bin64": "08vqf1v91703aik47344bl409rsl4myar9bsd2lsvzqncncwsaca"
+    "version": "86.0.4240.75",
+    "sha256": "1ddw4p9zfdzhi5hrd8x14k4w326znljzprnpfi2f917rlpnl2ynx",
+    "sha256bin64": "17isxkd80rccqim6izzl08vw4yr52qsk6djp1rmhhijzg9rsvghz"
   },
   "beta": {
-    "version": "86.0.4240.42",
-    "sha256": "06cfhiym9xmz2q86v6b6xcicrrp2pmr7karavylzz4fqvwd2v6fa",
-    "sha256bin64": "1z5zmdc2i31iimps7p5z43vv4qi83c8ljb7x68zc1rvf8x62p7xj"
+    "version": "86.0.4240.75",
+    "sha256": "1ddw4p9zfdzhi5hrd8x14k4w326znljzprnpfi2f917rlpnl2ynx",
+    "sha256bin64": "16snxdka5bkbvybx6x0dzgfbfaifv0jcc1dcny6vlqqp2fmb2v39"
   },
   "dev": {
-    "version": "87.0.4263.3",
-    "sha256": "1ybfrlm4417lpbg5qcwhq5p6nnxrw68wzyy5zvb1sg1ma8s9hhkk",
-    "sha256bin64": "1f7a272kalglmdwmrrzb4iw3crvvpv3mhxca5jh75qpldn4gby6m"
+    "version": "87.0.4278.0",
+    "sha256": "1ywmv4iwn2as7vk2n0pslnmr300fl5y809ynxiw5xqcx9j6i8w85",
+    "sha256bin64": "15dvwvk6l6n7l04085hr48hlvsijypasyk7d8iq3s6cxai3wx4cl"
   }
 }