Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 684272 (CVE-2019-5805, CVE-2019-5806, CVE-2019-5807, CVE-2019-5808, CVE-2019-5809, CVE-2019-5810, CVE-2019-5811, CVE-2019-5812, CVE-2019-5813, CVE-2019-5814, CVE-2019-5815, CVE-2019-5816, CVE-2019-5817, CVE-2019-5818, CVE-2019-5819, CVE-2019-5820, CVE-2019-5821, CVE-2019-5822, CVE-2019-5823) - <www-client/chromium-74.0.3729.108 version bump has high CVE fixes
Summary: <www-client/chromium-74.0.3729.108 version bump has high CVE fixes
Status: RESOLVED FIXED
Alias: CVE-2019-5805, CVE-2019-5806, CVE-2019-5807, CVE-2019-5808, CVE-2019-5809, CVE-2019-5810, CVE-2019-5811, CVE-2019-5812, CVE-2019-5813, CVE-2019-5814, CVE-2019-5815, CVE-2019-5816, CVE-2019-5817, CVE-2019-5818, CVE-2019-5819, CVE-2019-5820, CVE-2019-5821, CVE-2019-5822, CVE-2019-5823
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords: PullRequest, STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-04-24 14:19 UTC by wbrana
Modified: 2019-08-15 16:03 UTC (History)
17 users (show)

See Also:
Package list:
www-client/chromium-74.0.3729.169
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
Partly Tested ebuild (chromium-74.0.3729.131.ebuild,20.98 KB, text/plain)
2019-05-08 11:57 UTC, richard
no flags Details
Looks like Clang6 won't work without further patches. (clangfail,31.53 KB, text/plain)
2019-05-08 23:53 UTC, richard
no flags Details
FireBurn build failure. (gccfail,198.18 KB, text/plain)
2019-05-09 01:23 UTC, richard
no flags Details
Clang7 is a Win (chromium74-0-3729-131ebuildfiles.tar.gz,10.92 KB, application/gzip)
2019-05-12 21:04 UTC, richard
no flags Details
Build log failure chromium-74.0.3729.157 (build.log.xz,5.43 KB, application/x-xz)
2019-05-15 14:51 UTC, Mike Lothian
no flags Details
Gallium Vaapi Fix (01-chromium.conf,966 bytes, text/plain)
2019-05-16 22:58 UTC, Mike Lothian
no flags Details
enable-vaapi.patch (enable-vaapi.patch,3.94 KB, patch)
2019-05-18 04:16 UTC, Peter Levine
no flags Details | Diff
enable-vaapi.patch (enable-vaapi.patch,15.91 KB, patch)
2019-05-18 04:23 UTC, Peter Levine
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 08:12:27 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 2 Mike Gilbert gentoo-dev 2019-04-27 22:43:51 UTC
It will probably be a while until I can commit a suitable version of chromium. There are multiple build failures with gcc, and I have not been able to find a magic combination of patches to make it work.
Comment 3 Alex 2019-04-28 05:11:02 UTC
Why not build it with clang as intended? At least for now gcc folks haven’t broken compatibility with clang, but it may happen with new version.
Comment 4 Mike Gilbert gentoo-dev 2019-04-28 13:37:15 UTC
I would like to avoid flipping between toolchains every release, and some people were very unhappy with forced clang.
Comment 5 wbrana 2019-04-28 13:46:49 UTC
Gentoo contains unsafe web browser because some people don't like clang. Seriously?
Comment 6 Mike Gilbert gentoo-dev 2019-04-29 18:07:54 UTC
I'm not going to argue about this anymore. I'll work on this if/when I have time.
Comment 7 Alex 2019-05-01 18:14:03 UTC
www-client/chromium-clang?
Comment 8 wbrana 2019-05-02 08:55:42 UTC
Gentoo Vulnerability Treatment Policy
https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
Comment 9 Mike Lothian 2019-05-02 16:50:29 UTC
Hi Mike

Are the required patches in a repo somewhere? I'll quite happily find a combo that works if you're busy

I'll see what the Arch folk are doing

The build failures I've been seeing in the last few releases had more to do with the C/C++ library than GCC itself
Comment 10 Mike Gilbert gentoo-dev 2019-05-02 18:07:49 UTC
(In reply to Mike Lothian from comment #9)

Part of the problem is I don't know if the patches exist anywhere or not. It may still be broken upstream.

This upstream tracker bug is usually pretty helpful, but I haven't had much luck.

https://crbug.com/819294

There was quite a bit of refactoring that happened in the "base" component, so it's hard to tell what is relevant to GCC and also difficult to extract just the necessary parts.
Comment 11 Mike Gilbert gentoo-dev 2019-05-02 18:21:29 UTC
Here's my work-in-progress.

https://github.com/floppym/gentoo/commits/chromium-74

If you can make this work with either gcc or clang, I would appreciate the help.
Comment 12 richard 2019-05-03 00:36:02 UTC
The Ubuntu and Debian guys have this working. I had a look at what the Ubuntu guys did, they appear to be running Clang with some patches.

http://deb.debian.org/debian/pool/main/c/chromium/chromium_74.0.3729.108-1.debian.tar.xz
Comment 13 Mike Gilbert gentoo-dev 2019-05-03 03:12:24 UTC
If you can get it working with debians patches, please submit a pull request or attach the necessary files.
Comment 14 Alex 2019-05-08 04:50:22 UTC
chromium-74.0.3729.131 version builds with clang just fine.

Maybe the other 2 patches can be dropped too.
Haven't tried gcc. 

clang is set via package.env in my case.

--- /usr/portage/www-client/chromium/chromium-73.0.3683.86.ebuild       2019-04-19 20:04:39.612025695 +0300
+++ chromium-74.0.3729.131.ebuild       2019-05-07 21:59:49.719709392 +0300
@@ -139,17 +139,8 @@
 "
 
 PATCHES=(
-       "${FILESDIR}/chromium-compiler-r7.patch"
        "${FILESDIR}/chromium-widevine-r4.patch"
        "${FILESDIR}/chromium-fix-char_traits.patch"
-       "${FILESDIR}/chromium-73-gcc-0.patch"
-       "${FILESDIR}/chromium-73-gcc-1.patch"
-       "${FILESDIR}/chromium-73-gcc-2.patch"
-       "${FILESDIR}/chromium-73-gcc-3.patch"
-       "${FILESDIR}/chromium-73-gcc-4.patch"
-       "${FILESDIR}/chromium-73-gcc-5.patch"
-       "${FILESDIR}/chromium-73-gcc-6.patch"
-       "${FILESDIR}/chromium-73-xdg-current-desktop.patch"
 )
 
 pre_build_checks() {
@@ -252,12 +243,15 @@
                third_party/crashpad/crashpad/third_party/zlib
                third_party/crc32c
                third_party/cros_system_api
+               third_party/dav1d
                third_party/devscripts
                third_party/dom_distiller_js
+               third_party/emoji-segmenter
                third_party/fips181
                third_party/flatbuffers
                third_party/flot
                third_party/freetype
+               third_party/glslang
                third_party/google_input_tools
                third_party/google_input_tools/third_party/closure_library
                third_party/google_input_tools/third_party/closure_library/third_party/closure
Comment 15 Mike Lothian 2019-05-08 11:00:50 UTC
I tried using the patches from https://sources.debian.org/patches/chromium/74.0.3729.108-1/?page=1

But I ran into the Angle issue (seen in https://bugs.gentoo.org/681870) which I don't think is GCC 9 related but possibly related to my and the reporters setup

I'm currently compiling with Clang 9999 with the vaapi patch, I notice there are patches there to get things running with the system libraries too if you're interested
Comment 16 Mike Lothian 2019-05-08 11:33:54 UTC
The build failed with Clang 9999

FAILED: obj/chrome/browser/ui/ui/tab_strip_model_observer.o
clang++ -MMD -MF obj/chrome/browser/ui/ui/tab_strip_model_observer.o.d -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_NSS_CE=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -DCR_CLANG_REVISION=\"354873-1\" -D__STDC_CONSTANT_MACROS -DALLOWED=GLIB_VERSION_2_32 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -DENABLE_IPC_FUZZER -DTOOLKIT_VIEWS=1 -DVK_NO_PRRTTI -DGOOGLE_PROTOBUF_NO_STATIC_INITIALIZER -DHAVE_PTHREAD -DLEVELDB_PLATFORM_CHROMIUM=1 -DLEVELDB_PLATFORM_CHROMIUM=1
DUCHAR_TYPE=uint16_t -DWEBRTC_NON_STATIC_TRACE_EVENT_HANDLERS=0 -DWEBRTC_CHROMIUM_BUILD -DWEBRTC_POSIX -DWEBRTC_LINUX -DJPEG_LIBRARY -DSK_VULKAN_HEADER=\"../../skia/config/SkVulkanConfig.h\" -DSK_VULKAN=1 -DSK_SUPPORT_GPU=1 -DSK_GPU_WORKARODDER -DPERFETTO_BUILD_WITH_CHROMIUM -DPERFETTO_FORCE_DLOG=0 -DI18N_ADDRESS_VALIDATION_DATA_URL=\"https://chromium-i18n.ahim_headers/snappy_shim -I../../third_party/libyuv/include -Igen/shim_headers/libpng_shim -Igen/shim_headers/libwebp_shi_shim -Igen/shim_headers/flac_shim -I../../third_party/protobuf/src -Igen/protoc_out -I../../third_party/protobuf/src -Iveldatabase/src/include -I../../third_party/ced/src -I../../third_party/icu/source/common -I../../third_party/icu/sourceskia/config -I../../skia/ext -I../../third_party/skia/include/c -I../../third_party/skia/include/codec -I../../third_parfects -I../../third_party/skia/include/encode -I../../third_party/skia/include/gpu -I../../third_party/skia/include/pathty/skia/third_party/vulkanmemoryallocator -I../../third_party/skia/src/gpu -I../../third_party/skia/src/sksl -I../../thi8/include -I../../third_party/perfetto/include -Igen/third_party/perfetto/protos -I../../testing/gtest/include -Igen/thihird_party/metrics_proto -I../../third_party/mesa_headers -Igen -Igen -Igen -Igen -I../../third_party/libaddressinput/srs/src/include -I../../third_party/brotli/include -Igen -Igen -Igen -Igen -Igen -fno-strict-aliasing --param=ssp-buffer-sower-dbg-declare=0 -m64 -march=x86-64 -Wno-builtin-macro-redefined -D__DATE__= -D__TIME__= -D__TIMESTAMP__= -no-canonicawing -Wno-unneeded-internal-declaration -Wno-undefined-var-template -Wno-ignored-pragma-optimize -O2 -fno-ident -fdata-sp-compare -Wexit-time-destructors -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -I/usr/include/glib-2include/nss -I/usr/include/nspr -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -std=c++14 -fno-exceptions -fno-rthrome/browser/ui/ui/tab_strip_model_observer.o
../../chrome/browser/ui/tabs/tab_strip_model_observer.cc:51:22: error: defaulting this default constructor would delete
TabStripModelChange::TabStripModelChange() = default;
                     ^
../../chrome/browser/ui/tabs/tab_strip_model_observer.h:106:28: note: default constructor of 'TabStripModelChange' is im  const std::vector<Delta> deltas_;
                           ^
1 error generated.
Comment 17 richard 2019-05-08 11:57:51 UTC
Created attachment 575526 [details]
Partly Tested ebuild

Ok, so after combining my testing and Alex's work. I've got Chromium 74 running.
Draft ebuild attached.
There's some irregularities in my system. So I'm going to clean some out and do some more QA. For example, I built with clang 8. Not 6 which is what is in stable.
Comment 18 Mike Lothian 2019-05-08 13:34:10 UTC
I fixed that default constructor issue locally

I've pushed the ebuild with the patches to the FireBurn overlay if you're interested

https://github.com/FireBurn/Overlay/commit/ba21c73d3a4bce76e1746433648ca21ca8692a30
Comment 19 Andrew Udvare 2019-05-08 17:56:25 UTC
The ebuild in the FireBurn overlay fails immediately if libva is not installed. Can we keep libva optional?
Comment 20 richard 2019-05-08 23:53:16 UTC
Created attachment 575558 [details]
Looks like Clang6 won't work without further patches.

Looks like Clang6 isn't viable without patches as well.
Comment 21 richard 2019-05-09 01:23:00 UTC
Created attachment 575560 [details]
FireBurn build failure.

Hey Mike, I copied your ebuild locally and attempted to build it. I have attached the failure log.

I cleaned my system up a bit to make it similar to a normal system so it should have been a good test case.
Comment 22 Alexei Kharitonov 2019-05-09 11:04:58 UTC
(In reply to thesirdmz from comment #21)
> Created attachment 575560 [details]
> FireBurn build failure.
> 
> Hey Mike, I copied your ebuild locally and attempted to build it. I have
> attached the failure log.
> 
> I cleaned my system up a bit to make it similar to a normal system so it
> should have been a good test case.

@thesirdmz

Do first:

export CHROMIUM_FORCE_CLANG=yes

then you can emerge chromium::FireBurn
Comment 23 Mike Lothian 2019-05-09 11:09:11 UTC
Here's my env entry:

CC=clang
CXX=clang++
CFLAGS="-O3 -pipe -flto=thin -march=native"
CXXFLAGS="${CFLAGS}"
LDFLAGS="${CFLAGS}"
AR="llvm-ar"
NM="llvm-nm"
RANLIB="llvm-ranlib"

I'll need to look into why building with USE=-vaapi isn't working
Comment 24 Andrew Udvare 2019-05-09 14:41:51 UTC
Mike (and Mike Gilbert), any thoughts on making the ebuild for 75 (current beta)?

https://chromereleases.googleblog.com/2019/05/beta-channel-update-for-desktop_8.html
Comment 25 Mike Lothian 2019-05-09 15:39:06 UTC
I've added one to my Overlay, I'm compiling it now with Clang 9999 but it takes a while with LTO

Feel free to give it a go and report back
Comment 26 Andrew Udvare 2019-05-09 17:15:17 UTC
Compiling now (without LTO). Will report back.
Comment 27 Andrew Udvare 2019-05-09 17:42:50 UTC
FAILED: obj/cc/cc/compositor_frame_reporting_controller.o
clang++ -MMD -MF obj/cc/cc/compositor_frame_reporting_controller.o.d -DCC_IMPLEMENTATION=1 -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -DUSE_X11=1
-DNO_TCMALLOC -DFULL_SAFE_BROWSING -DSAFE_BROWSING_CSD -DSAFE_BROWSING_DB_LOCAL -DCHROMIUM_BUILD -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOU
RCE -D_GNU_SOURCE -DCR_CLANG_REVISION=\"357692-1\" -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D_FORTIFY_SOURCE=2 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATI
ONS_ENABLED=0 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_32 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -DENABLE_IPC_FUZZER -DVK_NO_PROTOTYPES -DGL_GLEXT_PRO
TOTYPES -DUSE_GLX -DUSE_EGL -DSK_HAS_PNG_LIBRARY -DSK_HAS_WEBP_LIBRARY -DSK_HAS_JPEG_LIBRARY -DSK_VULKAN_HEADER=\"../../skia/config/SkVulkanConfig.h\" -DSK_VU
LKAN=1 -DSK_SUPPORT_GPU=1 -DSK_GPU_WORKAROUNDS_HEADER=\"gpu/config/gpu_driver_bug_workaround_autogen.h\" -DVK_NO_PROTOTYPES -DGOOGLE_PROTOBUF_NO_RTTI -DGOOGLE
_PROTOBUF_NO_STATIC_INITIALIZER -DHAVE_PTHREAD -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DUSE_CHROMIUM_ICU=1 -DU_STATIC_IMPLEMENTATION -DICU_UTIL_DATA_IM
PL=ICU_UTIL_DATA_FILE -DUCHAR_TYPE=uint16_t -DLEVELDB_PLATFORM_CHROMIUM=1 -DLEVELDB_PLATFORM_CHROMIUM=1 -I../.. -Igen -Igen/shim_headers/libpng_shim -Igen/shi
m_headers/libwebp_shim -Igen/shim_headers/zlib_shim -I../../third_party/khronos -I../../gpu -Igen/shim_headers/libdrm_shim -I../../third_party/vulkan/include
-I../../third_party/libyuv/include -Igen/shim_headers/re2_shim -Igen/shim_headers/snappy_shim -I../../skia/config -I../../skia/ext -I../../third_party/skia/in
clude/c -I../../third_party/skia/include/codec -I../../third_party/skia/include/config -I../../third_party/skia/include/core -I../../third_party/skia/include/
docs -I../../third_party/skia/include/effects -I../../third_party/skia/include/encode -I../../third_party/skia/include/gpu -I../../third_party/skia/include/pa
thops -I../../third_party/skia/include/ports -I../../third_party/skia/include/utils -I../../third_party/vulkan/include -I../../third_party/skia/third_party/vu
lkanmemoryallocator -I../../third_party/skia/src/gpu -I../../third_party/skia/src/sksl -I../../third_party/skia/modules/skottie/include -I../../third_party/vu
lkan/include -I../../third_party/protobuf/src -Igen/protoc_out -Igen/third_party/metrics_proto -I../../third_party/protobuf/src -I../../third_party/ced/src -I
../../third_party/icu/source/common -I../../third_party/icu/source/i18n -I../../third_party/libwebm/source -I../../third_party/leveldatabase -I../../third_par
ty/leveldatabase/src -I../../third_party/leveldatabase/src/include -I../../third_party/mesa_headers -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-pro
tector -funwind-tables -fPIC -pthread -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tools/clang/crashreports -Xclang -mllvm -Xclang
-instcombine-lower-dbg-declare=0 -m64 -march=x86-64 -Wno-builtin-macro-redefined -D__DATE__= -D__TIME__= -D__TIMESTAMP__= -no-canonical-prefixes -Wall -Wextra
-Wimplicit-fallthrough -Wthread-safety -Wextra-semi -Wno-missing-field-initializers -Wno-unused-parameter -Wno-c++11-narrowing -Wno-unneeded-internal-declara
tion -Wno-undefined-var-template -Wno-ignored-pragma-optimize -fno-omit-frame-pointer -g0 -fvisibility=hidden -Wheader-hygiene -Wstring-conversion -Wtautologi
cal-overlap-compare -Wexit-time-destructors -O2 -fno-ident -fdata-sections -ffunction-sections -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -Wno-shor
ten-64-to-32 -std=c++14 -fno-exceptions -fno-rtti -fvisibility-inlines-hidden -O2 -pipe -march=native -c ../../cc/scheduler/compositor_frame_reporting_control
ler.cc -o obj/cc/cc/compositor_frame_reporting_controller.o
../../cc/scheduler/compositor_frame_reporting_controller.cc:34:3: error: no matching function for call to 'MakeCheckOpValueString'
DCHECK_NE(reporters_[PipelineStage::kBeginMainFrame],
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/logging.h:940:31: note: expanded from macro 'DCHECK_NE'
#define DCHECK_NE(val1, val2) DCHECK_OP(NE, !=, val1, val2)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/logging.h:911:29: note: expanded from macro 'DCHECK_OP'
EAT_STREAM_PARAMETERS << (::logging::MakeCheckOpValueString(      \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../base/logging.h:724:18: note: candidate function not viable: no known conversion from 'std::unique_ptr<CompositorFrameReporter>' to 'std::nullptr_t' (aka
'nullptr_t') for 2nd argument
BASE_EXPORT void MakeCheckOpValueString(std::ostream* os, std::nullptr_t p);
^
../../base/logging.h:695:1: note: candidate template ignored: requirement 'base::internal::SupportsOstreamOperator<const std::unique_ptr<cc::CompositorFrameRe
porter, std::default_delete<cc::CompositorFrameReporter> > &, void>::value' was not satisfied [with T = std::unique_ptr<cc::CompositorFrameReporter, std::defa
ult_delete<cc::CompositorFrameReporter> >]
MakeCheckOpValueString(std::ostream* os, const T& v) {
^
../../base/logging.h:708:1: note: candidate template ignored: requirement 'std::is_function<std::unique_ptr<cc::CompositorFrameReporter, std::default_delete<c
c::CompositorFrameReporter> > >::value' was not satisfied [with T = std::unique_ptr<cc::CompositorFrameReporter, std::default_delete<cc::CompositorFrameReport
er> >]
MakeCheckOpValueString(std::ostream* os, const T& v) {
^
../../base/logging.h:719:1: note: candidate template ignored: requirement 'std::is_enum<std::unique_ptr<cc::CompositorFrameReporter, std::default_delete<cc::C
ompositorFrameReporter> > >::value' was not satisfied [with T = std::unique_ptr<cc::CompositorFrameReporter, std::default_delete<cc::CompositorFrameReporter>
>]
MakeCheckOpValueString(std::ostream* os, const T& v) {
^
../../cc/scheduler/compositor_frame_reporting_controller.cc:34:3: error: no matching function for call to 'MakeCheckOpValueString'
Comment 28 Mike Lothian 2019-05-10 15:05:37 UTC
I've got chromium 75 working with clang-9999 and pushed to my repo, patched were from arch - chromium-dev
Comment 29 Andrew Udvare 2019-05-10 19:19:56 UTC
(In reply to Mike Lothian from comment #28)
> I've got chromium 75 working with clang-9999 and pushed to my repo, patched
> were from arch - chromium-dev

Successfully built with Clang 8.
Comment 30 richard 2019-05-12 13:21:11 UTC
Great News Everyone!
Clang 7.1 appears to have been stabilized.

I am currently building 74.0.3729.131 with it and everything is going along smoothly. It has passed all the regular failure points. So in theory it should pass.
Comment 31 richard 2019-05-12 21:04:21 UTC
Created attachment 576244 [details]
Clang7 is a Win

Ok Clang 7.1 which has been stabilized and 74 builds fine with it.
Comment 32 Mike Gilbert gentoo-dev 2019-05-15 13:50:44 UTC
Thanks for testing everyone. I'll try a build with clang this week and hopefully get something pushed.
Comment 33 Mike Lothian 2019-05-15 14:04:40 UTC
A new stable release is out 74.0.3729.157, which doesn't work with the patches given

I'm not sure the vaapi patch is worth it, on my Raven system it just produces garbled output and on my Intel/AMD PRIME desktop it errors out as it uses that hardcoded /dev/dri/renderD128 which is the discrete graphics on my laptop

I'm going to look at the code MPV uses to select the currently used FD instead of hard coding it
Comment 34 Alex 2019-05-15 14:11:04 UTC
I was able to build 74.0.3729.157 with clang-8 with chromium-deconst.patch 

https://github.com/FireBurn/Overlay/commit/ba21c73d3a4bce76e1746433648ca21ca8692a30#diff-4f4028433668582ccea798f9d93a9704
Comment 35 Mike Lothian 2019-05-15 14:51:34 UTC
Created attachment 576776 [details]
Build log failure chromium-74.0.3729.157
Comment 36 Andrew Udvare 2019-05-15 15:48:39 UTC
(In reply to Mike Lothian from comment #35)
> Created attachment 576776 [details]
> Build log failure chromium-74.0.3729.157

You have to use Clang to build.

> I'm not sure the vaapi patch is worth it, on my Raven system it just produces garbled output and on my Intel/AMD PRIME desktop it errors out as it uses that hardcoded /dev/dri/renderD128 which is the discrete graphics on my laptop

Mike Gilbert, I assume you would go without the VA-API patches?
Comment 37 Mike Lothian 2019-05-15 15:54:01 UTC
I did use clang using the usual way I do it, an entry in package.env
Comment 38 Mike Gilbert gentoo-dev 2019-05-15 16:03:09 UTC
(In reply to Andrew Udvare from comment #36)
> Mike Gilbert, I assume you would go without the VA-API patches?

Correct.
Comment 39 Mike Lothian 2019-05-16 15:31:52 UTC
I've put the following ebuilds into my overlay:

chromium-74.0.3729.157.ebuild
chromium-75.0.3770.38.ebuild

Version 75 compiled fine for me with Clang-9999 and Version 74 didn't but Alex confirmed it worked with Clang-8 so I've committed it
Comment 40 Mike Lothian 2019-05-16 22:58:56 UTC
Created attachment 576976 [details]
Gallium Vaapi Fix

So the reason vaapi wasn't working on my Raven system, was 10bit configs needed to be forced off

So I've got the ebuild creating /usr/share/drirc.d/01-chromium.conf with the necessary bits to force it off

I'm also experimenting with allowing Chromium access to /dev/dri/renderD129 was well as D128 - which hopefully might fix my PRIME issues
Comment 41 Andrew Udvare 2019-05-17 00:59:06 UTC
Does your VA-API patch work with Nvidia drivers (with x11-libs/libva-vdpau-driver installed)? I did not test this on my setup.
Comment 42 Peter Levine 2019-05-18 04:16:38 UTC
Created attachment 577140 [details, diff]
enable-vaapi.patch

Having tested the chromium-74.0.3729.157 build with vaapi enabled on an nvidia prime setup using x11-drivers/nvidia-drivers-430.14, the current patch doesn't work and emits the following:

> [7378:7378:0517/142452.865469:ERROR:vaapi_wrapper.cc(1457)] vaCreateConfig failed VA error: the requested VAProfile is not supported
> [7378:7378:0517/142452.865673:ERROR:vaapi_wrapper.cc(850)] Failed to create VaapiWrapper for va_profile: -1

This is a patch based on the one from https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/enable_vaapi_on_linux_2.diff.

Using it in place of the current enable-vaapi.patch enabled vaapi on my platform when chromium is run with the "--disable-gpu-sandbox" and "--disable-features=MojoVideoDecoder" flags (provided x11-libs/libva-vdpau-driver was build with the patch from https://github.com/saiarcot895/chromium-ubuntu-build/issues/13#issuecomment-326765168 and the h264ify browser extension is installed).
Comment 43 Peter Levine 2019-05-18 04:23:42 UTC
Created attachment 577142 [details, diff]
enable-vaapi.patch

Sorry, wrong patch.  This is the one that worked.
Comment 44 Stephan Hartmann (RETIRED) gentoo-dev 2019-05-22 17:18:54 UTC
I was able to build chromium-74.0.3729.157 with gcc-8.3.0 with the following four patches:

https://chromium-review.googlesource.com/c/chromium/src/+/1550366
https://chromium-review.googlesource.com/c/chromium/src/+/1478897
https://chromium-review.googlesource.com/c/chromium/src/+/1550363
https://quiche-review.googlesource.com/c/quiche/+/2403 (applied to net/third_party)

However, I did not test if this also works with clang.
Comment 45 Stephan Hartmann (RETIRED) gentoo-dev 2019-05-22 20:37:35 UTC
(In reply to Stephan Hartmann from comment #44)
> I was able to build chromium-74.0.3729.157 with gcc-8.3.0 with the following
> four patches:
> 
> https://chromium-review.googlesource.com/c/chromium/src/+/1550366
> https://chromium-review.googlesource.com/c/chromium/src/+/1478897
> https://chromium-review.googlesource.com/c/chromium/src/+/1550363
> https://quiche-review.googlesource.com/c/quiche/+/2403 (applied to
> net/third_party)
> 
> However, I did not test if this also works with clang.

clang-7.1 works with this too.
Comment 46 Mike Gilbert gentoo-dev 2019-05-28 00:32:23 UTC
If someone wants to create a pull request with a working patchset, that would be very helpful.
Comment 47 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-06-09 20:17:45 UTC
amd64 stable
Comment 48 Larry the Git Cow gentoo-dev 2019-06-16 23:35:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12f7137d8a7c20d00b6756d12cbd7b0ec1b36c28

commit 12f7137d8a7c20d00b6756d12cbd7b0ec1b36c28
Author:     Stephan Hartmann <stha09@googlemail.com>
AuthorDate: 2019-06-16 13:39:08 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-06-16 23:34:32 +0000

    www-client/chromium: security cleanup
    
    Bug: https://bugs.gentoo.org/684272
    Package-Manager: Portage-2.3.66, Repoman-2.3.11
    Signed-off-by: Stephan Hartmann <stha09@googlemail.com>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/chromium/Manifest                       |   2 -
 www-client/chromium/chromium-73.0.3683.75.ebuild   | 717 --------------------
 www-client/chromium/chromium-73.0.3683.86.ebuild   | 718 ---------------------
 www-client/chromium/files/chromium-73-gcc-0.patch  | 108 ----
 www-client/chromium/files/chromium-73-gcc-1.patch  |  99 ---
 www-client/chromium/files/chromium-73-gcc-2.patch  |  51 --
 www-client/chromium/files/chromium-73-gcc-3.patch  |  69 --
 www-client/chromium/files/chromium-73-gcc-4.patch  |  59 --
 www-client/chromium/files/chromium-73-gcc-5.patch  |  65 --
 www-client/chromium/files/chromium-73-gcc-6.patch  |  88 ---
 .../files/chromium-73-xdg-current-desktop.patch    | 124 ----
 .../chromium/files/chromium-compiler-r7.patch      | 176 -----
 12 files changed, 2276 deletions(-)
Comment 49 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 16:03:14 UTC
This issue was resolved and addressed in
 GLSA 201908-18 at https://security.gentoo.org/glsa/201908-18
by GLSA coordinator Aaron Bauman (b-man).