My thoughts on Slackware, life and everything


Security week

This week and the last, I have pushed quite a few packages into my repository that are meant to enhance the safety of your Slackware computer. If you have not been hiding under a stone for the past couple of weeks, you will have read about the Spectre/Meltdown vulnerabilities that plague many CPUs. Mostly Intel CPUs, but the less harmful variants are also affecting AMD and ARM CPUs. The broader Linux community is working hard to mitigate the effects of these vulnerabilities, and new kernels have landed in Slackware that have been recompiled with patched compilers so that the vulnerabilities will be harder (or impossible) to exploit.

These patched GCC compilers in Slackware 14.2 and -current needed a multilib variant of course, so you will find those in my multilib repository. For Slackware 14.2 that’s a set of all-new gcc-5.5.0 packages, i.e. the latest gcc 5 release available. In Slackware-current it’s of course the latest gcc 7: version 7.3.0. These compilers support “-mindirect-branch=thunk-extern”, allowing full mitigation of Spectre v2 in the kernel (when CONFIG_RETPOLINE is used).
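
A way to check the result of that compiler change on a running system, as an added example that is not from the original post: it classifies the status line the kernel exposes in /sys/devices/system/cpu/vulnerabilities/spectre_v2. The status strings follow the wording of 4.15-era kernels (an assumption about the kernel in use; later kernels word the line differently), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: interpret the kernel's Spectre v2 status line.
# "Minimal ... ASM retpoline" is what a CONFIG_RETPOLINE kernel reports
# when it was built with a compiler lacking the retpoline flags.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Map one status line to a short verdict on stdout.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)                   echo not-affected ;;
        "Mitigation: Full "*retpoline*)    echo full-retpoline ;;
        "Vulnerable: Minimal "*retpoline*) echo minimal-retpoline ;;
        Mitigation:*)                      echo other-mitigation ;;
        Vulnerable*)                       echo vulnerable ;;
        *)                                 echo unknown ;;
    esac
}

# Read a status file (default: the live sysfs entry) and print the verdict.
# Return 0 = mitigated or not affected, 1 = not fully mitigated,
# 2 = no status file (kernel too old to report).
check_spectre_v2() {
    file=${1:-$SPECTRE_V2_SYSFS}
    [ -r "$file" ] || { echo no-report; return 2; }
    line=$(head -n 1 "$file")
    verdict=$(classify_spectre_v2 "$line")
    echo "$verdict"
    case "$verdict" in
        full-retpoline|other-mitigation|not-affected) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real machine).
for sample in \
    "Vulnerable: Minimal generic ASM retpoline" \
    "Mitigation: Full generic retpoline"
do
    printf '%-44s -> %s\n' "$sample" "$(classify_spectre_v2 "$sample")"
done
```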

Then there were the monthly Flash security vulnerabilities, patched by Adobe in version 28.0.0.161 of the flashplayer-plugin (NPAPI plugin for Mozilla based browsers) and the chromium-pepperflash-plugin (PPAPI plugin for Chromium based browsers). This one was particularly nasty because a 0-day exploit was used actively to gain full control of vulnerable computers (including Linux computers).

The update of Chromium to version 64.0.3282.140 fixed one security related bug, but the previous stable release (the first 64 version I packaged two weeks ago) actually plugged a series of serious vulnerabilities with CVEs assigned to them. So, time to upgrade!
And this latest Chromium package of mine has one additional feature: I enabled HEVC/H.265 video playback in the embedded ffmpeg engine. Try it out here: http://www.h265files.com/embed-h265-video.php and notice that most other browsers (except Microsoft Edge and Apple Safari) do not support this video codec. Unfortunately, the online HTML5 tester does not detect this HEVC playback capability.

Another browser’s security update: Pale Moon plugs two vulnerabilities with their 27.7.2 release. Updated package available in my repository of course.

 

And to end this series, I will soon upload a patched plasma-workspace-5.11.3 package for Slackware64 14.2, for those of you who are running my ‘ktown’ Plasma5 desktop.
A vulnerability was discovered, allowing arbitrary command execution in the removable device notifier.
This bug is already fixed in Plasma 5.12, so those who run the Plasma5 Desktop on Slackware-current only need to wait until tomorrow to get an all-new monthly set of packages among which Plasma 5.12. Watch this blog for the news!

Chromium 64 – and 32bit pain

The new release of the Chromium sources gives us version 64 of Google’s browser. I have created Slackware packages for you, but that was not entirely trivial.
The Chromium compilation on my 32bit Slackware OS kept failing on the embedded ffmpeg. I am afraid the fact that some of the bigger distros are dropping 32bit variants starts showing and things are coming apart at the seams.
When you are a developer and there’s no 32bit release of your favorite OS, this makes it quite difficult to test the validity of code paths when you only compile and test your code on a 64bit platform. This is what’s happening with Google’s Chromium code and it will probably only get worse.

For now, I could get away by disabling assembly code in the 32bit avcodec library, but in order to get that going I had to study the Chromium code carefully – Google does not use the standard autotools or cmake configurations that the Average Joe would employ when compiling ffmpeg, instead they re-invent the wheel every so often to keep everyone on edge. First it was Gyp, but that did not work out too well and the current fad is called GN (as Google state themselves “GN is a meta-build system that generates Ninja build files so that you can build Chromium with Ninja”).

Some time soon, I need to dissect Chromium’s embedded ffmpeg code, to see if I can get assembly code compiling again on 32bit. Else it may be more prudent to start depending on an external (system-wide) ffmpeg installation, which I can compile without any pain on 32bit Slackware.

We’re fine for now, at least. Let’s hope it does not get worse.

Get your chromium 64 packages for Slackware 14.2 and -current:

Cheers, Eric

Chromium is now compiled using clang

In my previous blog post about Chromium 62, I described the issues I had while attempting to compile it on Slackware 14.2. The gcc compiler suite on Slackware 14.2 is “too old” for Chromium because it lacks the required C++11 support. More to the point, the Google developers use clang instead of gcc for their own compilations and therefore gcc support is becoming stale. The response from Google developers when they encounter a gcc-related bug report is to ‘please switch to clang’.

Unfortunately, as previously noted, the chromium build framework will download Google’s own clang binaries in that case. I do not trust these binaries on my Slackware computer. I stated that I would not switch to clang until it became possible to either use Slackware’s own clang or else compile Google’s clang from source on my own computer.

I exchanged a couple of emails with Google developers and got enough hints to convince me that compiling Google’s clang was possible.

And indeed, after a week of trial and error (especially the 32bit build gave me headaches) I managed to add all the needed bits and pieces to my chromium.SlackBuild.

The updated packages for Chromium (version 62.0.3202.75) for which the sources were released last week, are compiled with clang instead of gcc, and that clang has been compiled from source first. Of course, this adds time to the package build… every time I compile the chromium package, the SlackBuild script has to download and compile clang as well. But, the process is fully automated and a separate “gcc5” package is not needed on Slackware 14.2. Also, we are future-proof now. And an added bonus is that the package size has decreased substantially, from 65 to 56 MB (a 14% decrement).

Note about the new Chromium release: it addresses CVE-2017-15396 (Stack overflow in V8) so it will be good to upgrade.

If you want to compile chromium using gcc nevertheless (to decrease the total build time for instance) then all you need to do is: set the variable “USE_CLANG” to “0”.
On Slackware 14.2 you still need my gcc5 package and apply the instructions from my previous post.

The packages for chromium are available for Slackware 14.2 and -current in my repository or one of its mirrors:

Have fun! Eric

Chromium 62 ready for download

Earlier this week, Google released a security update for its chrome/chromium browser. The new version 62.0.3202.62 plugs the holes of 35 more or less serious issues, several of which have a CVE rating.
When the topic of Chromium 62 came up in the comments section of a previous post, I mentioned that I was unable to compile it on Slackware 14.2. Errors like “error: static assertion failed: Bound argument |i| of type |Arg| cannot be converted and bound as |Storage|” yield some results when looked up on the Internet, and they indicate that Slackware’s own gcc-5.3.0 package is too old to compile chromium 62.
The c++11 implementation in gcc-5.3.0 has issues which are fixed in gcc-5.4.0. Unfortunately we are stuck with what we have on Slackware 14.2; it will only get security fixes, no functional upgrades, so no gcc-5.4.0.

I posted on the chromium-packagers discussion group to see if there’s anything to be done about this and that led to an e-mail discussion with a Google developer who is also a Slackware user. He told me that Google compiles its own Chrome with clang, and more specifically, using a modified bleeding-edge version of clang that does what Google wants it to do. Compiling with gcc is not tested all that much, which apparently is leading to a multitude of reports about gcc related compilation issues. It’s not just me.

There is a reason that I want to compile with gcc, even though the chromium.SlackBuild already has some (hopefully complete) support for using clang instead. Google does not want to use the system-clang of the distro and instead, forces a download of its own clang binaries. I am not ready to trust a binary black-box to compile my chromium package… after all I created the chromium package for Slackware so that we do not have to depend on Google’s Chrome binaries.
This entry on Google’s reviewboard is encouraging though; there is an initiative to take distro packagers’ wishes more seriously. The idea is to work toward using the system toolchain to compile Google’s clang variant from source and then use that to compile chromium. I’ll wait for that to happen before I switch to clang. I have nothing against clang as compared to gcc – it’s only my unease at having to trust someone else’s binaries.
I hear you say “but what about NaCl?”… indeed in order to compile NaCl my chromium.SlackBuild is already downloading a binary toolchain from Google. But that downloaded PNaCl toolchain is not used to compile the complete browser, it’s used only for the NaCl sandbox. And even that is coming to an end. Google has deprecated (P)NaCl in favor of WebAssembly. As of April 2018, it will only support PNaCl in Chrome Apps and Extensions. Meanwhile, WebAssembly (a portable cross-platform and cross-browser solution for presenting web apps at near-native speed) is already fully functional in Chrome/Chromium, as can be seen by visiting http://webassembly.org/demo/

Back to the present day. I still needed to compile chromium 62 for Slackware 14.2 with its too-old compiler suite. Therefore I grabbed my gcc5.SlackBuild which I had originally meant to be installed alongside gcc7 on slackware-current. I polished it a wee bit, and then built packages for Slackware 14.2. My ‘gcc5’ works by sourcing its “/etc/profile.d/gcc5.sh” script which sets several environment variables and points those to the gcc5 binaries (CC, CPP, GXX, AR, NM, RANLIB). Unfortunately, the chromium framework ignores these environment variables and uses the “which” command to look for gcc and g++. Therefore I had to be a bit more creative (i.e. break some stuff).

So, what is the drill on Slackware 14.2 if you want to compile Chromium 62?

  • Install gcc5, ninja and nodejs for which I have packages in my repository. Note that installing this ‘gcc5’ does not replace your Slackware gcc-5.3.0, it gets installed alongside and does not clash.
  • Download the chromium sources and scripts from my repository.
  • Make the ‘gcc’ and ‘g++’ symlinks in Slackware point to the ‘gcc5’ binaries:
    # cd /usr/bin
    # mv gcc gcc.orig
    # ln -s gcc-5 gcc
    # mv g++ g++.orig
    # ln -s g++-5 g++
  • Source the profile script (just to be sure). Note the ‘dot’ at the beginning, that dot is the ‘source’ command:
    # . /etc/profile.d/gcc5.sh
  • Compile chromium. Note that this requires lots of RAM and lots of diskspace, and if your CPU does not have many cores, you’ll need a lot of time too.
  • Restore Slackware’s gcc and g++ symlinks:
    # cd /usr/bin
    # mv gcc.orig gcc
    # mv g++.orig g++
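
The swap-and-restore steps above leave /usr/bin/gcc pointing at gcc5 if the build aborts before the last step. The wrapper below is an added example, not part of the original post or of chromium.SlackBuild: it performs the same renames and restores the originals on exit, on failure and on interrupt. The function name with_gcc5 and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run a build command while
# BINDIR/gcc and BINDIR/g++ point at gcc-5 and g++-5, then put the
# original entries back, also when the build fails or is interrupted.
# Usage: with_gcc5 BINDIR COMMAND [ARGS...]
with_gcc5() (
    bindir=$1; shift
    for t in gcc g++; do
        # The gcc5 package must be installed, and no earlier run may
        # have left a backup behind (it would be overwritten).
        [ -e "$bindir/$t-5" ] || { echo "missing $bindir/$t-5" >&2; exit 1; }
        if [ -e "$bindir/$t.orig" ] || [ -L "$bindir/$t.orig" ]; then
            echo "stale $bindir/$t.orig: restore it first" >&2; exit 1
        fi
    done
    restore() {
        for t in gcc g++; do
            if [ -e "$bindir/$t.orig" ] || [ -L "$bindir/$t.orig" ]; then
                rm -f "$bindir/$t"
                mv "$bindir/$t.orig" "$bindir/$t"
            fi
        done
    }
    trap restore EXIT            # runs on normal exit and on failure
    trap 'exit 130' INT TERM     # turn signals into an exit so EXIT fires
    for t in gcc g++; do
        mv "$bindir/$t" "$bindir/$t.orig" || exit 1
        ln -s "$t-5" "$bindir/$t" || exit 1
    done
    "$@"                         # the build; its exit status is returned
)

# Example call, as root: sh this-script /usr/bin ./chromium.SlackBuild
if [ "$#" -ge 2 ]; then
    with_gcc5 "$@"
fi
```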

Fortunately gcc5, ninja and nodejs are only needed for the compilation, not for actually running the browser. So if you do not fancy a re-compilation, you do not have to install any of those other packages.

The packages for chromium are available for Slackware 14.2 and -current in my repository or one of its mirrors:

Have fun! Eric

Chromium 60 packages available

Google released chrome/chromium 60.0.3112.78 on 25 July. My mother-in-law passed away which shifted my priorities this week, but I found some time to compile new packages. In my VM, the 64bit package creation took more than 24 hours… perhaps now is a good time to look at that Ryzen CPU and empty my savings account. This is getting ridiculous.

Note that this is a security release, fixing 40 security issues. Of those, the following are classified as “high risk” (many of them do not yet have their details published at cve.mitre.org or nvd.nist.gov): CVE-2017-5091, CVE-2017-5092, CVE-2017-5093, CVE-2017-5094, CVE-2017-5095, CVE-2017-5096, CVE-2017-5097, CVE-2017-5098, CVE-2017-5099. So I guess you better do the upgrade.

Compiling Chromium requires ninja and nodejs for which I have packages in my repository if you need them. Fortunately ninja and nodejs are only needed for the compilation, not for actually running the browser.

The packages for chromium, and the Widevine CDM plugin (package is called ‘chromium-widevine-plugin‘), are available for Slackware 14.2 and -current in my repository or one of its mirrors:

Have fun! Eric
