update to 143.0.7499.146

add CVE-2025-14174 to 143.0.7499.109 for boo#1254776
add CVE for boo#1254776
2025-12-17 17:38:57 +01:00 · 2025-12-13 10:17:53 +01:00 · 2025-12-11 08:16:18 +01:00 · 2025-12-10 22:00:56 +01:00 · 2025-12-10 21:36:31 +01:00 · 2025-12-10 20:58:40 +01:00
5 changed files with 125 additions and 4 deletions
--- a/chromium-143.0.7499.146-linux.tar.xz
+++ b/chromium-143.0.7499.146-linux.tar.xz
--- a/chromium-143.0.7499.40-linux.tar.xz
+++ b/chromium-143.0.7499.40-linux.tar.xz
--- a/chromium.changes
+++ b/chromium.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Dec 17 17:26:48 CET 2025 - Ruediger Oertel <ro@suse.de>
+
+- Chromium 143.0.7499.146 (boo#1255115):
+  * CVE-2025-14765: Use after free in WebGPU
+  * CVE-2025-14766: Out of bounds read and write in V8 
+
+-------------------------------------------------------------------
+Wed Dec 10 20:52:29 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Chromium 143.0.7499.109 (boo#1254776):
+  * CVE-2025-14372: Use after free in Password Manager
+  * CVE-2025-14373: Inappropriate implementation in Toolbar
+  * CVE-2025-14174: Out of bounds memory access in ANGLE
+- added patch gtk-414-2.patch
+  (also revert upstream cdc2a57272589f9522689500838e889b88b3f9d4
+   for older gtk versions)
+
 -------------------------------------------------------------------
 Tue Dec  2 18:49:57 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/chromium.spec
+++ b/chromium.spec
@@ -118,7 +118,7 @@
 %global official_build 1

 Name:           chromium%{n_suffix}
-Version:        143.0.7499.40
+Version:        143.0.7499.146
 Release:        0
 Summary:        Google's open source browser project
 License:        BSD-3-Clause AND LGPL-2.1-or-later
@@ -243,6 +243,7 @@ Patch1010:      chromium-124-system-libxml.patch
 Patch1030:      chromium-134-revert-rust-adler2.patch
 # gtk4 is too old
 Patch1040:      gtk-414.patch
+Patch1041:      gtk-414-2.patch
 # flac is too old
 Patch1050:      chromium-140-old-flac.patch
 # end conditionally applied patches
@@ -503,6 +504,7 @@ WebDriver is an open source tool for automated testing of webapps across many br
 %endif

 %if %{without gtk4_4_19}
+%patch -p1 -R -P 1041
 %patch -p1 -R -P 1040
 %endif

--- a/gtk-414-2.patch
+++ b/gtk-414-2.patch
@@ -0,0 +1,101 @@
+commit cdc2a57272589f9522689500838e889b88b3f9d4
+Author: Tom Anderson <thomasanderson@chromium.org>
+Date:   Fri Nov 21 10:43:53 2025 -0800
+
+    [GTK] Directly render header button icons
+    
+    The old code used GetTextureFromRenderNode which doesn't work for vector
+    icons. The solution is to call gsk_render_node_draw() to directly render
+    the icon.
+    
+    R=thestig
+    
+    Fixed: 448684006
+    Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8
+    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7180182
+    Reviewed-by: Lei Zhang <thestig@chromium.org>
+    Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
+    Cr-Commit-Position: refs/heads/main@{#1548603}
+
+diff --git a/ui/gtk/gsk.sigs b/ui/gtk/gsk.sigs
+index 9dc03167830f4..59f87dce81b1c 100644
+--- a/ui/gtk/gsk.sigs
+++ b/ui/gtk/gsk.sigs
+@@ -17,4 +17,5 @@ GdkTexture* gsk_texture_node_get_texture(UI_GTK_CONST GskRenderNode* node);
+ float gsk_opacity_node_get_opacity(const GskRenderNode* node);
+ GskRenderNode* gsk_mask_node_get_mask(const GskRenderNode* node);
+ GdkTexture* gsk_texture_scale_node_get_texture(const GskRenderNode* node);
+-GskRenderNode* gsk_subsurface_node_get_child(const GskRenderNode* node);
+\ No newline at end of file
+GskRenderNode* gsk_subsurface_node_get_child(const GskRenderNode* node);
+void gsk_render_node_draw(GskRenderNode* node, cairo_t* cr);
+diff --git a/ui/gtk/gtk_util.cc b/ui/gtk/gtk_util.cc
+index 0a2bd7bfb8927..be1a6d8569a1b 100644
+--- a/ui/gtk/gtk_util.cc
+++ b/ui/gtk/gtk_util.cc
+@@ -290,6 +290,15 @@ CairoSurface::CairoSurface(SkBitmap& bitmap)
+           cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, bitmap.width()))),
+       cairo_(cairo_create(surface_)) {}
+ 
+CairoSurface::CairoSurface(void* pixels, int width, int height)
+    : surface_(cairo_image_surface_create_for_data(
+          static_cast<unsigned char*>(pixels),
+          CAIRO_FORMAT_ARGB32,
+          width,
+          height,
+          cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, width))),
+      cairo_(cairo_create(surface_)) {}
+
+ CairoSurface::CairoSurface(const gfx::Size& size)
+     : surface_(cairo_image_surface_create(CAIRO_FORMAT_ARGB32,
+                                           size.width(),
+diff --git a/ui/gtk/gtk_util.h b/ui/gtk/gtk_util.h
+index 0fbebedc6a61f..f2e9934c0bb66 100644
+--- a/ui/gtk/gtk_util.h
+++ b/ui/gtk/gtk_util.h
+@@ -61,6 +61,10 @@ class CairoSurface {
+   // into it.  |bitmap| must outlive this CairoSurface.
+   explicit CairoSurface(SkBitmap& bitmap);
+ 
+  // Attaches a cairo surface to a pointer to pixel data.  `pixels`
+  // must outlive this CairoSurface.
+  CairoSurface(void* pixels, int width, int height);
+
+   // Creates a new cairo surface with the given size.  The memory for
+   // this surface is deallocated when this CairoSurface is destroyed.
+   explicit CairoSurface(const gfx::Size& size);
+diff --git a/ui/gtk/nav_button_provider_gtk.cc b/ui/gtk/nav_button_provider_gtk.cc
+index 527b9a0743a01..ae46e11dade2b 100644
+--- a/ui/gtk/nav_button_provider_gtk.cc
+++ b/ui/gtk/nav_button_provider_gtk.cc
+@@ -112,18 +112,22 @@ gfx::Size LoadNavButtonIcon(ui::NavButtonProvider::FrameButtonDisplayType type,
+     auto* snapshot = gtk_snapshot_new();
+     gdk_paintable_snapshot(paintable, snapshot, width, height);
+     auto* node = gtk_snapshot_free_to_node(snapshot);
+
+     size_t nbytes = width * height * sizeof(SkColor);
+-    SkColor* pixels = reinterpret_cast<SkColor*>(g_malloc(nbytes));
+    void* pixels = g_malloc(nbytes);
+     UNSAFE_TODO(memset(pixels, 0, nbytes));
+     size_t stride = sizeof(SkColor) * width;
+-    if (GdkTexture* texture = GetTextureFromRenderNode(node)) {
+-      gdk_texture_download(texture, reinterpret_cast<guchar*>(pixels), stride);
+-    }
+
+    CairoSurface surface(pixels, width, height);
+    cairo_t* cr = surface.cairo();
+    gsk_render_node_draw(node, cr);
+
+     SkColor fg = GtkStyleContextGetColor(button_context);
+-    for (int i = 0; i < width * height; ++i) {
+-      UNSAFE_TODO(pixels[i]) =
+-          SkColorSetA(fg, UNSAFE_TODO(SkColorGetA(pixels[i])));
+-    }
+    cairo_set_source_rgba(cr, SkColorGetR(fg) / 255.0, SkColorGetG(fg) / 255.0,
+                          SkColorGetB(fg) / 255.0, SkColorGetA(fg) / 255.0);
+    cairo_set_operator(cr, CAIRO_OPERATOR_IN);
+    cairo_paint(cr);
+
+     icon->texture = TakeGObject(
+         gdk_memory_texture_new(width, height, GDK_MEMORY_B8G8R8A8,
+                                g_bytes_new_take(pixels, nbytes), stride));
Author	SHA256	Message	Date
Ruediger Oertel	96724d1d02	update to 143.0.7499.146	2025-12-17 17:38:57 +01:00
Andreas Stieger	9ce7582648	add CVE-2025-14174 to 143.0.7499.109 for boo#1254776	2025-12-13 10:17:53 +01:00
Andreas Stieger	63710dd6ca	add CVE for boo#1254776	2025-12-11 08:16:18 +01:00
Andreas Stieger	824de58679	gtk-414-2.patch: match chromium-beta change	2025-12-10 22:00:56 +01:00
Andreas Stieger	386212568b	gtk-414-2.patch	2025-12-10 21:36:31 +01:00
Andreas Stieger	d3b280dc23	update to 143.0.7499.109	2025-12-10 20:58:40 +01:00