From d3b280dc23c54a8b80cd512b896baee3fd2cbd221b64e26e7206342cb726a3b6 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Wed, 10 Dec 2025 20:58:40 +0100
Subject: [PATCH 1/4] update to 143.0.7499.109
---
 chromium-143.0.7499.109-linux.tar.xz | 3 +++
 chromium-143.0.7499.40-linux.tar.xz | 3 ---
 chromium.changes | 5 +++++
 chromium.spec | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 chromium-143.0.7499.109-linux.tar.xz
 delete mode 100644 chromium-143.0.7499.40-linux.tar.xz
diff --git a/chromium-143.0.7499.109-linux.tar.xz b/chromium-143.0.7499.109-linux.tar.xz
new file mode 100644
index 0000000..0b40e7e
--- /dev/null
+++ b/chromium-143.0.7499.109-linux.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d3a3f3acbae7c9edc75fcea8c7725f90c6e5b57a21c8e37d3e629f2224184b51
+size 1140751164
diff --git a/chromium-143.0.7499.40-linux.tar.xz b/chromium-143.0.7499.40-linux.tar.xz
deleted file mode 100644
index 9559e9c..0000000
--- a/chromium-143.0.7499.40-linux.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:373082ec4599eb802dcb6b66ba3611ac5edf96cf3b4800300eb04f291f6d2634
-size 1776087920
diff --git a/chromium.changes b/chromium.changes
index 2d923a5..2b7bfb6 100644
--- a/chromium.changes
+++ b/chromium.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 10 19:58:00 UTC 2025 - Andreas Stieger
+
+- Chromium 143.0.7499.109
+
 -------------------------------------------------------------------
 Tue Dec 2 18:49:57 UTC 2025 - Andreas Stieger
 
diff --git a/chromium.spec b/chromium.spec
index aaa8359..13bbcaf 100644
--- a/chromium.spec
+++ b/chromium.spec
@@ -118,7 +118,7 @@
 %global official_build 1
 
 Name: chromium%{n_suffix}
-Version: 143.0.7499.40
+Version: 143.0.7499.109
 Release: 0
 Summary: Google's open source browser project
 License: BSD-3-Clause AND LGPL-2.1-or-later
-- 
2.51.1

From 386212568bb9f2e28503bc85de2e47eb3357e002f1a90c3eb68ee61d2731a545 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Wed, 10 Dec 2025 21:36:31 +0100
Subject: [PATCH 2/4] gtk-414-2.patch
---
 chromium.changes | 3 +-
 chromium.spec | 2 +
 gtk-414-2.patch | 120 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 gtk-414-2.patch
diff --git a/chromium.changes b/chromium.changes
index 2b7bfb6..e954a15 100644
--- a/chromium.changes
+++ b/chromium.changes
@@ -1,7 +1,8 @@
 -------------------------------------------------------------------
-Wed Dec 10 19:58:00 UTC 2025 - Andreas Stieger
+Wed Dec 10 20:26:49 UTC 2025 - Andreas Stieger
 
 - Chromium 143.0.7499.109
+- add gtk-414-2.patch to fix build on openSUSE Leap
 
 -------------------------------------------------------------------
 Tue Dec 2 18:49:57 UTC 2025 - Andreas Stieger
diff --git a/chromium.spec b/chromium.spec
index 13bbcaf..e64a485 100644
--- a/chromium.spec
+++ b/chromium.spec
@@ -243,6 +243,7 @@ Patch1010: chromium-124-system-libxml.patch
 Patch1030: chromium-134-revert-rust-adler2.patch
 # gtk4 is too old
 Patch1040: gtk-414.patch
+Patch1041: gtk-414-2.patch
 # flac is too old
 Patch1050: chromium-140-old-flac.patch
 # end conditionally applied patches
@@ -503,6 +504,7 @@ WebDriver is an open source tool for automated testing of webapps across many br
 %endif
 
 %if %{without gtk4_4_19}
+%patch -p1 -R -P 1041
 %patch -p1 -R -P 1040
 %endif
 
diff --git a/gtk-414-2.patch b/gtk-414-2.patch
new file mode 100644
index 0000000..26e098f
--- /dev/null
+++ b/gtk-414-2.patch
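Review bot: The added `%patch -p1 -R -P 1041` in the `%if %{without gtk4_4_19}` block applies gtk-414-2.patch in reverse, but nothing beside `Patch1041:` records that the file is an upstream commit carried only so it can be reverted; the existing `# gtk4 is too old` comment is all a reader gets. A comment above `Patch1041:` such as `# upstream cdc2a57272589f9522689500838e889b88b3f9d4 (gsk_render_node_draw), reverted with -R when gtk4 is too old` would make that explicit. If the revert order is deliberate (1041 before 1040), a short `# revert newest first` at the `%patch` lines would stop a later edit from reordering them. Builds that take this branch keep the older GetTextureFromRenderNode path, which the upstream commit message in the patch describes as not working for vector icons, so the changelog entry could say so.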
@@ -0,0 +1,120 @@ +From d83a1f30992c4889bd85b4480438d783b3ad21ff Mon Sep 17 00:00:00 2001 +From: Tom Anderson +Date: Mon, 24 Nov 2025 16:02:48 -0800 +Subject: [PATCH] [M143] [GTK] Directly render header button icons + +Original change's description: +> [GTK] Directly render header button icons +> +> The old code used GetTextureFromRenderNode which doesn't work for vector +> icons. The solution is to call gsk_render_node_draw() to directly render +> the icon. +> +> R=thestig +> +> Fixed: 448684006 +> Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8 +> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7180182 +> Reviewed-by: Lei Zhang +> Commit-Queue: Thomas Anderson +> Cr-Commit-Position: refs/heads/main@{#1548603} + +(cherry picked from commit cdc2a57272589f9522689500838e889b88b3f9d4) + +Bug: 462754490,448684006 +Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7201583 +Auto-Submit: Chrome Cherry Picker +Commit-Queue: Rubber Stamper +Bot-Commit: Rubber Stamper +Cr-Commit-Position: refs/branch-heads/7499@{#2635} +Cr-Branched-From: b30439823e5177773584139e72e0593e36863899-refs/heads/main@{#1536371} +--- + ui/gtk/gsk.sigs | 3 ++- + ui/gtk/gtk_util.cc | 9 +++++++++ + ui/gtk/gtk_util.h | 4 ++++ + ui/gtk/nav_button_provider_gtk.cc | 20 ++++++++++++-------- + 4 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/ui/gtk/gsk.sigs b/ui/gtk/gsk.sigs +index 9dc03167830f48..59f87dce81b1c9 100644 +--- a/ui/gtk/gsk.sigs ++++ b/ui/gtk/gsk.sigs +@@ -17,4 +17,5 @@ GdkTexture* gsk_texture_node_get_texture(UI_GTK_CONST GskRenderNode* node); + float gsk_opacity_node_get_opacity(const GskRenderNode* node); + GskRenderNode* gsk_mask_node_get_mask(const GskRenderNode* node); + GdkTexture* gsk_texture_scale_node_get_texture(const GskRenderNode* node); +-GskRenderNode* gsk_subsurface_node_get_child(const GskRenderNode* node); +\ No newline at end of file ++GskRenderNode* 
gsk_subsurface_node_get_child(const GskRenderNode* node); ++void gsk_render_node_draw(GskRenderNode* node, cairo_t* cr); +diff --git a/ui/gtk/gtk_util.cc b/ui/gtk/gtk_util.cc +index 0a2bd7bfb8927e..be1a6d8569a1bf 100644 +--- a/ui/gtk/gtk_util.cc ++++ b/ui/gtk/gtk_util.cc +@@ -290,6 +290,15 @@ CairoSurface::CairoSurface(SkBitmap& bitmap) + cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, bitmap.width()))), + cairo_(cairo_create(surface_)) {} + ++CairoSurface::CairoSurface(void* pixels, int width, int height) ++ : surface_(cairo_image_surface_create_for_data( ++ static_cast(pixels), ++ CAIRO_FORMAT_ARGB32, ++ width, ++ height, ++ cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, width))), ++ cairo_(cairo_create(surface_)) {} ++ + CairoSurface::CairoSurface(const gfx::Size& size) + : surface_(cairo_image_surface_create(CAIRO_FORMAT_ARGB32, + size.width(), +diff --git a/ui/gtk/gtk_util.h b/ui/gtk/gtk_util.h +index 0fbebedc6a61f9..f2e9934c0bb667 100644 +--- a/ui/gtk/gtk_util.h ++++ b/ui/gtk/gtk_util.h +@@ -61,6 +61,10 @@ class CairoSurface { + // into it. |bitmap| must outlive this CairoSurface. + explicit CairoSurface(SkBitmap& bitmap); + ++ // Attaches a cairo surface to a pointer to pixel data. `pixels` ++ // must outlive this CairoSurface. ++ CairoSurface(void* pixels, int width, int height); ++ + // Creates a new cairo surface with the given size. The memory for + // this surface is deallocated when this CairoSurface is destroyed. 
+ explicit CairoSurface(const gfx::Size& size); +diff --git a/ui/gtk/nav_button_provider_gtk.cc b/ui/gtk/nav_button_provider_gtk.cc +index 527b9a0743a011..ae46e11dade2ba 100644 +--- a/ui/gtk/nav_button_provider_gtk.cc ++++ b/ui/gtk/nav_button_provider_gtk.cc +@@ -112,18 +112,22 @@ gfx::Size LoadNavButtonIcon(ui::NavButtonProvider::FrameButtonDisplayType type, + auto* snapshot = gtk_snapshot_new(); + gdk_paintable_snapshot(paintable, snapshot, width, height); + auto* node = gtk_snapshot_free_to_node(snapshot); ++ + size_t nbytes = width * height * sizeof(SkColor); +- SkColor* pixels = reinterpret_cast(g_malloc(nbytes)); ++ void* pixels = g_malloc(nbytes); + UNSAFE_TODO(memset(pixels, 0, nbytes)); + size_t stride = sizeof(SkColor) * width; +- if (GdkTexture* texture = GetTextureFromRenderNode(node)) { +- gdk_texture_download(texture, reinterpret_cast(pixels), stride); +- } ++ ++ CairoSurface surface(pixels, width, height); ++ cairo_t* cr = surface.cairo(); ++ gsk_render_node_draw(node, cr); ++ + SkColor fg = GtkStyleContextGetColor(button_context); +- for (int i = 0; i < width * height; ++i) { +- UNSAFE_TODO(pixels[i]) = +- SkColorSetA(fg, UNSAFE_TODO(SkColorGetA(pixels[i]))); +- } ++ cairo_set_source_rgba(cr, SkColorGetR(fg) / 255.0, SkColorGetG(fg) / 255.0, ++ SkColorGetB(fg) / 255.0, SkColorGetA(fg) / 255.0); ++ cairo_set_operator(cr, CAIRO_OPERATOR_IN); ++ cairo_paint(cr); ++ + icon->texture = TakeGObject( + gdk_memory_texture_new(width, height, GDK_MEMORY_B8G8R8A8, + g_bytes_new_take(pixels, nbytes), stride)); -- 2.51.1 From 824de5867999a1c150450216de53ead592e2d5489efda754498284fa4ed77a1f Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Wed, 10 Dec 2025 22:00:56 +0100 Subject: [PATCH 3/4] gtk-414-2.patch: match chromium-beta change --- chromium.changes | 6 +++-- gtk-414-2.patch | 61 +++++++++++++++++------------------------------- 2 files changed, 25 insertions(+), 42 deletions(-) diff --git a/chromium.changes b/chromium.changes index e954a15..5c16766 100644 
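Review bot: The comment added in ui/gtk/gtk_util.h for `CairoSurface(void* pixels, int width, int height)` states the lifetime requirement but not the size requirement, although the constructor in gtk_util.cc gives cairo a stride from `cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, width)` and cairo then writes `height` rows of that stride into a buffer whose size only the caller knows. The comment should also say that `pixels` must point to at least `height * cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, width)` writable bytes. In LoadNavButtonIcon the buffer is sized independently as `width * height * sizeof(SkColor)`, which stays in bounds only while both computations agree on the row size; if `width` and `height` are `int` there (their declarations are outside the hunk), the first multiplication is done in `int` before widening to `size_t`. Deriving `stride` and `nbytes` from the same `cairo_format_stride_for_width` call would remove the duplicated assumption. This is upstream code carried verbatim and applied with `-R` by the spec change in this series, so the point belongs in an upstream report; LoadNavButtonIcon's body starts and ends outside the hunk.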
--- a/chromium.changes
+++ b/chromium.changes
@@ -1,8 +1,10 @@
 -------------------------------------------------------------------
-Wed Dec 10 20:26:49 UTC 2025 - Andreas Stieger
+Wed Dec 10 20:52:29 UTC 2025 - Andreas Stieger
 
 - Chromium 143.0.7499.109
-- add gtk-414-2.patch to fix build on openSUSE Leap
+- added patch gtk-414-2.patch
+ (also revert upstream cdc2a57272589f9522689500838e889b88b3f9d4
+ for older gtk versions)
 
 -------------------------------------------------------------------
 Tue Dec 2 18:49:57 UTC 2025 - Andreas Stieger
diff --git a/gtk-414-2.patch b/gtk-414-2.patch
index 26e098f..d1d73d7 100644
--- a/gtk-414-2.patch
+++ b/gtk-414-2.patch
@@ -1,43 +1,24 @@ -From d83a1f30992c4889bd85b4480438d783b3ad21ff Mon Sep 17 00:00:00 2001 -From: Tom Anderson -Date: Mon, 24 Nov 2025 16:02:48 -0800 -Subject: [PATCH] [M143] [GTK] Directly render header button icons +commit cdc2a57272589f9522689500838e889b88b3f9d4 +Author: Tom Anderson +Date: Fri Nov 21 10:43:53 2025 -0800 -Original change's description: -> [GTK] Directly render header button icons -> -> The old code used GetTextureFromRenderNode which doesn't work for vector -> icons. The solution is to call gsk_render_node_draw() to directly render -> the icon. -> -> R=thestig -> -> Fixed: 448684006 -> Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8 -> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7180182 -> Reviewed-by: Lei Zhang -> Commit-Queue: Thomas Anderson -> Cr-Commit-Position: refs/heads/main@{#1548603} - -(cherry picked from commit cdc2a57272589f9522689500838e889b88b3f9d4) - -Bug: 462754490,448684006 -Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7201583 -Auto-Submit: Chrome Cherry Picker -Commit-Queue: Rubber Stamper -Bot-Commit: Rubber Stamper -Cr-Commit-Position: refs/branch-heads/7499@{#2635} -Cr-Branched-From: b30439823e5177773584139e72e0593e36863899-refs/heads/main@{#1536371} ---- - ui/gtk/gsk.sigs | 3 ++- - ui/gtk/gtk_util.cc | 9 +++++++++ - ui/gtk/gtk_util.h | 4 ++++ - ui/gtk/nav_button_provider_gtk.cc | 20 ++++++++++++-------- - 4 files changed, 27 insertions(+), 9 deletions(-) + [GTK] Directly render header button icons + + The old code used GetTextureFromRenderNode which doesn't work for vector + icons. The solution is to call gsk_render_node_draw() to directly render + the icon. 
+ + R=thestig + + Fixed: 448684006 + Change-Id: I3946297974bfdecde9c7b76d86bb9b82c32b9fe8 + Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7180182 + Reviewed-by: Lei Zhang + Commit-Queue: Thomas Anderson + Cr-Commit-Position: refs/heads/main@{#1548603} diff --git a/ui/gtk/gsk.sigs b/ui/gtk/gsk.sigs -index 9dc03167830f48..59f87dce81b1c9 100644 +index 9dc03167830f4..59f87dce81b1c 100644 --- a/ui/gtk/gsk.sigs +++ b/ui/gtk/gsk.sigs @@ -17,4 +17,5 @@ GdkTexture* gsk_texture_node_get_texture(UI_GTK_CONST GskRenderNode* node); @@ -49,7 +30,7 @@ index 9dc03167830f48..59f87dce81b1c9 100644 +GskRenderNode* gsk_subsurface_node_get_child(const GskRenderNode* node); +void gsk_render_node_draw(GskRenderNode* node, cairo_t* cr); diff --git a/ui/gtk/gtk_util.cc b/ui/gtk/gtk_util.cc -index 0a2bd7bfb8927e..be1a6d8569a1bf 100644 +index 0a2bd7bfb8927..be1a6d8569a1b 100644 --- a/ui/gtk/gtk_util.cc +++ b/ui/gtk/gtk_util.cc @@ -290,6 +290,15 @@ CairoSurface::CairoSurface(SkBitmap& bitmap) @@ -69,7 +50,7 @@ index 0a2bd7bfb8927e..be1a6d8569a1bf 100644 : surface_(cairo_image_surface_create(CAIRO_FORMAT_ARGB32, size.width(), diff --git a/ui/gtk/gtk_util.h b/ui/gtk/gtk_util.h -index 0fbebedc6a61f9..f2e9934c0bb667 100644 +index 0fbebedc6a61f..f2e9934c0bb66 100644 --- a/ui/gtk/gtk_util.h +++ b/ui/gtk/gtk_util.h @@ -61,6 +61,10 @@ class CairoSurface { @@ -84,7 +65,7 @@ index 0fbebedc6a61f9..f2e9934c0bb667 100644 // this surface is deallocated when this CairoSurface is destroyed. explicit CairoSurface(const gfx::Size& size); diff --git a/ui/gtk/nav_button_provider_gtk.cc b/ui/gtk/nav_button_provider_gtk.cc -index 527b9a0743a011..ae46e11dade2ba 100644 +index 527b9a0743a01..ae46e11dade2b 100644 --- a/ui/gtk/nav_button_provider_gtk.cc +++ b/ui/gtk/nav_button_provider_gtk.cc 
 @@ -112,18 +112,22 @@ gfx::Size LoadNavButtonIcon(ui::NavButtonProvider::FrameButtonDisplayType type,
-- 
2.51.1

From 63710dd6ca354b46d4f5d193843150a004b3057c23032cae33f9d40d8bb20362 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Thu, 11 Dec 2025 08:16:18 +0100
Subject: [PATCH 4/4] add CVE for boo#1254776
---
 chromium.changes | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/chromium.changes b/chromium.changes
index 5c16766..b570334 100644
--- a/chromium.changes
+++ b/chromium.changes
@@ -1,7 +1,10 @@
 -------------------------------------------------------------------
 Wed Dec 10 20:52:29 UTC 2025 - Andreas Stieger
 
-- Chromium 143.0.7499.109
+- Chromium 143.0.7499.109 (boo#1254776):
+ * CVE-2025-14372: Use after free in Password Manager
+ * CVE-2025-14373: Inappropriate implementation in Toolbar
+ * third issue with an exploit is known to exist in the wild
 - added patch gtk-414-2.patch
 (also revert upstream cdc2a57272589f9522689500838e889b88b3f9d4
 for older gtk versions)
-- 
2.51.1