
CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Wed Oct 21, 2020 3:40 pm
by DvL
Hi,

There is a hurry behind updating the available CEF build to Chromium 86.0.4240.111, due to this incident: https://www.zdnet.com/article/google-releases-chrome-security-update-to-patch-actively-exploited-zero-day/
Hackers in question are targeting app (as in: software application) users as well.

So please, if it's possible to update faster than the usual 6-10 days you take on average to update to a new version of Chromium, do so, @magreenblatt
Thanks for considering :)

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Thu Oct 22, 2020 6:35 pm
by magreenblatt
Updated builds should be available tomorrow (Friday).

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Thu Oct 22, 2020 9:38 pm
by DvL
magreenblatt wrote: Updated builds should be available tomorrow (Friday).

Alright, thank you very much!

I would personally advise all developers using CEF to upgrade after tomorrow. Even if your users can only browse to limited content/domains (due to the nature of your app), remotely served fonts could be fitted with the exploit.
Imagine a popular fonts CDN gets compromised, all internet users on this version of Chromium would be at huge risk during routine tasks.

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Fri Oct 23, 2020 1:42 am
by ndesktop
For whoever builds CEF themselves and needs emergency patching, the patch is here.
What needs to be patched is src/third_party/freetype/src/src/sfnt/pngshim.c.

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Fri Oct 23, 2020 11:18 am
by magreenblatt
A 4183 branch build with the fix will also be available later today.

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Fri Oct 23, 2020 5:47 pm
by DvL
Multiple platforms have built (CEF 86.0.18+gd3ead8b+chromium-86.0.4240.111), but not Windows.
If possible, make the updated Windows build available as fast as the other platforms.

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Fri Oct 23, 2020 6:43 pm
by amaitland
The Windows builds are available (they've been available for at least 13 hours).

The http://opensource.spotify.com/cefbuilds/index.html page is cached and can take some time to update.

View http://opensource.spotify.com/cefbuilds/index.json for a list of all builds
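A small version check for the build tags in the form quoted above (86.0.18+gd3ead8b+chromium-86.0.4240.111), added here as an example and not code from the CEF project or from anyone in this thread: it parses the tag, compares the Chromium part against 86.0.4240.111, and flags branch 4183 builds below that version as "verify-manually", because the thread says a fixed 4183 build exists but does not give its version. Every sample tag except the one quoted in the thread is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# First Chromium release carrying the fix, as stated in the thread.
FIXED_CHROMIUM = (86, 0, 4240, 111)
# Branch the thread says received a backported fix. The fixed build's version
# is not given, so 4183 builds below FIXED_CHROMIUM are flagged for review.
BACKPORTED_BRANCHES = {4183}

# CEF build tag layout, e.g. "86.0.18+gd3ead8b+chromium-86.0.4240.111"
_TAG_RE = re.compile(r"^(?P<cef>\d+\.\d+\.\d+)\+g(?P<commit>[0-9a-f]+)"
                     r"\+chromium-(?P<chromium>\d+\.\d+\.\d+\.\d+)$")

class CefBuild(NamedTuple):
    cef: Tuple[int, ...]       # e.g. (86, 0, 18)
    commit: str                # abbreviated CEF git commit
    chromium: Tuple[int, ...]  # e.g. (86, 0, 4240, 111)

    @property
    def branch(self) -> int:
        return self.chromium[2]  # Chromium's third field is the branch number

def parse_cef_tag(tag: str) -> CefBuild:
    """Split a CEF build tag into CEF version, commit and Chromium version."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised CEF build tag: {tag!r}")
    ints = lambda s: tuple(int(p) for p in s.split("."))
    return CefBuild(ints(m["cef"]), m["commit"], ints(m["chromium"]))

def assess(tag: str) -> str:
    """Classify a build as 'fixed', 'vulnerable' or 'verify-manually'."""
    build = parse_cef_tag(tag)
    if build.chromium >= FIXED_CHROMIUM:
        return "fixed"
    if build.branch in BACKPORTED_BRANCHES:
        return "verify-manually"  # a fixed 4183 build exists; confirm it is this one
    return "vulnerable"  # needs the new build or a self-built patch (as for 4147)

def newest_fixed(tags: List[str]) -> Optional[str]:
    """Pick the highest-versioned tag known to carry the fix, if any."""
    fixed = [(parse_cef_tag(t), t) for t in tags if assess(t) == "fixed"]
    return max(fixed, key=lambda p: (p[0].chromium, p[0].cef))[1] if fixed else None

# Constructed sample list; only the first tag is quoted in the thread.
SAMPLE_TAGS = ["86.0.18+gd3ead8b+chromium-86.0.4240.111",
               "86.0.17+g1234567+chromium-86.0.4240.75",
               "85.3.12+gabcdef0+chromium-85.0.4183.121",
               "84.4.1+g1234567+chromium-84.0.4147.105"]
```

Feed it the tag strings from the builds listing and pin the result of newest_fixed() rather than trusting the cached index page.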

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Tue Nov 03, 2020 12:00 am
by ChrmiumMonkey
Can the emergency patch be applied to 4147 branch?

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Tue Nov 03, 2020 12:04 pm
by magreenblatt
ChrmiumMonkey wrote: Can the emergency patch be applied to 4147 branch?

Probably, but you will need to build it yourself.

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Posted: Wed Nov 04, 2020 10:32 am
by ndesktop
ChrmiumMonkey wrote: Can the emergency patch be applied to 4147 branch?

Yes, I did that. As stated, you need to build CEF yourself.