x86-64 Branch: Update Chromium Embedded Framework to mitigate vulnerabilities

[igniscitrinus]

Details

The x86-64 branch of the game uses version 80.0.4 of the Chromium Embedded Framework, which is vulnerable to the following CVEs, among others: https://nvd.nist.gov/vuln/detail/CVE-2020-15999 https://nvd.nist.gov/vuln/detail/CVE-2020-16000 CEF versions starting from v85.3.13 aren't vulnerable to the exploits.

[WinterPhoenix]

There are other issues that have been fixed since CEF 80 as well.

asset:// doesn't work properly for media files:

• https://bitbucket.org/chromiumembedded/cef/issues/2873/streamreaderurlloader-doesnt-correctly

There's a sort of "tearing" effect on certain video playback:

• Can't find a listed issue for it, but I experience it with HLS playback using H.264

Netflix no longer works:

• My Cinema server supports the service, but due to JavaScript errors caused by an out of date CEF version, videos haven't been playable for a few months now

CEF 87 is the most recent Stable version available, so I'd recommend updating to that at the current time. CEF 88 will be Stable on January 19th, 2021, if we find ourselves delayed for that long.

[onestep749]

Anything users can do about this in the mean time?

Gmod has been vulnerable to these for quite some time, is it going to take a mass-hacking of your players to see an update?

[onestep749]

Please just give users a way to totally disable all webkit/chromium stuff in the game/engine, right now I have to use a module to load early and detour all things pertaining to opening urls, loading html and js and that is pretty ridiculous.

Gmod server admins are malicious enough that it's not uncommon for them to attempt to ddos, or dox you so one of them abusing this is not that far fetched..

[brightersun99]

I am going to release a POC to abuse to some skiddie circle jerks if I don't see an update soon.

[brightersun99]

I'll check back in 2 weeks

[MFSiNC]

vinh'll fix it

[onestep749]

karmakarmakarmakarmakarmakarmakarma just what do you think this issue is about you dipshit?

On 1/10/21, karmakarmakarmakarmakarmakarmakarma notifications@github.com wrote:

I am going to release a POC to abuse to some skiddie circle jerks if I don't see an update soon.

i feel like i doubt your ability to find chrome RCEs

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/Facepunch/garrysmod-issues/issues/4765#issuecomment-757473842

[ghost]

Absolutely ridiculous that this issue has remained unfixed even after a month.

[WinterPhoenix]

As of 5 hours ago, the x86-64 branch now has CEF 86.0.4240.198 on Windows.

Rubat is still working on getting it updated on macOS and Linux.

It's not CEF 87 because apparently there were some issues getting that to work in GMod, but also 88 is right around the corner, so I don't see that as a big deal.

[Aws0mee]

facepunch moment

[onestep749]

we'll probably never see a macos update, ever macos branch has the same bugs it did when it was first released

On 1/14/21, Aws0me notifications@github.com wrote:

facepunch moment

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/Facepunch/garrysmod-issues/issues/4765#issuecomment-760551032

[onestep749]

its like a time machine, playing gmod on mac

On 1/15/21, cyrus torros sugondesenuts007@gmail.com wrote:

we'll probably never see a macos update, ever macos branch has the same bugs it did when it was first released

On 1/14/21, Aws0me notifications@github.com wrote:

facepunch moment

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/Facepunch/garrysmod-issues/issues/4765#issuecomment-760551032

[mcNuggets1]

+1