I see in the changelog for v0.23.0 a critical security patch was applied. I went looking through the logs but couldn't spot the commit(s). Can you please describe the security vulnerability for the sake of my sanity?
Thanks
@TensorTom The security vulnerability is in Chromium itself. I can't say any more until it's public, unfortunately. I'll keep this issue open so I remember to give an update here once the bug is public.
Here's some more info about this bug, now that the fix has been about for a while.
There was a really bad libwebrtc bug (libwebrtc is the library that provides webrtc in chromium). It affected any WebRTC app that establishes data channels with potentially malicious peers.
Here's my attempt at a summary (though see the bug report for full details). Basically, the WebRTC implementation was sending raw pointers to the remote peer (breaking ASLR) and also letting the remote peer set the callback pointer that the local peer would jump to. This could potentially be used to remotely exploit a webrtc peer running the vulnerable code.
The fix is in libwebrtc from June 5 or later (Chromium M84, branch 4147).
We patched this in WebTorrent Desktop v0.23.0 (https://github.com/webtorrent/webtorrent-desktop/releases/tag/v0.23.0) and within 2 weeks we had over 64% of users running v0.23.0 or later (thanks to our auto-updater). As of today, less than 5% of WebTorrent Desktop users are running a vulnerable version.
More details about the underlying libwebrtc bug here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2034
https://bugs.chromium.org/p/chromium/issues/detail?id=1076703
https://github.com/sctplab/usrsctp/issues/376
I will close this issue now.
Most helpful comment
@TensorTom The security vulnerability is in Chromium itself. I can't say any more until it's public, unfortunately. I'll keep this issue open so I remember to give an update here once the bug is public.