Commit
fix
RamyEB committed Dec 14, 2023
1 parent bc8743b commit a4ba694
Showing 3 changed files with 3 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release_connect-kit.yml
@@ -19,7 +19,7 @@ jobs:
# use 'latest' for release, 'alpha' or 'beta' for pre-releases
PKG_RELEASE_TAG: 'latest'
# make sure it matches the version on package.json
PKG_VERSION: '1.1.4'
PKG_VERSION: '1.1.8'
GIT_TAG_PREFIX: 'ck-'
steps:
# Checkout project repository
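Review bot: the version is still duplicated by hand between this workflow and package.json (the comment above PKG_VERSION even says "make sure it matches"), and this change jumps it from '1.1.4' straight to '1.1.8' while PKG_RELEASE_TAG stays 'latest', so the run will move the npm latest tag with no record of 1.1.5 through 1.1.7 in the workflow history. Suggest reading the version from package.json inside the workflow instead of keeping a second copy, and documenting why the intermediate versions are skipped.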
1 change: 1 addition & 0 deletions packages/connect-kit/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
New version fix

## 1.1.4 - 2023-08-17
Add configuration to segment to use custom proxy
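Review bot: "New version fix" under "## Unreleased" does not tell a reader what changed or why, and the entry is not attached to the 1.1.8 version this commit publishes. The file follows Keep a Changelog, so the entry should go under a dated heading such as "## 1.1.8 - 2023-12-14" and state what the release fixes and which published versions it supersedes.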
2 changes: 1 addition & 1 deletion packages/connect-kit/package.json
@@ -1,6 +1,6 @@
{
"name": "@ledgerhq/connect-kit",
"version": "1.1.4",
"version": "1.1.8",
"description": "A library for dApps to integrate with the Ledger Extension and Ledger Live",
"author": "Ledger SAS <ledger.com>",
"license": "MIT",
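Review bot: package.json moves from "1.1.4" to "1.1.8" with 1.1.5, 1.1.6 and 1.1.7 never appearing in this file's history, so the repository cannot be used to reconstruct what those npm releases contained; the only difference in this commit is the version string, so nothing here is auditable as a fix. Suggest a note (in the changelog or the commit message) recording which published versions are deprecated and why, so that consumers comparing the repository against the registry can see the gap was intentional.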

8 comments on commit a4ba694

@npomfret
Where is the fix?

@itxtoledo itxtoledo commented on a4ba694 Dec 14, 2023

@npomfret

This commit is just to start a new GitHub build that will pull the new code from here

const src = "https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1";

The compromised code is in version 1.1.7: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7

The fixed code is in 1.1.8: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8

@natonamco
Do I have any chance of getting my device compromised by opening those links?

@npomfret

This commit is just to start a new GitHub build that will pull the new code from here

const src = "https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1";

The compromised code is in version 1.1.7: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7

The fixed code is in 1.1.8: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8

@astrovm
@natonamco no, it doesn't execute code

@darkobas2
wow what a quality fix

@mqklin mqklin commented on a4ba694 Dec 15, 2023

@npomfret

This commit is just to start a new GitHub build that will pull the new code from here

const src = "https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1";

The compromised code is in version 1.1.7: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7

The fixed code is in 1.1.8: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8

Is this code open-sourced?

@cromatikap
Is this code open-sourced?

The versioning in the commit history doesn't match any 1.1.7, and I can't find minimalDrainValue (from the alleged compromised source) when I search globally in this repo. Doesn't look open-sourced, or this portion might have been deleted (?)

@mqklin mqklin commented on a4ba694 Dec 25, 2023

Malicious code was deployed directly to npm; GitHub was not affected.
