Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency electron to v17.2.0 [security] #153

Merged
merged 1 commit into from
Jun 27, 2022
Merged

fix(deps): update dependency electron to v17.2.0 [security] #153

merged 1 commit into from
Jun 27, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 17, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 17.0.1 -> 17.2.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-29247

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Release Notes

electron/electron

v17.2.0

Compare Source

Release Notes for v17.2.0
Features
  • Added ses.setCodeCachePath() API for setting code cache directory. #​33285 (Also in 18)
Fixes
  • Fire 'show' event when a BrowserWindow is shown via maximize(). #​33213 (Also in 16, 18)
  • Fixed a network service crash that could occur when using setCertificateVerifyProc. #​33254 (Also in 18)
  • Fixed an issue where BrowserView layout bounds where limited to it's visible bounds. #​33398 (Also in 18)
  • Fixed an issue where Chrome DevTools settings didn't persist between loads. #​33273 (Also in 18)
  • Fixed an issue where clicking "Open in Containing Folder" in the Sources tab in Devtools caused a crash. #​33196 (Also in 16, 18)
  • Fixed broken event loop in renderer process when process reuse is enabled on windows platform. #​33362 (Also in 16, 18)
  • Fixed crash in the render process on reload with pending node fs.promises. #​33335 (Also in 15, 16, 18)
  • Fixed drag regions on WCO windows on Windows. #​33201 (Also in 15, 16, 18)
  • Fixed incorrect external memory allocation tracking in nativeImage module. #​33306 (Also in 15, 16, 18)
  • Theoretical fix for a crash we're seeing when closing multiple child windows at the same time on macOS. #​33283 (Also in 18)
Other Changes
  • Fixed an issue where adding/removing display changes the BrowserWindow size. #​33251 (Also in 14, 15, 16, 18)
  • Fixed an issue where moving a window created in a scaled display to a regular display would increase the window size. #​33231

v17.1.2

Compare Source

Release Notes for v17.1.2

Fixes

  • Fixed an issue where setting window maxHeight or maxWidth made it so the width and height could no longer be resized. #​33118 (Also in 18)
  • Strip crashpad_handler binary on Linux, reducing bundle size. #​33176 (Also in 15, 16, 18)

v17.1.1

Compare Source

Release Notes for v17.1.1

Fixes

  • Fixed an issue where alternateImages did not work properly on macOS. #​33105 (Also in 15, 16, 18)
  • Fixed an issue where the Tray could get garbage collected incorrectly under some circumstances. #​33076 (Also in 15, 16, 18)
  • Fixed an occasional crash on Mac when spawning a child process. #​33116 (Also in 18)
  • Fixed broken transparency option in offscreen window rendering. #​33052 (Also in 16, 18)

Other Changes

  • Updated Chromium to 98.0.4758.109. #​33085

v17.1.0

Compare Source

Release Notes for v17.1.0

Features

  • Added height option for Windows Control Overlay. #​32939

Fixes

  • Fixed BrowserWindow.showInactive restoring a maximized window to non-maximized on Windows. #​33021 (Also in 16, 18)
  • Fixed a crash that occurred when a user attempted to print a document either with window.print(), the print button in the PDF viewer, or with BrowserWindow.webContents() and clicked cancel in the resulting print dialog. #​33015
  • Fixed an issue where webContents.openDevTools({ mode }) did not work for certain dock positions. #​32945 (Also in 18)
  • Fixed an issue where webContents.savePage failed when passing a relative path instead of an absolute one. #​33016 (Also in 15, 16, 18)
  • Fixed command string registered via setAsDefaultProtocolClient on windows. #​33012 (Also in 14, 15, 16, 18)
  • Fixed stale renderer process when application is quit while renderer is busy. #​32970 (Also in 14, 15, 16, 18)

Other Changes

  • Chore: backport EPROTOTYPE fixes from libuv. #​32943 (Also in 16, 18)
  • Updated Chromium to 98.0.4758.102. #​32906

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the CVE label Jun 17, 2022
@kunalnagar kunalnagar merged commit 259f0fe into master Jun 27, 2022
@kunalnagar kunalnagar deleted the renovate/npm-electron-vulnerability branch June 27, 2022 01:10
github-actions bot pushed a commit that referenced this pull request Jun 27, 2022
@semantic-release-bot
chore(release): 3.10.12
5c398d6 
[skip ci]

### [3.10.12](v3.10.11...v3.10.12) (2022-06-27)

### Bug Fixes

* **deps:** update dependency electron to v17.2.0 [security] ([#153](#153)) ([259f0fe](259f0fe))

### Chores

* **deps:** lock file maintenance ([#154](#154)) ([e0acd26](e0acd26))
@kunalnagar
Copy link
Owner

🎉 This PR is included in version 3.10.12 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CVE released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@kunalnagar @renovate-bot