Update dependency electron to v22 [SECURITY] #751
Closed
This PR contains the following updates:

electron: 12.2.3 -> 22.3.25
GitHub Vulnerability Alerts
CVE-2022-21718
Impact
This vulnerability allows renderers to obtain access to a random Bluetooth device via the Web Bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device. All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.6
16.0.6
15.3.5
14.2.4
13.6.6
Workarounds
Adding this code to your app can work around the issue.
For more information
If you have any questions or comments about this advisory, email us at [email protected].
CVE-2022-29247
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled, which in turn allows effective access to ipcRenderer.
Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access; rather, it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).
If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data, this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.6
15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial.
For more information
If you have any questions or comments about this advisory, email us at [email protected].
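The senderFrame check that the CVE-2022-29247 workaround above calls for, as an added example written for this page rather than code from the Electron advisory or its security tutorial. It assumes a main process that registers handlers with ipcMain.handle and a single trusted application origin, https://app.example.com, which is a placeholder; the decision logic is kept in plain functions so the file also runs (and can be checked) under Node without Electron.

```javascript
// Added example (not Electron's own code): validate the sender of every IPC
// message before doing privileged work, so a sub-frame that gained ipcRenderer
// via nodeIntegrationInSubFrames (CVE-2022-29247) cannot drive the main process.
// The check itself is pure, so it runs under plain Node as well as in Electron.

// Origins allowed to invoke privileged IPC handlers.
// 'https://app.example.com' is a placeholder chosen for this example.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Accepts the WebFrameMain exposed as event.senderFrame (only .url is used).
// Anything unparsable, about:blank, data:, file: or a different host is
// rejected, so the check fails closed.
function isTrustedFrame(frame) {
  if (!frame || typeof frame.url !== 'string') return false;
  let url;
  try {
    url = new URL(frame.url);
  } catch {
    return false; // unparsable URL: treat as hostile
  }
  // Compare the full origin (scheme + host + port), never a substring of the
  // URL. url.origin is "null" for opaque origins such as data: and about:blank.
  return TRUSTED_ORIGINS.has(url.origin);
}

// Wraps a privileged handler so it only runs for trusted senders.
// Untrusted calls get a rejected promise rather than silently returning data.
function guarded(handler) {
  return async (event, ...args) => {
    const frame = event && event.senderFrame;
    if (!isTrustedFrame(frame)) {
      throw new Error('IPC sender rejected: ' + (frame ? frame.url : 'unknown'));
    }
    return handler(event, ...args);
  };
}

// Example privileged handler; the secret value is constructed for this example.
const readSecret = guarded(async () => 'constructed-secret-value');

// Inside Electron's main process this is how the guarded handler is registered.
// The require is guarded so the file also runs under plain Node.
let ipcMain = null;
try { ({ ipcMain } = require('electron')); } catch { /* not inside Electron */ }
if (ipcMain && typeof ipcMain.handle === 'function') {
  ipcMain.handle('read-secret', readSecret);
}

module.exports = { isTrustedFrame, guarded, readSecret };
```

The important design choice is comparing url.origin against an allowlist rather than testing frame.url with a regular expression or includes(): a lookalike host such as app.example.com.evil.net, or a trusted origin smuggled into the query string, must not pass.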
CVE-2022-29257
Impact
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at [email protected].
CVE-2022-36077
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.
Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:
For more information
If you have any questions or comments about this advisory, email us at [email protected].
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
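The two per-WebContents workarounds described above, a select-bluetooth-device handler for CVE-2022-21718 and a will-redirect filter for CVE-2022-36077, combined into one hardening hook. This is an added example, not the advisories' own snippets (which are not reproduced on this page); the device allowlist entry 'Example Badge Reader' and the web-contents-created wiring are assumptions about the host app, and the decision functions are pure so the file also runs under plain Node.

```javascript
// Added example (not Electron's or the advisories' own code): one hook that
// hardens every WebContents the app creates, covering the workarounds for
// CVE-2022-21718 (Web Bluetooth chooser) and CVE-2022-36077 (file: redirects).

// Device names this app is willing to pair with; constructed for the example.
// An empty allowlist means "always cancel", which is the safest default.
const ALLOWED_BLUETOOTH_NAMES = new Set(['Example Badge Reader']);

// Given the devices Electron offers in 'select-bluetooth-device' (objects with
// deviceId and deviceName), return the deviceId to pick, or '' to cancel.
// Never pick "the first one": that is the arbitrary choice the CVE is about.
function chooseBluetoothDevice(devices, allowedNames = ALLOWED_BLUETOOTH_NAMES) {
  for (const d of devices || []) {
    if (d && typeof d.deviceId === 'string' && allowedNames.has(d.deviceName)) {
      return d.deviceId;
    }
  }
  return '';
}

// Decide whether a redirect target must be blocked. Blocks every file: URL
// (scheme compared case-insensitively via the URL parser), including SMB-style
// file://host/ targets that make Windows attempt NTLM authentication, and
// fails closed on anything the parser rejects.
function shouldBlockRedirect(targetUrl) {
  let url;
  try {
    url = new URL(targetUrl);
  } catch {
    return true; // unparsable: do not follow
  }
  return url.protocol === 'file:';
}

// Installs both handlers on a WebContents-like object. Written against the
// Electron event shapes: 'select-bluetooth-device' (event, devices, callback)
// and 'will-redirect' (event, url). Any object with .on(name, fn) works.
function hardenWebContents(contents) {
  contents.on('select-bluetooth-device', (event, devices, callback) => {
    event.preventDefault(); // stop Electron's default (arbitrary) selection
    callback(chooseBluetoothDevice(devices));
  });
  contents.on('will-redirect', (event, url) => {
    if (shouldBlockRedirect(url)) event.preventDefault();
  });
}

// Inside Electron's main process, apply to every WebContents as it is created.
// The require is guarded so the file also runs under plain Node.
let app = null;
try { ({ app } = require('electron')); } catch { /* not inside Electron */ }
if (app && typeof app.on === 'function') {
  app.on('web-contents-created', (_event, contents) => hardenWebContents(contents));
}

module.exports = { chooseBluetoothDevice, shouldBlockRedirect, hardenWebContents };
```

Registering from web-contents-created rather than on individual BrowserWindow instances matters: webviews, BrowserViews and windows opened from the renderer all get the same treatment, which is what "for all WebContents" in the advisory means.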
CVE-2023-29198
Impact
Apps using contextIsolation and contextBridge are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
This issue is exploitable under either of two conditions:
- contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance a canvas rendering context. This would normally result in an exception being thrown: Error: object could not be cloned.
- contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.
The app-side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.
Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.
Fixed Versions
25.0.0-alpha.2
24.0.1
23.2.3
22.3.6
For more information
If you have any questions or comments about this advisory, email us at [email protected]
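A defensive wrapper for the app-side workaround above, written as an added example and not Electron's code: it pushes every return value of an exposed API through structuredClone (the same serialization the bridge applies; Node 17+ when run outside Electron) before contextBridge ever sees it, so uncloneable values and throwing getters become a plain error envelope instead of crossing the bridge. The riskyApi object and its method names are constructed for the example, and the contextBridge.exposeInMainWorld call is guarded so the file runs under plain Node.

```javascript
// Added example (not Electron's own code): preload-side wrapper implementing
// the CVE-2023-29198 app-side workaround. Every return value of an exposed
// function is forced through structuredClone first; anything that cannot be
// cloned, or whose getter throws while being read, is replaced by an error
// envelope the bridge can always serialize.

// Deep-copies `value`. Throws DataCloneError for uncloneable values
// (functions, platform objects) and propagates any exception a getter raises.
function toCloneable(value) {
  return structuredClone(value);
}

// Converts a raw result into a bridge-safe envelope.
function finish(name, value) {
  try {
    return { ok: true, value: toCloneable(value) };
  } catch (err) {
    // Covers "object could not be cloned" and throwing dynamic getters alike.
    return { ok: false, error: `${name}: return value rejected (${err.name})` };
  }
}

// Wraps one API function. Synchronous throws, synchronous results and
// promise-returning functions are all handled.
function safeFunction(name, fn) {
  return (...args) => {
    let result;
    try {
      result = fn(...args);
    } catch (err) {
      return { ok: false, error: `${name}: ${String(err && err.message)}` };
    }
    if (result && typeof result.then === 'function') {
      return result.then(
        (v) => finish(name, v),
        (err) => ({ ok: false, error: `${name}: ${String(err && err.message)}` })
      );
    }
    return finish(name, result);
  };
}

// Wraps every function on an API object; non-function members are dropped,
// since only functions should be exposed over the bridge.
function safeApi(api) {
  const out = {};
  for (const [name, fn] of Object.entries(api)) {
    if (typeof fn === 'function') out[name] = safeFunction(name, fn);
  }
  return out;
}

// Example API with the two dangerous shapes from the advisory, constructed here:
// one returns an object holding a function (not cloneable), one returns an
// object whose getter throws while the bridge would read it.
const riskyApi = {
  getConfig: () => ({ theme: 'dark', retries: 3 }),                // fine
  getHandle: () => ({ fn: () => 'not cloneable' }),                // uncloneable
  getProfile: () => ({ get name() { throw new Error('boom'); } }), // throwing getter
  getLater: async () => ({ delayed: true }),                       // async result
};

const exposed = safeApi(riskyApi);

// In the preload script this is how the wrapped API would be exposed.
// The require is guarded so the file also runs under plain Node.
let contextBridge = null;
try { ({ contextBridge } = require('electron')); } catch { /* not inside Electron */ }
if (contextBridge && typeof contextBridge.exposeInMainWorld === 'function') {
  contextBridge.exposeInMainWorld('api', exposed);
}

module.exports = { safeApi, safeFunction, exposed };
```

This is defence in depth for code you cannot fully audit, not a substitute for the patched versions listed above: it removes the two trigger conditions from your own API surface, but the underlying bridge bug is only fixed by upgrading.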
CVE-2023-39956
Impact
Apps that are launched as command line executables are impacted, e.g. if your app exposes itself in the path as myapp --help.
Specifically, this issue can only be exploited if the following conditions are met:
This makes the risk quite low; in fact, issues of this kind are normally considered outside of our threat model since, like Chromium, we exclude Physically Local Attacks. But given the ability of this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
26.0.0-beta.13
25.5.0
24.7.1
23.3.13
22.3.19
For more information
If you have any questions or comments about this advisory, email us at [email protected].
CVE-2023-5217
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Release Notes

electron/electron (electron)

v22.3.25
Other Changes

v22.3.24
Other Changes

v22.3.23
Other Changes

v22.3.22
Fixes
Other Changes

v22.3.21
Fixes
Other Changes
- 1444438

v22.3.18
Other Changes
- 1454860. #38949

v22.3.17
Other Changes
- 1454860. #38949

v22.3.16
Other Changes
- 1450536

v22.3.15
Other Changes
- 1450536

v22.3.14
Other Changes
- 1450536

v22.3.13
Other Changes
- 1437346
- 1439691
- 1425115
- 1431761
- 1442263. #38332
- 1447430
- 1444195

v22.3.12
Other Changes
- 1423360. #38277

v22.3.11
Other Changes
- 1423360. #38277

v22.3.10
Other Changes

v22.3.9
Other Changes
v22.3.8
Fixes

v22.3.7
Fixes
- shell.openExternal() options. #38092 (Also in 23, 24, 25)
Other Changes
- 1360571. #38062
- 1404790. #38064
- 1417317. #37665
- 1427388. #37983
- 1428820. #38068

v22.3.6
Fixes
- node-gyp version in node.h error. #37942 (Also in 23, 24, 25)
Other Changes

v22.3.5
Fixes
- port.postMessage in MessagePortMain with some invalid parameters could cause a crash. #37725 (Also in 23, 24)
Other Changes
- 1412991. #37659
- 1418734. #37661

v22.3.4
Fixes
- session.cookies.set failure. #37595 (Also in 23, 24)
Other Changes
- 1415249. #37671
- 1416916. #37657
- 1417585. #37663

v22.3.3
Fixes
Other Changes
- 1414224. #37483

v22.3.2
Fixes
- minWidth/minHeight and maxWidth/maxHeight would not be enforced if the user set an aspectRatio on macOS. #37458 (Also in 23, 24)
- hasReply and actions to a main process Notification on macOS resulted in the first action being obscured and unavailable. #37447 (Also in 23, 24)
Other Changes
- contents.takeHeapSnapshot. #37459 (Also in 23, 24)

v22.3.1
Other Changes
Documentation

v22.3.0
Features
- webContents.print(). #37263 (Also in 23, 24)
Fixes
- BrowserViews are present and a user attempts to prevent beforeunload in the renderer process. #37266 (Also in 23, 24)
Other Changes
v22.2.1
Features
Fixes
- nodeIntegrationInWorker: true. #37102 (Also in 23)
Documentation

v22.2.0
Release Notes for v22.0.0
Stack Upgrades
Breaking Changes
- input-event event.
- scroll-touch-* events. #35531
- new-window event has been removed. #34526
Features
- LoadBrowserProcessSpecificV8Snapshot as a new fuse that will let the main/browser process load its v8 snapshot from a file at browser_v8_context_snapshot.bin. Any other process will use the same path as is used today. #35266 (Also in 20, 21)
- WebContents.opener to access window opener.
- webContents.fromFrame(frame) to get the WebContents corresponding to a WebFrameMain instance. #35140 (Also in 21)
- app.getSystemLocale() method. #35697 (Also in 21)
- contextBridge.exposeInIsolatedWorld(worldId, key, api) to expose an API to an isolatedWorld within a renderer from a preload script. #34974
- webContents.close() method. #35509
- webFrameMain.origin. #35438 (Also in 19, 20, 21)
- app.getPreferredSystemLanguages() API to return the user's system languages. #36291 (Also in 21)
- content-bounds-updated. #35533
- WebContents.ipc and WebFrameMain.ipc APIs. #34959 (Also in 21)
- navigator.mediaDevices.getDisplayMedia via a new session handler, ses.setDisplayMediaRequestHandler. #30702
- serialPort.forget() as well as a new event serial-port-revoked emitted when a given origin is revoked. #36062
Fixes
- click event and tooltip of Tray not working on Linux. #36472
Also in earlier versions...
- uv_os_gethostname failing on Windows 7. #35702 (Also in 19, 20, 21)
- atob in the renderer process could fail under some circumstances. #35415 (Also in 19, 20, 21)
- webContents.printToPDF(). #36065 (Also in 21)
- app.isInApplicationsFolder() which would return false incorrectly in some cases. #35636 (Also in 19, 20, 21)
- screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #35503 (Also in 21)
- serialPort.open() failed with NetworkError: Failed to open serial port. #35306 (Also in 21)
- app.dock.setIcon(/path/t/icon) would crash when called before the ready event on app. #36293 (Also in 20, 21)
- roundedCorners: false couldn't enter fullscreen without crashing. #35421 (Also in 19, 20, 21)
- setBounds on some windows. #34713 (Also in 19, 20, 21)
- webContents.printToPDF(). #35993 (Also in 21)
- webContents.loadURL when navigating to a hash. #36151 (Also in 20, 21)
- nodeIntegrationInWorker in Service Workers and Shared Workers owing to sandboxing policies. #36010 (Also in 21)
- safeStorage now consistently uses the correct service name on macOS regardless of timing with browser window construction. #34683 (Also in 19, 20)
- import('electron') and import 'electron' now work natively. #35957 (Also in 20, 21)
Other Changes
- webContents.printToPDF(). #36095
- win.getBrowserViews() not being updated when a BrowserView was moved to a different window. #35511
- common.gypi for native modules to support C++17 features in V8. #36369 (Also in 20, 21)
Documentation

Notices

Sunsetting Windows 7/8/8.1
Electron will be ending support for Windows 7/8/8.1 after version 22.x.y, following Chromium's plan to end support. Older versions of Electron will continue to work, but no further updates will be made for these operating systems.

End of Support for 19.x.y
Electron 19.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.
v22.1.0
Features
- label property to Display objects. #36932 (Also in 21, 23)
Fixes
- webViews could have an incorrect initial background color following reloads. #36940 (Also in 21, 23)
Other Changes

v22.0.3
Fixes
- Cmd+Tab after exiting Kiosk Mode. #36918 (Also in 21, 23)
- setPermissionRequestHandler callback would be invoked twice when using navigator.getUserMedia(...). #36873 (Also in 23)

v22.0.2
Fixes
- BrowserWindow.setTrafficLightPosition() on macOS. #36851 (Also in 21, 23)
Other Changes

v22.0.1
Fixes
- requireInteraction option to not timeout on Linux and Windows. #36501 (Also in 21)
- dialog.showMessageBox(). #36802 (Also in 21, 23)
- WebSwapCGLLayer symbols when Electron starts on macOS. #36800 (Also in 21, 23)
Other Changes

v22.0.0
Release Notes for v22.0.0
Stack Upgrades