Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency electron to v22 [SECURITY] #751

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 5, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 12.2.3 -> 22.3.25 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at [email protected].

CVE-2022-29247

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at [email protected]

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at [email protected].

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

CVE-2023-29198

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6

For more information

If you have any questions or comments about this advisory, email us at [email protected]

CVE-2023-39956

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at [email protected]

CVE-2023-5217

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.


Release Notes

electron/electron (electron)

v22.3.25: electron v22.3.25

Compare Source

Release Notes for v22.3.25

Other Changes

v22.3.24: electron v22.3.24

Release Notes for v22.3.24

Other Changes

v22.3.23: electron v22.3.23

Release Notes for v22.3.23

Other Changes

v22.3.22: electron v22.3.22

Release Notes for v22.3.22

Fixes

Other Changes

v22.3.21: electron v22.3.21

Compare Source

Release Notes for v22.3.21

Fixes

  • Fixed unnecessary package.json check on built-in modules. #​39425

Other Changes

v22.3.18: electron v22.3.18

Compare Source

Release Notes for v22.3.18

Other Changes

v22.3.17: electron v22.3.17

Compare Source

Release Notes for v22.3.17

Other Changes

v22.3.16: electron v22.3.16

Compare Source

Release Notes for v22.3.16

Other Changes

v22.3.15: electron v22.3.15

Compare Source

Release Notes for v22.3.15

Other Changes

v22.3.14: electron v22.3.14

Compare Source

Release Notes for v22.3.14

Other Changes

v22.3.13: electron v22.3.13

Compare Source

Release Notes for v22.3.13

Other Changes

v22.3.12: electron v22.3.12

Compare Source

Release Notes for v22.3.12

Other Changes

v22.3.11: electron v22.3.11

Compare Source

Release Notes for v22.3.11

Other Changes

v22.3.10: electron v22.3.10

Compare Source

Release Notes for v22.3.10

Other Changes

v22.3.9: electron v22.3.9

Compare Source

Release Notes for v22.3.9

Other Changes

  • Fixed drag-and-drop crash on Wayland. #​38199

v22.3.8: electron v22.3.8

Compare Source

Release Notes for v22.3.8

Fixes

  • Fixed crash when executing eval in the utility process. #​38156 (Also in 23, 24, 25)

v22.3.7: electron v22.3.7

Compare Source

Release Notes for v22.3.7

Fixes

  • Fixed an issue which made defaultFontFamily in webPreferences have no effect. #​37970 (Also in 23, 24, 25)
  • Fixed broken defaults in shell.openExternal() options. #​38092 (Also in 23, 24, 25)
  • Fixed the active background color for top-level menu items on Windows. #​37991 (Also in 23, 24)

Other Changes

v22.3.6: electron v22.3.6

Compare Source

Release Notes for v22.3.6

Fixes

  • Fixed recommended node-gyp version in node.h error. #​37942 (Also in 23, 24, 25)
  • Security: Fixed an issue with Content-Security-Policy not being correctly enforced when sandbox: false and contextIsolation: false. (CVE-2023-23623). #​37843 (Also in 24)

Other Changes

v22.3.5: electron v22.3.5

Compare Source

Release Notes for v22.3.5

Fixes

  • Fixed an issue where calling port.postMessage in MessagePortMain with some invalid parameters could cause a crash. #​37725 (Also in 23, 24)
  • Fixed canceling of bluetooth requests when no devices are returned. #​37739 (Also in 23, 24)

Other Changes

v22.3.4: electron v22.3.4

Compare Source

Release Notes for v22.3.4

Fixes

  • Fixed an issue with potential dock icon duplication on macOS. #​37623 (Also in 23, 24)
  • Fixed issue with BrowserWindow not updating after call to previewFile. #​37576 (Also in 23, 24)
  • Improved error messages on session.cookies.set failure. #​37595 (Also in 23, 24)

Other Changes

v22.3.3: electron v22.3.3

Compare Source

Release Notes for v22.3.3

Fixes

  • Fixed an issue where unhandled rejections could cause duplicate logs in some cases. #​37502 (Also in 23, 24)

Other Changes

v22.3.2: electron v22.3.2

Compare Source

Release Notes for v22.3.2

Fixes

  • Fixed an issue where minWidth/minHeight and maxWidth/maxHeight would not be enforced if the user set an aspectRatio on macOS. #​37458 (Also in 23, 24)
  • Fixed an issue where passing both hasReply and actions to a main process Notification on macOS resulted in the first action being obscured and unavailable. #​37447 (Also in 23, 24)
  • Fixed window could not go back to maximized state when restored on Linux. #​37360 (Also in 23, 24)

Other Changes

  • Improved error messages for contents.takeHeapSnapshot. #​37459 (Also in 23, 24)

v22.3.1: electron v22.3.1

Compare Source

Release Notes for v22.3.1
Other Changes
  • Security: backported fix for chromium:1408392. #​37298
Documentation

v22.3.0: electron v22.3.0

Compare Source

Release Notes for v22.3.0

Features

  • Added several standard page size options to webContents.print(). #​37263 (Also in 23, 24)

Fixes

  • Fixed a crash when BrowserViews are present and a user attempts to prevent beforeunload in the renderer process. #​37266 (Also in 23, 24)
  • Fixed an incorrect result returned when using secure as a cookies filter. #​37247 (Also in 24)

Other Changes

v22.2.1: electron v22.2.1

Compare Source

Release Notes for v22.2.1
Features
  • Whole-program optimization is enabled by default in electron node headers config file. #​37047 (Also in 21, 23)
Fixes
  • Basic accessibility support is now enabled when macOS Voice Control is activated to allow for full voice control of Electron applications. #​37146 (Also in 21, 23)
  • Fixed audio worklet scripts failing to run when nodeIntegrationInWorker: true. #​37102 (Also in 23)
Documentation

v22.2.0: electron v22.2.0

Compare Source

Release Notes for v22.0.0

Stack Upgrades

Breaking Changes

  • Added WebContents input-event event.
    • Deprecated BrowserWindow scroll-touch-* events. #​35531
  • The deprecated new-window event has been removed. #​34526

Features

  • Added LoadBrowserProcessSpecificV8Snapshot as a new fuse that will let the main/browser process load its v8 snapshot from a file at browser_v8_context_snapshot.bin. Any other process will use the same path as is used today. #​35266 (Also in 20, 21)
  • Added WebContents.opener to access window opener.
    • Added webContents.fromFrame(frame) to get the WebContents corresponding to a WebFrameMain instance. #​35140 (Also in 21)
  • Added app.getSystemLocale() method. #​35697 (Also in 21)
  • Added contextBridge.exposeInIsolatedWorld(worldId, key, api) to expose an API to an isolatedWorld within a renderer from a preload script. #​34974
  • Added webContents.close() method. #​35509
  • Added webFrameMain.origin. #​35438 (Also in 19, 20, 21)
  • Added an app.getPreferredSystemLanguages() API to return the user's system languages. #​36291 (Also in 21)
  • Added new UtilityProcess API to launch chromium child process with node integration. #​36089
  • Added new WebContents event content-bounds-updated. #​35533
  • Added new WebContents.ipc and WebFrameMain.ipc APIs. #​34959 (Also in 21)
  • Added support for Web Bluetooth pin pairing on Linux and Windows. #​35416 (Also in 21)
  • Added support for navigator.mediaDevices.getDisplayMedia via a new session handler, ses.setDisplayMediaRequestHandler. #​30702
  • Added support for serialPort.forget() as well as a new event serial-port-revoked emitted when a given origin is revoked. #​36062

Fixes

  • Added support for Webauthn discoverable keys (aka resident keys), allowing users to authenticate without first having to select or type a username. #​35374
  • Enable crashpad for ELECTRON_RUN_AS_NODE processes on linux. #​36483
  • Fixed click event and tooltip of Tray not working on Linux. #​36472
  • Fixed an issue where frameless non-resizable windows showed a Windows 7 frame during startup. #​36024
  • Fixed an issue with incomplete EventEmitter object in sandboxed renderer preload script. #​35522
  • Fixed race condition during update on macOS that could result in TCC and Keychain errors. #​36362
  • Removed unneeded --turbo-profiling-input argument from mksnapshot_args. #​36463
Also in earlier versions...
  • Added a background to the WCO container to avoid rendering glitches. #​35569 (Also in 19, 20, 21)
  • Added support for Windows drop-down dialog extensions. #​35618 (Also in 18, 19, 20, 21)
  • Default margin has been added in the code. #​36073 (Also in 21)
  • Enable WCO maximize button when window enters tablet mode and is not already maximized. #​35617 (Also in 19, 20, 21)
  • Fixed uv_os_gethostname failing on Windows 7. #​35702 (Also in 19, 20, 21)
  • Fixed a bug where calling atob in the renderer process could fail under some circumstances. #​35415 (Also in 19, 20, 21)
  • Fixed a crash that occured when loading non-standard schemes from iframes. #​35485 (Also in 21)
  • Fixed a crash when switching origins with emulation settings set. #​35466 (Also in 21)
  • Fixed a drag-and-drop issue on macOS where items would be incorrectly moved instead of copied in some contexts. #​35976 (Also in 20, 21)
  • Fixed a potential crash on WebWorker destruction. #​35422 (Also in 19, 20, 21)
  • Fixed a potential issue when calling webContents.printToPDF(). #​36065 (Also in 21)
  • Fixed a potential memory leak. #​35964 (Also in 21)
  • Fixed an edge case in app.isInApplicationsFolder() which would return false incorrectly in some cases. #​35636 (Also in 19, 20, 21)
  • Fixed an issue where DevTools could not be docked with Windows Control Overlay enabled. #​35754 (Also in 19, 20, 21)
  • Fixed an issue where WCO could occlude DevTools opened in any non-detached mode. #​35209 (Also in 18, 19, 20, 21)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​35503 (Also in 21)
  • Fixed an issue where serialPort.open() failed with NetworkError: Failed to open serial port.. #​35306 (Also in 21)
  • Fixed an issue where app.relaunch loses args when execPath is specified. #​35108 (Also in 19, 20, 21)
  • Fixed an issue where calling app.dock.setIcon(/path/t/icon) would crash when called before the ready event on app. #​36293 (Also in 20, 21)
  • Fixed an issue where frameless resizable windows showed Window 7 style frames while opening. #​35189 (Also in 18, 19, 20, 21)
  • Fixed an issue where frameless windows with roundedCorners: false couldn't enter fullscreen without crashing. #​35421 (Also in 19, 20, 21)
  • Fixed an issue where part of the BrowserView could be cut off when calling setBounds on some windows. #​34713 (Also in 19, 20, 21)
  • Fixed an issue where some options were incorrectly ignored when using webContents.printToPDF(). #​35993 (Also in 21)
  • Fixed crash in renderer when resuming system from sleep. #​35322 (Also in 18, 19, 20, 21)
  • Fixed enable promise support with webFrameMain.executeJavaScript. #​35292 (Also in 20, 21)
  • Fixed issue with history.back() in sandboxed iframes affecting parent browsing context. #​35420 (Also in 19, 20, 21)
  • Fixed on-screen-keyboard not hiding on input rendered in webview is blurred. #​35983 (Also in 20, 21)
  • Fixed session.getBlobData never resolves with blob sizes > 65536. #​35277 (Also in 19, 20, 21)
  • Fixed spurious promise rejection in webContents.loadURL when navigating to a hash. #​36151 (Also in 20, 21)
  • Fixed undefined details.requestingUrl from session.setPermissionCheckHandler. #​35281 (Also in 20, 21)
  • Fixed v8 flags and desktop name in package.json does not hornored when running local app using electron cli. #​36049 (Also in 20, 21)
  • Fixed: If a custom Electron build contains an electron.d.ts file, it is now being used. #​33979 (Also in 20, 21)
  • Picture-In-Picture mode no longer becomes a red rectangle on hover. #​35034 (Also in 19, 20, 21)
  • Provided display_id for desktopCapturer on Linux. #​33861 (Also in 19, 20, 21)
  • Removed support for nodeIntegrationInWorker in Service Workers and Shared Workers owing to sandboxing policies. #​36010 (Also in 21)
  • Usage of safeStorage now consistently uses the correct service name on macOS regardless of timing with browser window construction. #​34683 (Also in 19, 20)
  • You can now import the built-in electron module via ESModule loaders, i.e. import('electron') and import 'electron' now work natively. #​35957 (Also in 20, 21)
  • Fixed a typo in the section on debugging with VSCode. #​35256 (Also in 19, 20, 21)

Other Changes

  • Backported fix for chromium:1352405. #​36458
  • Bumps the minimum required version of Node.js needed to install Electron to 12.20.55. #​35301
  • Enabled out-of-process iframe printing to PDF with webContents.printToPDF().. #​36095
  • Fixed win.getBrowserViews() not being updated when a BrowserView was moved to a different window. #​35511
  • Fixed an issue where some spellcheck functionality would incorrectly throw errors on macOS. #​35514 (Also in 21)
  • Modified the WCO maximized button style to match Windows 11 more closely. #​35370 (Also in 20, 21)
  • Updated common.gypi for native modules to support C++17 features in V8. #​36369 (Also in 20, 21)

Documentation

Notices

Sunsetting Windows 7/8/8.1

Electron will be ending support for Windows 7/8/8.1 after version 22.x.y following Chromium's plan to end support. Older versions of Electron will continue to work, but no further updates will be made for these operating systems.

End of Support for 19.x.y

Electron 19.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v22.1.0: electron v22.1.0

Compare Source

Release Notes for v22.1.0

Features

  • Added label property to Display objects. #​36932 (Also in 21, 23)

Fixes

  • Fixed an issue where webViews could have an incorrect initial background color following reloads. #​36940 (Also in 21, 23)
  • Removed plugin helper checks on macOS gated behind enable_plugins buildflag. #​36978 (Also in 23)

Other Changes

  • Fixed voiceover repeating selected text when expanding selection in a textarea. #​36991

v22.0.3: electron v22.0.3

Compare Source

Release Notes for v22.0.3
Fixes
  • Fixed an issue on macOS when trying to switch processes with Cmd+Tab after exiting Kiosk Mode. #​36918 (Also in 21, 23)
  • Fixed an issue where the setPermissionRequestHandler callback would be invoked twice when using navigator.getUserMedia(...). #​36873 (Also in 23)
  • Use the process cache to reduce the memory for asar file. #​36664 (Also in 21, 23)

v22.0.2: electron v22.0.2

Compare Source

Release Notes for v22.0.2

Fixes

  • Fixed an RTL issue that could happen in some locales when calling BrowserWindow.setTrafficLightPosition() on macOS. #​36851 (Also in 21, 23)
  • Fixed an error when fs.readdir gets null for options. #​36849 (Also in 23)
  • Fixed missing headers in libcxx_headers bundle. #​36865

Other Changes

v22.0.1: electron v22.0.1

Compare Source

Release Notes for v22.0.1

Fixes

  • Changed HTML5 Notifications created with the requireInteraction option to not timeout on Linux and Windows. #​36501 (Also in 21)
  • Fixed a crash that could occur when running eval in inline scripts in unsandboxed renderer processes. #​36668 (Also in 23)
  • Fixed an issue with incorrect focus ring highlighting when using dialog.showMessageBox(). #​36802 (Also in 21, 23)
  • Fixed binary stripping for branded release builds on Linux. #​36654 (Also in 21, 23)
  • Fixed warning about duplicate WebSwapCGLLayer symbols when Electron starts on macOS. #​36800 (Also in 21, 23)

Other Changes

  • Added node-api: handle no support for external buffers. #​36624
  • Backported fix for chromium:1352405. #​36517
  • Backported fix for chromium:1352405. #​36518
  • Removed unneeded --turbo-profiling-input argument from mksnapshot_args for Linux mksnapshot zips. #​36782 (Also in 23)
  • Updated Chromium to 108.0.5359.99. #​36613

v22.0.0: electron v22.0.0

Compare Source

Release Notes for v22.0.0

Stack Upgrades

@renovate renovate bot added the dependencies label Oct 5, 2023
@confused-Techie
Copy link
Member

If only bumping Electron was this easy.

@renovate
Copy link
Contributor Author

renovate bot commented Oct 6, 2023

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 22.x releases. But if you manually upgrade to 22.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch October 6, 2023 02:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant