Skip to content

Comments

🚨 [security] Update electron: 16.0.9 → 16.2.8 (minor)#56

Open
depfu[bot] wants to merge 1 commit intowinfrom
depfu/update/win/npm/electron-16.2.8
Open

🚨 [security] Update electron: 16.0.9 → 16.2.8 (minor)#56
depfu[bot] wants to merge 1 commit intowinfrom
depfu/update/win/npm/electron-16.2.8

Conversation

@depfu
Copy link

@depfu depfu bot commented Jun 17, 2022
edited
Loading

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ electron (16.0.9 → 16.2.8) · Repo

Security Advisories 🚨

🚨 AutoUpdater module fails to validate certain nested components of the bundle

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

🚨 Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Release Notes

16.2.8

Release Notes for v16.2.8

Fixes

  • Fixed an issue where Pointer Lock behavior could not be properly exited. #32826 (Also in 18)
  • Fixed an issue where bounds changes were incorrectly delayed in the case where a window was moved or resized and event.preventDefault was called in either will-resize or will-move on Windows. #34282 (Also in 17, 18, 19)
  • Fixed an issue with background colors being improperly applied to BrowserViews on Windows. #33546
  • Fixed crash when calling navigator.serial.getPorts(). #34334 (Also in 17, 18, 19)

16.2.6

Release Notes for v16.2.6

Other Changes

16.2.0

Release Notes for v16.2.0

Features

  • Added nativeTheme.inForcedColorsMode API to allow detecting forced color mode. #33359 (Also in 15, 17, 18)

Fixes

  • Fixed maximizing frameless windows by double-clicking on a draggable (title bar) region. #33444 (Also in 15, 17, 18)
  • Fixed slowness when using child_process.spawn and related methods on macOS Big Sur and newer. #33405 (Also in 17, 18)

Other Changes

16.0.10

Release Notes for v16.0.10

Fixes

  • Fixed BrowserWindow.showInactive restoring a maximized window to non-maximized on Windows. #33020 (Also in 17, 18)
  • Fixed an issue where webContents.savePage failed when passing a relative path instead of an absolute one. #33017 (Also in 15, 17, 18)
  • Fixed broken transparency option in offscreen window rendering. #33051
  • Fixed command string registered via setAsDefaultProtocolClient on windows. #33010 (Also in 14, 15, 17, 18)
  • Fixed stale renderer process when application is quit while renderer is busy. #32969 (Also in 14, 15, 17, 18)

Other Changes

  • Backported fix for CVE-2022-0609. #32900
  • Backported fix for CVE-2022-0610. #32918
  • Chore: backport EPROTOTYPE fixes from libuv. #32942 (Also in 17, 18)
  • Security: backported fix for CVE-2022-0607. #32916
  • Security: backported fix for chromium:1039885. #32803
  • Security: backported fix for chromium:1258603. #32809
  • Security: backported fix for chromium:1262967. #32807
  • Security: backported fix for chromium:1267426. #32805
  • Security: backported fix for chromium:1267627. #32806
  • Security: backported fix for chromium:1274376. #32808
  • Security: backported fix for chromium:1289384. #32911
  • Security: backported fix for chromium:1289394. #32907
  • Security: backported fixes to chromium:1292537 and CVE-2022-0606. #32903

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added dependencies Pull requests that update a dependency file depfu labels Jun 17, 2022
@depfu depfu bot assigned riotrah Jun 17, 2022
@depfu depfu bot requested a review from riotrah June 17, 2022 00:06
@depfu depfu bot force-pushed the depfu/update/win/npm/electron-16.2.8 branch from a0e35a0 to 6890388 Compare June 24, 2022 21:45
@depfu depfu bot force-pushed the depfu/update/win/npm/electron-16.2.8 branch from 6890388 to 53f57ef Compare July 16, 2022 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@riotrah riotrah Awaiting requested review from riotrah

Assignees

@riotrah riotrah

Labels

dependencies Pull requests that update a dependency file depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@riotrah