dsi-icl / optimise

OptimiseMS
https://optimise.dsi.ic.ac.uk
MIT License

fix(deps): update dependency electron-updater to v6.3.2 [security] - abandoned #2286

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package: electron-updater (source)
Change: 6.3.1 -> 6.3.2

GitHub Vulnerability Alerts

CVE-2024-39698

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in the command line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.


Release Notes

electron-userland/electron-builder (electron-updater)

v6.3.2 (https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#632)
Compare Source: https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.3.1...electron-updater@6.3.2

Patch Changes

- #8378 (https://redirect.github.com/electron-userland/electron-builder/pull/8378), commit c8fe1462 (https://redirect.github.com/electron-userland/electron-builder/commit/c8fe1462d529edeed0ad3fe0b7e99e8af1ca61ac). Thanks @s77rt (https://redirect.github.com/s77rt)! - Limit concurrent downloads to 1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] commented 1 month ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.