electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

fix: verify LiteralPath of update file during windows signature verification #8295

Closed mmaietta closed 1 week ago

mmaietta commented 1 week ago

To prevent env var expansion during the signature verification step when executed via cmd.exe -> powershell, we need to verify the LiteralPath of the scanned asset and compare the string against the original intended update filename.

changeset-bot[bot] commented 1 week ago

🦋 Changeset detected

Latest commit: 106f800454d46db0670a175c79846f903bb1bc14

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

| Name             | Type  |
| ---------------- | ----- |
| electron-updater | Patch |


netlify[bot] commented 1 week ago

Deploy Preview for car-park-attendant-cleat-11576 ready!

| Name              | Link |
| ----------------- | ---- |
| Latest commit     | 106f800454d46db0670a175c79846f903bb1bc14 |
| Latest deploy log | https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/66871b6ee11c9d00088654e9 |
| Deploy Preview    | https://deploy-preview-8295--car-park-attendant-cleat-11576.netlify.app |

basil commented 19 hours ago

Are there any plans for a non-alpha release or backport? This is now showing up as https://nvd.nist.gov/vuln/detail/CVE-2024-39698

mmaietta commented 1 hour ago

Yep, I'll be converting to a non-alpha release when I return from vacation on Monday. Unfortunately, I cannot backport with the current CI/CD setup using the changeset package.