Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump electron from 3.0.2 to 7.2.4 #158

Closed

Conversation

dependabot-preview[bot]
Copy link

Bumps electron from 3.0.2 to 7.2.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Arbitrary file read via window-open IPC in Electron

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

Affected versions: < 7.2.4

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via contextBridge in Electron

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

Affected versions: < 7.2.4

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via leaked cross-context objects in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

Non-Impacted Versions

  • 9.0.0-beta.*

For more information

If you have any questions or comments about this advisory:

Affected versions: < 7.2.4

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via Promise in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
  • 6.1.11

For more information

If you have any questions or comments about this advisory:

Affected versions: < 6.1.11

Sourced from The Node Security Working Group.

Arbitrary Code Execution A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.

Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5

Release notes

Sourced from electron's releases.

electron v7.2.4

Release Notes for v7.2.4

Fixes

  • Fixed Promise timeout issue when running Electron as Node. #23324
  • Fixed a use-after-free error that could happen if a Tray was destroyed while showing a custom context menu. #23182
  • Fixed an issue where windows without nativeWindowOpen: true could invoke the non-native-open path. #23224
  • Fixed memory leak when using contextBridge with sandbox=true. #23232
  • MacOS VoiceOver is now able to find its way back into web contents after it navigated "out" of an application. #23174

electron v7.2.3

Release Notes for v7.2.3

Fixes

  • Security: Ensure proxy object is created in the correct context a9bead22

electron v7.2.2

Release Notes for v7.2.2

Fixes

  • Fixed a potential crash on invalid zoomFactor values when setting the zoom factor of a webpage. #22710
  • Fixed an issue with maximizable state persistence of BrowserWindows on macOS. #23019
  • Fixed an issue with possible creation of a messageBox which cannot be dismissed on macOS. #23089
  • Fixed an occasional crash when closing all BrowserWindows. #23024
  • Security: Backported fix for CVE-2020-6426: inappropriate implementation in V8. #23043
  • Security: backported a fix for crbug.com/1065094. #23059
  • Security: backported fix for a potential buffer overrun in WebRTC audio encoding. #23037
  • Security: backported fix for site isolation bypass in dedicated workers. #23040
  • Security: backported the fix to CVE-2020-6452: potential container-overflow in MediaStream mojo. #23044

Other Changes

  • Security: Backport fix for buffer underflow in DWrite. #22979
  • Security: Backported fix for use after free in file chooser. #22981
  • Security: backport fix for CVE-2020-6451: Use after free in WebAudio. #22945
  • Security: backport fix for use after free in VideoEncodeAccelerator. #22983
  • Security: backported fix for CVE-2019-20503: Out of bounds read in usersctplib. #22986
  • Security: backported fix for CVE-2020-6422: Use after free in WebGL. #23017
  • Security: backported fix for CVE-2020-6423: Use after free in audio. #23048
  • Security: backported fix for CVE-2020-6427: Use after free in audio. #23015
  • Security: backported fix for CVE-2020-6428: Use after free in audio. #23013
  • Security: backported fix for CVE-2020-6429: Use after free in audio. #23011
  • Security: backported fix for CVE-2020-6449: Use after free in audio. #23009
  • Security: backported fix for use-after-poison in WebAudio (crbug.com/1023810). #22869
  • Security: backported fix for use-after-poison in WebAudio. #22943
Commits
  • 0552e0d Bump v7.2.4
  • c87b474 refactor: port window-setup to use ctx bridge instead of being run in the mai...
  • 69683de fix: use Node's microtasks policy in node_main.cc (#23154) (#23324)
  • 8148b76 style: use build/include_directory for NOLINT (#23266) (#23304)
  • 7dfcb5e fix: block custom window.open when nativeWindowOpen is true (#23188) (#23224)
  • 0b3bf1e fix: do not mutate ipc instances across contexts (#23239)
  • fd529ac fix: do not allow child windows to specify their own preload script (#23229)
  • 3909001 fix: ensure that functions are not retained beyond their context being releas...
  • 039be2e build: improve patch filename remembering (#23070) (#23184)
  • fb6f604 fix: heap-use-after-free in tray.popUpContextMenu (#22842) (#23182)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [electron](https://github.com/electron/electron) from 3.0.2 to 7.2.4. **This update includes security fixes.**
- [Release notes](https://github.com/electron/electron/releases)
- [Changelog](https://github.com/electron/electron/blob/master/docs/breaking-changes.md)
- [Commits](electron/electron@v3.0.2...v7.2.4)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jul 7, 2020
@dependabot-preview
Copy link
Author

Superseded by #268.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/electron-7.2.4 branch January 28, 2021 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants