Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to latest Electron 1.7.x #49899

Closed
zyxneo opened this issue May 15, 2018 · 6 comments
Closed

Update to latest Electron 1.7.x #49899

zyxneo opened this issue May 15, 2018 · 6 comments
Assignees
@bpasero @Tyriar
Labels
electron Issues and items related to Electron
Milestone
June 2018

Comments

@zyxneo
Copy link

zyxneo commented May 15, 2018

Please update Electron version whenever new release with a fix is available. The reason for that is:

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

As far I understand, the current version is 1.7.12
https://github.com/Microsoft/vscode/blob/master/.yarnrc

more info:
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/

Many thanks in advice!
@vscodebot
Copy link

vscodebot bot commented May 15, 2018

(Experimental duplicate detection)
Thanks for submitting this issue. Please also check if it is already covered by an existing one, like:

@bpasero bpasero added this to the May 2018 milestone May 15, 2018
@bpasero bpasero added the electron Issues and items related to Electron label May 15, 2018
@bpasero
Copy link
Member

bpasero commented May 15, 2018
edited
Loading

We should ideally wait for 1.7.15 to be released that includes electron/electron#12808

@Tyriar
Copy link
Member

Tyriar commented May 15, 2018

I don't think we're impacted by this, @mjbvz?

@mjbvz
Copy link
Collaborator

mjbvz commented May 15, 2018

No I wasn't able to exploit it using a custom webview extension that has no csp and enables scripts. I believe we also block mounting unknown webviews if there happened to be an html injection in the main product

@zyxneo
Copy link
Author

zyxneo commented May 16, 2018

@mjbvz Many thanks for investigating it!

@bpasero bpasero changed the title Update Electron - CVE-2018-1000136 - Electron nodeIntegration Bypass Update to latest Electron 17.x May 17, 2018
@bpasero bpasero changed the title Update to latest Electron 17.x Update to latest Electron 1.7.x May 17, 2018
@bpasero bpasero modified the milestones: May 2018, June 2018 May 29, 2018
@bpasero
Copy link
Member

bpasero commented Jun 2, 2018

I think we will probably just go to 2.0.x directly. Closing as duplicate of #45542

@bpasero bpasero closed this as completed Jun 2, 2018
@vscodebot vscodebot bot locked and limited conversation to collaborators Jul 17, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bpasero bpasero

@Tyriar Tyriar

Labels
electron Issues and items related to Electron
Projects
None yet
Milestone
June 2018
Development

No branches or pull requests
4 participants
@bpasero @zyxneo @Tyriar @mjbvz