Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency electron to v9 [SECURITY] #47

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency electron to v9 [SECURITY] #47

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 2, 2020
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 1.8.7 -> 9.4.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2018-15685

GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

More information to determine if you are impacted can be found on the electron blog.

Recommendation

Upgrade Electron to >=3.0.0-beta.7, >=2.0.8, >=1.8.8, or >=1.7.16."

CVE-2020-4077

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-4076

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

Non-Impacted Versions

  • 9.0.0-beta.*

For more information

If you have any questions or comments about this advisory:

CVE-2020-4075

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-15096

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
  • 6.1.11

For more information

If you have any questions or comments about this advisory:

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Release Notes

electron/electron

v9.4.0

Compare Source

Release Notes for v9.4.0
Fixes
  • Added Electron DLLs like libGLESv2.dll to symbol server. #​26967 (Also in 10, 11, 12)
  • Fixed systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #​26881 (Also in 10, 11, 12)
  • Fixed an issue where event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #​26928 (Also in 10, 11, 12)
  • Fixed an issue where some buttons were un-clickable in some BrowserViews with draggable regions enabled. #​26745 (Also in 10, 11)
  • Fixed an issue whereby a corrupted async_hooks stack would crash the renderer when throwing some errors in the renderer process. #​26748 (Also in 10, 11)
  • Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. #​26950 (Also in 10, 11, 12)
  • Fixed usage of --disable-dev-shm-usage for apps using --no-sandbox on linux. #​26806
Other Changes

v9.3.5

Compare Source

Release Notes for v9.3.5
Fixes
  • Fixed <webview> render-process-gone event dispatch. #​26576
  • Fixed LC_ALL environment variable getting changed in Electron. #​26508 (Also in 10, 11)
  • Fixed debug.log files being created under working directory on windows. #​26267 (Also in 10)
  • Fixed draggable regions stops working when devtools is opened on macOS. #​26506 (Also in 10, 11)
Other Changes
Unknown

v9.3.4

Compare Source

Release Notes for v9.3.4

Fixes

  • Fixed an issue where Hover Text on macOS Catalina did not work without VoiceOver also being enabled. #​26244 (Also in 10, 11)
  • Fixed an issue where draggable regions did not work exclusively on BrowserViews. #​26261 (Also in 10, 11)
  • Fixed an issue where draggable regions were not properly updated on BrowserViews when a containing BrowserWindow was resized. #​26322 (Also in 10, 11)
  • Fixed calling app.commandLine.appendSwitch('lang') not changing app's locale. #​26242 (Also in 10, 11)

Other Changes

v9.3.3

Compare Source

Release Notes for v9.3.3

Fixes

  • Browser views will properly resize within windows. #​26034 (Also in 10, 11)
  • Fix: gdi printing in silent printing mode. #​25724 (Also in 10, 11)
  • Fixed NativeImage.getScaleFactors() always returning the same value. #​25904 (Also in 10, 11)
  • Fixed a crash in printing on Windows. #​26066 (Also in 10, 11)
  • Fixed an issue where Windows notifications with timeoutType of 'never' did not work properly. #​25862 (Also in 10, 11)
  • Fixed an issue where Save as PDF from PDF Viewer Print dialog failed and sometimes crashed. #​26067 (Also in 10, 11)
  • Fixed an issue where frameless windows showed window controls after being in simple fullscreen mode on macOS. #​26128 (Also in 10, 11)
  • Fixed an issue where some Node.js module API calls hung in the renderer process after reloads when render process reuse was enabled. #​25924 (Also in 10, 11)
  • Fixed an issue where the PDF annotations button existed in a broken state. #​26004
  • Fixed bug that meant require.resolve paths option was ignored. #​26035 (Also in 10, 11)
  • Fixed maximized frameless window bleeding to other monitors. #​25980 (Also in 8, 10, 11)
  • Fixed memory leak on macOS when using dialog.showMessageBox API. #​26098 (Also in 8, 10, 11)

Other Changes

v9.3.2

Compare Source

Release Notes for v9.3.2

Fixes

  • Fixed CORS not being disabled by webSecurity: false. #​25505 (Also in 9, 10, 11)
  • Fixed ready-to-show event not emitted on some machines. #​25490 (Also in 9, 10, 11)
  • Fixed a crash in app.importCertificate() on Linux. #​25538 (Also in 9, 10, 11)
  • Fixed a crash when closing window in an event listener after exiting fullscreen on macOS. #​25605 (Also in 9, 10, 11)
  • Fixed an issue that could cause a normally-exiting process to fail with an "illegal access" message and exit code 7. #​25502 (Also in 8, 9, 10, 11)
  • Fixed an issue where an error would be displayed when using webContents.print() if no default was set and no device name provided. #​25607 (Also in 9, 10, 11)
  • Fixed crash when application launched from UNUserNotificationCenter notification (via a native node module). #​25739 (Also in 9, 10, 11)
  • Fixed crashes caused by attempting to modify destroyed views. #​25609 (Also in 9, 10, 11)
  • Fixed memory leak when creating "Services" menu. #​25689 (Also in 9, 10, 11)
  • Fixed unsubscribe from observers when window is closing. #​25586 (Also in 9, 10, 11)
  • Updated Node root certs to use NSS 3.56. #​25364 (Also in 8, 9, 10, 11)

Other Changes

Unknown

  • Fixed extension background page devtools not being openable. #​25567 (Also in 9, 10, 11)

v9.3.1

Compare Source

Release Notes for v9.3.1

Fixes

  • Added missing module delay loads on windows to reduce per process reference set impact. #​25437 (Also in 9, 10, 11)
  • Fixed a crash in the renderer process when invoking the Badging API. #​25371 (Also in 9, 10, 11)
  • Fixed a memory leak in net.request(). #​25382
  • Fixed multiple dock icons being left in system when calling dock.show/hide on macOS. #​25301 (Also in 8, 9, 10, 11)

Other Changes

Unknown

  • Added support for some chrome.management APIs. #​25344 (Also in 9, 10, 11)

v9.3.0

Compare Source

Release Notes for v9.3.0
Features
  • Added back a previously broken visibleOnFullScreen option for setVisibleOnAllWorkspaces. #​25126
  • Added the currencyCode field that Apple's StoreKit in-app-purchasing library provides but has not been added to the Product object that inAppPurchase.getProducts returns. #​25085
Fixes
  • Fixed powerMonitor not emitting suspend/resume events on some Windows machines. #​25165
  • Fixed an issue where filters set in dialogs on macOS would have nondeterministic ordering. #​25194
  • Fixed an issue where notifications with a reply button could potentially be destroyed too early when a user clicked on the notification body before replying. #​25101
  • Fixed frameless window's size being changed when restored from minimized state. #​25045
  • Fixed network permission error when there are multiple WebContents sharing same session are created with web security disabled. #​25179
  • Fixed node's TLS stack not allowing renegotiation. #​25041
  • Fixed the following issues for frameless when maximized on Windows * fix unreachable task bar when auto hidden with position top
  • fix 1px extending to secondary monitor
  • fix 1px overflowing into taskbar at certain resolutions
  • fix white line on top of window under 4k resolutions. #​25218
  • Fixed window size being changed after unmaximizing. #​25133
Unknown
  • Fixed not working WebSQLDatabase in extension background pages. #​25070

v9.2.1

Compare Source

Release Notes for v9.2.1
Fixes
  • fix loading shared worker scripts over custom protocol
  • fix crash when loading worker scripts with nodeIntegration enabled. #​24750
  • Fixed a crash that could occur when using in-memory sessions. #​25002
  • Fixed an issue where some Node.js methods would not work with URL instances constructed in the renderer process. #​24862
  • Fixed an issue where the Save button did not function in PDF previews. #​24996
  • Fixed inactive windows having active titlebar on Windows. #​24873
  • Fixed missing guid parameter in Linux crash reports. #​24898
  • Increased maximum length for crash keys from 127B to 20KB. #​24854
  • [a11y] fix an issue where voiceover doesn't read the first item selected from a ARIA combobox. #​25004
Other Changes
Unknown
  • Fixed issues with CORS when making requests from extensions. #​24915

v9.2.0

Compare Source

Release Notes for v9.2.0

Features

  • Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from webFrame.executeJavaScript are world safe when context isolation is enabled. #​24712 (Also in 10)

Fixes

  • Fixed a crash that could happen when using hookWindowMessage on Windows. #​24769 (Also in 10)
  • Fixed an issue where suspend/resume were emitted twice on macOS. #​24845 (Also in 8, 10)
  • Fixed crash when navigating from a page with webview that has inherited zoom level. #​24764 (Also in 8, 10)
  • Save crash reports locally when uploadToServer: false on linux. #​24788 (Also in 10)
  • Fixed an a11y regression where children reported an index in parent greater than the parent child count. #​24765

v9.1.2

Compare Source

Release Notes for v9.1.2

Fixes

  • Fix: remove unnecessary corner mask overriding to increase window resize performance. #​24702
  • Fixed an issue where VoiceOver was unable to navigate from the top-level window back into the web contents. #​24699
  • Protocol response streams are now destroyed if the request is aborted. #​24657

Other Changes

  • Improved the performance of sending JS primitives over the context bridge. #​24746

v9.1.1

Compare Source

Release Notes for v9.1.1

Fixes

  • Fixed a termination crash on Web Workers with Node.js integration enabled. #​24464
  • Fixed an issue where webContents.print() would sometimes hang with invalid settings. #​24508
  • Fixed an issue where cpu and heap profiling in Node.js did not work properly with --cpu-prof, --heap-prof, and related CLI flags. #​24541
  • Fixed an issue where macOS window vibrancy active state did not always match the active state of the window. #​24533
  • Fixed broken --trace-sync-io flag in Node.js. #​24648
  • Fixed clipboard.readBuffer returning incorrect value. #​24469
  • Fixed potentially invalid duplex mode settings on Linux. #​24547

Other Changes

  • Fix: DCHECK failure in value.IsHeapObject() in objectsdebug.cc. (Chromium security issue 1084820). #​24566
  • Fix: XSS on chrome://histograms/ with a compromised renderer. (Chromium security issue 1073409). #​24625
  • Fix: crash when executing debugger.sendCommand. (Chromium security issue 1016278). #​24620
  • Fix: heap-use-after-free in content::NavigationRequest::OnWillProcessResponseProcessed. (Chromium security issue 1090543). #​24569
  • Fix: heap-use-after-free in ui::AXTreeSerializerblink (Chromium security issue 1065122). #​24557
  • Fix: iframe in victim page can detect Scroll To Text Fragment activation. (Chromium security issue 1042986). #​24624
  • Fix: integer overflow in GrTextBlob::Make. (Chromium security issue 1080481). #​24586
  • Fix: javascript URI sandbox flags aren't propagated in a blank string case. (Chromium security issue 1074340). #​24621
  • Fix: memcpy-param-overlap in AudioBuffer::copyFromChannel. (Chromium security issue 1081722). #​24582
  • Fix: remove leaks of post-redirect URL for <script> in the CSP reports and stacktraces of errors (Chromium security issue 1074317). #​24560
  • Fix: update webrtc root certificate. (Chromium security issue 978779). #​24617
  • Fix: upgrade SQLite to 3.32.1. (Chromium security issue 1087629). #​24554
  • Fix: use-after-free in devtools console. (Chromium security issue 986051). #​24614
  • Fix: use-of-uninitialized-value in amr_read_header. (Chromium security issue 1065731). #​24594
  • Fix: usrsctp is called with pointer as network address. (Chromium security issue 1076703). #​24563

Documentation

v9.1.0

Compare Source

Release Notes for v9.1.0

Features

  • Added support for MessagePort in the main process. #​24323
  • Added support for suspend and resume events to Windows. #​24283
  • Added support for suspend and resume events to macOS. #​24294
  • Expose sessionId associated with a target from debugger module. #​24398
  • Implemented systemPreferences.getMediaAccessStatus() on Windows. #​24312

Fixes

  • Fixed an intermittent high-CPU usage problem caused a system clock issue during sleep. #​24415
  • Fixed an issue where some old notifications were not properly removed from the Notification Center on macOS. #​24406
  • Fixed bug on macOS where the main window could be targeted for a focus event when it was disabled behind a modal. #​24354

v9.0.5

Compare Source

Release Notes for v9.0.5

Fixes

  • Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #​24185
  • Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #​24232
  • Fixed an error when calling dialog.showCertificateTrustDialog with no BrowserWindow. #​24121
  • Fixed an issue where shutdown would be emitted both on app and system shutdown on macOS. #​24141
  • Fixed an issue where withFileTypes was not supported as an option to fs.readdir or fs.readdirSync under asar. #​24108
  • Fixed an issue which would cause streaming protocol responses to stall in some cases. #​24082
  • Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #​24236
  • Fixed delayed execution of some Node.js callbacks in the main process. #​24178
  • Fixed tray menu showing in taskbar on Windows. #​24193
  • Fixed window titlebar not responding to pen on Windows 10. #​24103

Other Changes

  • Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #​24059
  • Fixed mac app store rejection notice for invalid symbolic link in bundle. #​24238
  • Updated Chromium to 83.0.4103.119. #​24234

Documentation

v9.0.4

Compare Source

Release Notes for v9.0.4

Fixes

  • Added missing support for isComposing KeyboardEvent property. #​23996
  • Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #​23934
  • Fix: Allow windows behind macOS elements if "frame" is false. #​24033
  • Fixed chrome://media-internals and chrome://webrtc-internals pages not loading. #​24058
  • Fixed a crash that could occur when using the ipcRenderer module after blink had released the context. Instead, a JS exception will be thrown. #​23978
  • Fixed an issue where rmdir and rmdirSync work with original-fs in an asar context. #​23956
  • Fixed no session in webContents of type remote. #​24065
  • Fixed: On some Windows machines, especially Windows Insider builds, Electron would crash silently during startup. #​24039

Other Changes

  • Updated Chromium to 83.0.4103.104. #​24068
  • [a11y] fix incorrect position and size reported for grouped items in a listbox. #​24060
  • [a11y] fix incorrect selection item count for listbox with grouped items. #​24061

v9.0.3

Compare Source

Release Notes for v9.0.3

Features

  • V8CacheOptions is a new webpreference option to enforce code caching policy. #​23868

Fixes

  • Fixed disabling color correct rendering with --disable-color-correct-rendering. #​23900
  • Fixed the acceptLanguages argument being ignored in session.setUserAgent(). #​23962
  • Restored old implementation of Linux Tray icons to fix a collection of issues where the tray icon wouldn't appear, would be the wrong size or would randomly disappear. #​23926

Other Changes

  • Updated Chromium to 83.0.4103.99. #​23967

v9.0.2

Compare Source

Release Notes for v9.0.2

Fixes

  • Fixed crash when navigating between origins in a child window with nativeWindowOpen and contextIsolation enabled. #​23895
  • Fixed tray menu on Windows not keyboard navigable. #​23880

v9.0.1

Compare Source

Release Notes for v9.0.1

Features

  • EnableWebSQL is a new webpreference option to enable/disable websql api. #​23580

Fixes

  • Don't ignore the referrer header in net.request. #​23685
  • Fixed GTK dark theme setting not respected in Electron on Linux. #​23712
  • Fixed process.windowsStore returning undefined in AppX packages. #​23801
  • Fixed a bezeling issue on vibrant non-frameless BrowserWindows. #​23810
  • Fixed an issue where nativeImages might throw conversion errors in the renderer process. #​23796
  • Fixed an issue where window.location properties would throw an error for windows opened with window.open. #​23805
  • Fixed an issue where some logging would double-print. #​23689
  • Fixed an issue where the 'about' role had on effect on Windows menus. #​23715
  • Fixed an issue with volume-related globalShortcut registration. #​23824
  • Fixed an occasional menu crash on macOS Catalina when menu is closing. #​23808

Other Changes

  • Improved error logging on moveItemToTrash failures on macOS. #​23628
  • Updated Chromium to 83.0.4103.94. #​23875

v9.0.0

Compare Source

Release Notes for 9.0.0
Stack Upgrades
Breaking Changes
  • Changed the default value of app.allowRendererProcessReuse to true. This will prevent loading of non-context-aware native modules in renderer processes. (See #​18397 for more information on this change.) #​22401
  • Removed deprecated <webview>.getWebContents(). #​20986
  • Removed the deprecated 'setLayoutZoomLevelLimits' method. #​21383
  • IPC between main and renderer processes now uses the Structured Clone Algorithm. #​20214
  • Split shell.openItem(path) into synchronous and asynchronous methods. #​20682
Features
  • Added fullScreen property support for BrowserWindows. #​23330
  • Added session.listWordsInSpellCheckerDictionary API to list custom words in the dictionary. #​22128
  • Added session.removeWordFromSpellCheckerDictionary API to remove custom words in the dictionary. #​22368
  • Added session.serviceWorkerContext API to access basic service worker info and receive console logs from service workers. #​22313
  • Added a new force parameter to app.focus() on macOS to allow apps to forcefully take focus. #​23447
  • Added chrome.i18n extension API. #​22570
  • Added chrome.tabs.connect extension API for background pages. #​22549
  • Added support for property access to some getter/setter pairs on BrowserWindow. #​23208
  • Added support for the chrome.extension.getBackgroundPage API when building with enable_electron_extensions. #​22177
  • Allow an optional callback parameter for WebFrame.executeJavaScript* methods, which is called synchronously unless the target context is paused. #​22501
  • Restored support for pdfium-based PDF viewer. #​22131
Fixes
  • Don't allow window to go behind menu bar on mac. #​22828
  • Fixed webRequest module not working with file:// protocol. #​22919
  • Fixed webRequest not working for CORS requests. #​22468
  • Fixed win.setMenuBarVisibility(false) not hiding menu bar. #​23263
  • Fixed an issue where changing theme on macOS would break window maximizability state. #​22724
  • Fixed crash in network service process when using protocol.registerSchemeAsPrivileged api. #​22917
  • Fixed crash that could occur when calling session.fromPartition inside the ready event. #​23472
  • Fixed incorrect hit testing on top of ::after element with layoutNG. #​23190
  • Fixed missing debug symbols for crashpad handler on macOS. #​23573
  • Fixed possible freeze on window with disabled background throttling. #​22852
  • Fixed the print button functionality in the PDF viewer extension. #​23173
  • Limited manipulation of custom spellchecker dictionary words to persistent sessions. #​22683
  • Removed extraneous crashpad_handler binary from the Linux distribution files. #​23575
  • crashReporter is now explicitly initialized only in the main process, and implicitly initialized in other child processes. This fixes an issue preventing the crash reporter from functioning in sandboxed renderers on Linux. #​23461
  • Fixed broken Views API builds. #​22642
Performance
  • Improved window events handler efficiency on Linux. #​23260
  • Made setting window icons slightly faster on Linux. #​22736

v8.5.5

Compare Source

Release Notes for v8.5.5

Fixes

  • Fixed <webview> render-process-gone event dispatch. #​26575

Unknown

v8.5.4

Compare Source

Release Notes for v8.5.4
Other Changes

v8.5.3

Compare Source

Release Notes for v8.5.3

Fixes

  • Fixed ready-to-show event not emitted on some machines. #​26140 (Also in 8, 10, 11)
  • Fixed an issue that could cause a normally-exiting process to fail with an "illegal access" message and exit code 7. #​25501 (Also in 8, 9, 10, 11)
  • Fixed loading shared worker scripts over custom protocol
    • fix crash when loading worker scripts with nodeIntegration enabled. #​26142 (Also in 8, 9, 10)
  • Fixed maximized frameless window bleeding to other monitors. [#​25979

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 1decc15 to 4bedad0 Compare August 22, 2020 16:00
@renovate renovate bot changed the title Update dependency electron to v1.8.8 [SECURITY] Update dependency electron to v7 [SECURITY] Aug 22, 2020
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 4bedad0 to 0c1f188 Compare February 3, 2021 10:51
@renovate renovate bot changed the title Update dependency electron to v7 [SECURITY] Update dependency electron to v9 [SECURITY] Feb 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot