Update dependency electron-updater to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
electron-updater (source)	^5.0.1 → ^6.0.0

---

electron-updater Code Signing Bypass on Windows

CVE-2024-39698 / GHSA-9jxc-qjr9-vjxq

More information

Details

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #​8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq
• https://github.com/electron-userland/electron-builder/pull/8295
• https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f
• https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41
• https://nvd.nist.gov/vuln/detail/CVE-2024-39698
• https://github.com/advisories/GHSA-9jxc-qjr9-vjxq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

electron-userland/electron-builder (electron-updater)

v6.3.0

Compare Source

Minor Changes

• #​8095 53cec79b Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

Patch Changes

• #​8108 3d4cc7ae Thanks @​beyondkmp! - feat: add minimumSystemVersion in electron updater

• #​8304 1ac86c9e Thanks @​mmaietta! - chore: update pnpm to 9.4.0

• #​8323 fa3275c0 Thanks @​mmaietta! - chore(deps): update dependency typescript to v5.5.3

• #​8135 c2392de7 Thanks @​mmaietta! - fix: unstable hdiutil retry mechanism

• #​8295 ac2e6a25 Thanks @​mmaietta! - fix: verify LiteralPath of update file during windows signature verification

• #​8311 35a0784e Thanks @​rastiqdev! - fix(rpm-updater): stop uninstalling app before update

• #​8227 48c59535 Thanks @​rotu! - fix(docs): update autoupdate docs noting that channels work with Github

• #​8110 fa7982f1 Thanks @​mmaietta! - chore: entering alpha release stage

• Updated dependencies [3d4cc7ae, 1ac86c9e, ad668ae1, 445911a7, 140e2f0e, fa7982f1]:

  • builder-util-runtime@​9.2.5

v6.2.1

Compare Source

Patch Changes

• #​8091 e2a181d9 Thanks @​mmaietta! - fix(mac): revert autoupdate for mac differential

v6.2.0

Compare Source

Minor Changes

• #​7709 79df5423 Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

v6.1.9

Compare Source

Patch Changes

• #​8051 48603ba0 Thanks @​mmaietta! - fix: auto-update powershell script requires reset of PSModulePath

• #​8057 ccbb80de Thanks @​mmaietta! - chore: upgrading connected dependencies (typescript requires higher eslint version)

• Updated dependencies [ccbb80de]:

  • builder-util-runtime@​9.2.4

v6.1.8

Compare Source

Patch Changes

• #​7950 03c94516 Thanks @​bronsonmock! - feat(nsis): add option to disable differential download

v6.1.7

Compare Source

Patch Changes

• Updated dependencies [db424e8e, db424e8e]:
  • builder-util-runtime@​9.2.3

v6.1.6

Compare Source

Patch Changes

• Updated dependencies [549d07b0]:
  • builder-util-runtime@​9.2.2

v6.1.5

Compare Source

Patch Changes

• #​7767 21f3069c Thanks @​jackple! - fix: When error code is ENOENT, try to use electron.shell.openPath to run installer on Windows

v6.1.4

Compare Source

Patch Changes

• #​7666 441da40d Thanks @​sethjray! - fix: check null for isCustomChannel in GitHubProvider.ts

v6.1.3

Compare Source

Patch Changes

• #​7637 b3dfe64b Thanks @​mmaietta! - fix: trigger app.relaunch() if isForceRunAfter = true for (beta) deb and rpm updaters

• #​7633 531a6309 Thanks @​s00d! - fix: change typed-emitter to tiny-typed-emitter to remove rxjs dependency

v6.1.2

Compare Source

Patch Changes

• #​7628 98f535e1 Thanks @​mmaietta! - fix: removing stdio from spawnSync to fix crash on rpm/deb updaters

v6.1.1

Compare Source

Patch Changes

• #​7597 cd15e161 Thanks @​marcuskirsch! - fix: default file name of update.${fileExtension} for downloaded files in private repositories.

v6.1.0

Compare Source

Minor Changes

• #​7533 4786d415 Thanks @​vitto-moz! - feat: nsis install method - exposed as public to avoid quit the app for the install

Patch Changes

• #​7544 dab3aeba Thanks @​NoahAndrews! - Fix differential downloads when the server compresses the blockmap file HTTP response

• Updated dependencies [dab3aeba]:

  • builder-util-runtime@​9.2.1

v6.0.4

Compare Source

Patch Changes

• #​7542 9123e31e Thanks @​ganthern! - fix: handle errors on responses in differential download (#​2398)

v6.0.3

Compare Source

Patch Changes

• #​7524 1a134800 Thanks @​NoahAndrews! - Fixed error handling when launching updater (fixes NSIS updates when isAdminRightsRequired is incorrectly set to false)

v6.0.2

Compare Source

Patch Changes

• #​7508 d4c90b67 Thanks @​NoahAndrews! - Removed DefinitelyTyped dependencies from production dependencies list

v6.0.1

Compare Source

Patch Changes

• #​7503 a2ab1ff3 Thanks @​mmaietta! - fix: NsisUpdater - only resolving true if pid !== undefined

v6.0.0

Compare Source

Major Changes

• #​7032 caa32e07 Thanks @​kidonng! - fix: use appropriate electron-updater cache directory on macOS

Minor Changes

• #​7060 1d130012 Thanks @​mmaietta! - feat: Introducing deb and rpm auto-updates as beta feature

• #​7337 9c0c4228 Thanks @​beyondkmp! - feat: Provide a custom verify function interface to enable nsis signature verification alternatives instead of powershell

Patch Changes

• #​7380 7862e388 Thanks @​beyondkmp! - fix: add reject in handleError in Windows verifySignature function

• #​7230 346af1d4 Thanks @​jeremyspiegel! - fix: support powershell constrained language mode

• #​7394 1bbcfb3d Thanks @​ganthern! - fix: inherit stdio for updated processes (#​7393)

• #​7306 01c67910 Thanks @​mmaietta! - chore: Update dependencies per audit/outdated

• #​7213 17863671 Thanks @​mmaietta! - chore(deps): Updating dependencies and fixing pnpm audit with dependency overrides

• Updated dependencies [cc1ddabd, 93930cf0, 01c67910, 53327d51]:

  • builder-util-runtime@​9.2.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.