dead150 is only a partial fix for the signature verification bypass issue recently disclosed by Doyensec. While it is no longer possible to trigger the parse errors with single or double quotes as of dead150, there are other ways to cause them.
From the report:
we believe that other attack payloads for the same vulnerable code path still [exist] in Electron-Builder.
In my opinion, the root cause of the vulnerability lies in the fact that even though signature verification is failing, the update is still installed:
So, even though an error is encountered, null is resolved and the update is installed anyway. I opened this issue because I was hoping to start a discussion on the following:
Is there a reason why we would want the update to be installed despite the fact that signature verification failed (i.e. is there a valid use case for the current behavior)?
We would prefer that any errors in signature verification cause the update process to abort. Would a PR for the ability to opt-in to stricter signature verification (e.g. strictSignatureVerification: true in the electron-builder config) be accepted?
Versions:
electron-builder: 22.3.5
electron-updater: 4.2.4

Referenced code:
electron-builder/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts, lines 37 to 38 in caebf37
electron-builder/packages/electron-updater/src/NsisUpdater.ts, line 42 in caebf37