Update dependency electron-updater to v6.3.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
electron-updater (source)	6.1.8 → 6.3.0

GitHub Vulnerability Alerts

CVE-2024-39698

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #​8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.

---

Release Notes

electron-userland/electron-builder (electron-updater)

v6.3.0

Compare Source

Minor Changes

• #​8095 53cec79b Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

Patch Changes

• #​8108 3d4cc7ae Thanks @​beyondkmp! - feat: add minimumSystemVersion in electron updater

• #​8304 1ac86c9e Thanks @​mmaietta! - chore: update pnpm to 9.4.0

• #​8323 fa3275c0 Thanks @​mmaietta! - chore(deps): update dependency typescript to v5.5.3

• #​8135 c2392de7 Thanks @​mmaietta! - fix: unstable hdiutil retry mechanism

• #​8295 ac2e6a25 Thanks @​mmaietta! - fix: verify LiteralPath of update file during windows signature verification

• #​8311 35a0784e Thanks @​rastiqdev! - fix(rpm-updater): stop uninstalling app before update

• #​8227 48c59535 Thanks @​rotu! - fix(docs): update autoupdate docs noting that channels work with Github

• #​8110 fa7982f1 Thanks @​mmaietta! - chore: entering alpha release stage

• Updated dependencies [3d4cc7ae, 1ac86c9e, ad668ae1, 445911a7, 140e2f0e, fa7982f1]:

  • builder-util-runtime@​9.2.5

v6.2.1

Compare Source

Patch Changes

• #​8091 e2a181d9 Thanks @​mmaietta! - fix(mac): revert autoupdate for mac differential

v6.2.0

Compare Source

Minor Changes

• #​7709 79df5423 Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

v6.1.9

Compare Source

Patch Changes

• #​8051 48603ba0 Thanks @​mmaietta! - fix: auto-update powershell script requires reset of PSModulePath

• #​8057 ccbb80de Thanks @​mmaietta! - chore: upgrading connected dependencies (typescript requires higher eslint version)

• Updated dependencies [ccbb80de]:

  • builder-util-runtime@​9.2.4

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.