[electron-updater] Update is installed even though signature verification fails #4701
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This is still relevant

🛠️ A fix has been provided for this issue. Please reference: 418sec#1 🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.
`electron-builder`: 22.3.5
`electron-updater`: 4.2.4

dead150 is only a partial fix for the signature verification bypass issue recently disclosed by Doyensec. While it is no longer possible to trigger the parse errors with single or double quotes as of dead150, there are other ways to cause them.

From the report:

In my opinion, the root cause of the vulnerability lies in the fact that even though signature verification is failing, the update is still installed:

electron-builder/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts, lines 37 to 38 in caebf37

electron-builder/packages/electron-updater/src/NsisUpdater.ts, line 42 in caebf37

So, even though an error is encountered, `null` is resolved and the update is installed anyway. I opened this issue because I was hoping to start a discussion on the following:

`strictSignatureVerification: true` in the `electron-builder` config) be accepted?
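The fail-open pattern the issue describes, as an added example that is not electron-updater's own code: a verifier that resolves `null` (the updater's "signature OK" value) whenever parsing the signing tool's output throws, beside a variant that fails closed, and the installer decision that consumes the result. The tool outputs are constructed strings standing in for `Get-AuthenticodeSignature` output (nothing is executed), the publisher name is made up, and the `Status: 0` = Valid encoding is an assumption made for this example.

```typescript
// Added example, not code from electron-updater. Models the failure mode described in
// the issue: a parse error in the verifier resolves null, which the installer reads
// as "verified", so an unverifiable update is installed anyway.

// Convention taken from the issue: null means "verified", a string is the error the
// updater should abort with.
type SignatureStatus = string | null;

// Minimal shape of the JSON carried by the constructed outputs below. Treating
// Status 0 as Valid is an assumption for this example, not a claim about the tool.
interface AuthenticodeResult {
  Status: number;
  StatusMessage: string;
  SignerCertificate?: { Subject: string };
}

const EXPECTED_PUBLISHER = "CN=Example Publisher, O=Example Corp"; // constructed

// Constructed tool outputs.
const VALID_OUTPUT = JSON.stringify({
  Status: 0,
  StatusMessage: "Signature verified.",
  SignerCertificate: { Subject: EXPECTED_PUBLISHER },
});
const NOT_SIGNED_OUTPUT = JSON.stringify({
  Status: 2,
  StatusMessage: "The file is not digitally signed.",
});
// Non-JSON text standing in for anything that makes the parser throw (the issue notes
// that quotes are no longer the only way to cause this).
const GARBLED_OUTPUT = 'Get-AuthenticodeSignature : unexpected argument\n{"Status":';

// Checks shared by both verifiers once the output has been parsed.
function checkResult(data: AuthenticodeResult, expectedPublisher: string): SignatureStatus {
  if (data.Status !== 0) {
    return `Signature status ${data.Status}: ${data.StatusMessage}`;
  }
  if (!data.SignerCertificate || data.SignerCertificate.Subject !== expectedPublisher) {
    return `Publisher mismatch: expected ${expectedPublisher}`;
  }
  return null;
}

// Fail-open pattern: the parse error is swallowed and null is returned, which the
// installer interprets as a successful verification.
function verifySignatureFailOpen(rawOutput: string, expectedPublisher: string): SignatureStatus {
  let data: AuthenticodeResult;
  try {
    data = JSON.parse(rawOutput) as AuthenticodeResult;
  } catch {
    return null; // BUG: unverifiable output is treated as a pass
  }
  return checkResult(data, expectedPublisher);
}

// Fail-closed variant: anything that prevents a positive verdict is reported as an
// error, so the installer aborts instead of proceeding.
function verifySignatureFailClosed(rawOutput: string, expectedPublisher: string): SignatureStatus {
  let data: AuthenticodeResult;
  try {
    data = JSON.parse(rawOutput) as AuthenticodeResult;
  } catch (e: unknown) {
    const msg = e instanceof Error ? e.message : String(e);
    return `Cannot parse signature verification output: ${msg}`;
  }
  return checkResult(data, expectedPublisher);
}

// Mirrors the installer decision: proceed only when the verifier returned null.
function shouldInstall(status: SignatureStatus): boolean {
  return status === null;
}
```

With the garbled output, `shouldInstall(verifySignatureFailOpen(...))` is `true` and the update would be installed; the fail-closed variant returns an error string for the same input and the install is refused, while a validly signed output from the expected publisher still passes.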