wireapp / wire-desktop

:computer: Wire for desktop

Home Page:https://wire.com/download/


Outdated/Vulnerable Electron

frankm773 opened this issue · comments

Wire version: 3.26.2941
Wire for Web Version 2022.02.22.08.56 (Any)
Operating system: Linux (Any)
Which antivirus software do you have installed: none
What steps will reproduce the problem?

The issue:

The current wire-desktop release is using a very old version of Electron with a large number of CVEs.
Even the current git version uses Electron 13.6.7 (current version is 13.6.9), which includes several CVEs.

While not all CVEs may be exploitable in the case of wire-desktop, it would take significant research to confirm any single CVE is not exploitable and the recommended security practice is to keep all dependencies updated.

As it stands now wire-desktop has several hundred unfixed vulnerabilities (with official CVE numbers) due to outdated Electron and cannot be considered secure to operate.

What is the expected result?

The wire-desktop app should receive regular updates to keep up with the current release version of electron.

Alternatively wire-desktop should be marked as unsupported due to lack of development/maintenance

What is the actual result?

Wire-desktop includes a large number of vulnerabilities from outdated dependencies.

(There is not a single common security compliance framework that would allow an enterprise to use wire-desktop in production environments as a consequence)
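The report above compares the bundled Electron version with the current release by hand. As an added example (not code from the wire-desktop project or from anyone in this thread), the following Python check automates the two places a practitioner can read that version from: the Chromium user-agent string, which an Electron app reports at runtime as "Electron/<major>.<minor>.<patch>", and the "electron" pin in the project's package.json. Both sample inputs are constructed; only the version numbers 13.6.7 and 13.6.9 are taken from the thread. Comparing the runtime value against the pin also catches the case where a distribution package was rebuilt against a different Electron than the one upstream tested.

```python
"""Flag an Electron-based desktop app whose bundled Electron is behind a
required minimum. Added example, not wire-desktop code; sample inputs
below are constructed for illustration."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Electron appends "Electron/<version>" to the Chromium user agent, so the
# runtime version is visible in navigator.userAgent and in server access logs.
_UA_RE = re.compile(r"\bElectron/(\d+)\.(\d+)\.(\d+)\b")

# package.json pins may carry a range prefix (^, ~, =) or a leading "v";
# strip those and ignore any pre-release suffix.
_SEMVER_RE = re.compile(r"^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse '13.6.9', '^13.6.7', '~19.0.1' or 'v19.0.1' into an int tuple."""
    m = _SEMVER_RE.match(text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def electron_version_from_user_agent(ua: str) -> Optional[Version]:
    """Return the Electron version advertised in a user-agent string, if any."""
    m = _UA_RE.search(ua)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def electron_version_from_package_json(package_json: str) -> Optional[Version]:
    """Return the Electron version pinned in package.json (dev or runtime deps)."""
    pkg = json.loads(package_json)
    for section in ("devDependencies", "dependencies"):
        spec = pkg.get(section, {}).get("electron")
        if spec:
            return parse_version(spec)
    return None


def is_outdated(found: Version, minimum: Version) -> bool:
    """Tuple comparison gives correct ordering for major.minor.patch."""
    return found < minimum


def audit(ua: str, package_json: str, minimum: str) -> dict:
    """Compare the runtime-reported version (user agent) and the build-time
    pin (package.json) against `minimum`. A mismatch between runtime and pin
    is itself worth flagging: it means the shipped binary is not the one the
    project's package.json describes."""
    min_v = parse_version(minimum)
    runtime = electron_version_from_user_agent(ua)
    pinned = electron_version_from_package_json(package_json)
    return {
        "runtime": runtime,
        "pinned": pinned,
        "runtime_outdated": runtime is not None and is_outdated(runtime, min_v),
        "pinned_outdated": pinned is not None and is_outdated(pinned, min_v),
        "runtime_matches_pin": runtime == pinned,
    }


# Constructed sample inputs (not captured from a real Wire install).
SAMPLE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "app/1.0.0 Chrome/91.0.4472.164 Electron/13.6.7 Safari/537.36")
SAMPLE_PACKAGE_JSON = '{"name": "app", "devDependencies": {"electron": "^13.6.7"}}'

if __name__ == "__main__":
    print(audit(SAMPLE_UA, SAMPLE_PACKAGE_JSON, minimum="13.6.9"))
```

The minimum passed to audit() is a policy input, not something the script derives: a practitioner would set it to the latest release of the Electron line they have accepted, and treat a "pinned_outdated" result as a supply-chain finding against the source tree and a "runtime_outdated" result as a finding against the binary actually deployed.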

@frankm773 the latest 3.27.2944 Linux release should come with Electron 13.6.9, which should be the latest v13.x release. Can you take a look?

It comes with Electron 13 but: [screenshot not reproduced]

It seems to be fixed for now, though it's still a very old version of Electron instead of the current v19.

This looks like a problem with your distribution package, or however you got that binary. The shared library needs to be present on your system so that it can be found.

However, that's unrelated to this issue.

We are now updated to Electron 19 and have closed many open dependencies. Thanks!