
Outdated/Vulnerable Electron

Open frankm773 opened this issue 3 years ago • 4 comments

Wire version: 3.26.2941
Wire for Web Version: 2022.02.22.08.56 (Any)
Operating system: Linux (Any)
Which antivirus software do you have installed: none

What steps will reproduce the problem?

The issue:

The current wire-desktop release is using a very old version of electron with a large number of CVEs. Even the current git version uses electron 13.6.7 (current version is 13.6.9), which includes several CVEs.

While not all CVEs may be exploitable in the case of wire-desktop, it would take significant research to confirm any single CVE is not exploitable and the recommended security practice is to keep all dependencies updated.

As it stands now, wire-desktop has several hundred unfixed vulnerabilities (with official CVE numbers) due to outdated electron and cannot be considered secure to operate.

What is the expected result?

The wire-desktop app should receive regular updates to keep up with the current release version of electron.

Alternatively, wire-desktop should be marked as unsupported due to lack of development/maintenance.

What is the actual result?

Wire-desktop includes a large number of vulnerabilities from outdated dependencies.

(There is not a single common security compliance framework that would allow an enterprise to use wire-desktop in production environments as a consequence)

frankm773 avatar Mar 09 '22 23:03 frankm773

@frankm773 the latest 3.27.2944 Linux release should come with Electron 13.6.9, which should be the latest v13.x release. Can you take a look?

flokli avatar Apr 14 '22 14:04 flokli

It comes with Electron 13 but [image]

benborges avatar Jul 02 '22 11:07 benborges

> @frankm773 the latest 3.27.2944 Linux release should come with Electron 13.6.9, which should be the latest v13.x release. Can you take a look?

It seems to be fixed for now, though it's still a very old version of electron instead of the current v19.

frankm773 avatar Jul 14 '22 18:07 frankm773

> It comes with Electron 13 but [image]

This looks like a problem with your distribution package, or however you got that binary. The shared library needs to be present on your system, so the shared library can be found.

However, that's unrelated to this issue.

flokli avatar Jul 22 '22 06:07 flokli

We are now updated to Electron 19 and have closed many open dependencies. Thanks!

tlebon avatar Oct 12 '22 17:10 tlebon