Replies: 4 comments
-
Thanks for sharing this security vulnerability! Unfortunately we've to upgrade Electron manually and release a new version. In the past I've already tried upgrading Electron, but there are quite a few breaking changes I've to work through, which I didn't have the time to go through. Eventually I'll pick this up soon, but I can't make any promises, unless someone from the community is willing to help out on this. I'll keep you posted if anything changes.
-
I had a feeling this was the case lol. Are the changes required by new(er) versions of Electron simple configuration changes, or are you talking heavy coding / re-coding of the GMail Desktop app itself in order to make it compatible? I can probably help a bit with the former, but doubt I could be of much help with the latter (other than testing compiled versions after the fact).
-
I'm talking about heavy coding, because the Electron upgrade is major versions ahead with breaking changes unfortunately. I'll find some time to work on this ASAP.
-
I had a suspicion this was the case as well. No worries, Google and Apple (and most browser developers) have patched libwebp already, so the chance that someone is going to target people using a malformed webp image via email is rather small. So, while an important bug to fix, I don't see it being critical, as there is no way to target folks using this Electron-based email app.
-
Hi!
Been loving this app for a long time, but I had a question.
In light of the recent 0-days that Apple and Google made separate CVEs for, but which all seem to boil down to libwebp, as seen in this Ars Technica article: https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/
Does this app automatically update the electron packages in any way? And if not, is there an easy way to enable that, for future situations like this?
Just curious - if it is possible, I can make this a RFF, but I suspect it is not....