Description
Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles
Impact
The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.
Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed.
Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
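To make the scope behaviour concrete, here is an added example (not Tauri's own code) of a minimal glob-style scope check. It models the rule the advisory refers to as a single option, require_literal_leading_dot: when it is true, a path component that begins with "." can only be matched by a pattern component that literally begins with ".", so a wildcard scope such as $HOME/* stops short of $HOME/.ssh; when it is false, the wildcard silently covers dotfiles, which is the 1.4.0 behaviour. The matcher, the option name and the expansion of $HOME to a constructed /home/alice are illustrative assumptions, not Tauri's implementation.

```rust
/// Option modelling the dotfile rule described in the advisory (assumed name,
/// not Tauri's API).
#[derive(Clone, Copy, Debug)]
pub struct MatchOptions {
    /// true: a "." component needs a literal "." in the pattern (safe default).
    /// false: `*` and `**` also match hidden files (the 1.4.0 regression).
    pub require_literal_leading_dot: bool,
}

/// Match one path component against one pattern component.
/// `*` matches any run of characters within the component, `?` matches one.
fn component_matches(pat: &[char], name: &[char]) -> bool {
    match (pat.first(), name.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        (Some(&'*'), _) => {
            // `*` either matches nothing (drop it) or swallows one more char.
            component_matches(&pat[1..], name)
                || (!name.is_empty() && component_matches(pat, &name[1..]))
        }
        (Some(&'?'), Some(_)) => component_matches(&pat[1..], &name[1..]),
        (Some(p), Some(n)) => p == n && component_matches(&pat[1..], &name[1..]),
        (Some(_), None) => false,
    }
}

/// A hidden component may only be consumed by a pattern component that
/// spells out the leading dot, unless the option disables that rule.
fn leading_dot_ok(pat_component: &str, name: &str, opts: MatchOptions) -> bool {
    !opts.require_literal_leading_dot || !name.starts_with('.') || pat_component.starts_with('.')
}

/// Match path components against pattern components; `**` spans any number
/// of components.
fn components_match(pat: &[&str], path: &[&str], opts: MatchOptions) -> bool {
    match (pat.first(), path.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        (Some(&"**"), _) => {
            components_match(&pat[1..], path, opts)
                || (!path.is_empty()
                    && leading_dot_ok("**", path[0], opts)
                    && components_match(pat, &path[1..], opts))
        }
        (Some(p), Some(n)) => {
            if !leading_dot_ok(p, n, opts) {
                return false;
            }
            let pc: Vec<char> = p.chars().collect();
            let nc: Vec<char> = n.chars().collect();
            component_matches(&pc, &nc) && components_match(&pat[1..], &path[1..], opts)
        }
        (Some(_), None) => false,
    }
}

/// Does `scope` (a glob) allow access to `path`? `$HOME` is expanded to a
/// constructed home directory so the example runs offline.
pub fn scope_allows(scope: &str, path: &str, opts: MatchOptions) -> bool {
    let home = "/home/alice"; // constructed value for the example
    let scope = scope.replace("$HOME", home);
    let path = path.replace("$HOME", home);
    let pat: Vec<&str> = scope.split('/').filter(|s| !s.is_empty()).collect();
    let comps: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    components_match(&pat, &comps, opts)
}

fn main() {
    let regressed = MatchOptions { require_literal_leading_dot: false };
    let fixed = MatchOptions { require_literal_leading_dot: true };
    for (scope, path) in [("$HOME/*", "$HOME/.ssh"), ("$HOME/**", "$HOME/.ssh/id_ed25519")] {
        println!(
            "{scope} vs {path}: regressed={} fixed={}",
            scope_allows(scope, path, regressed),
            scope_allows(scope, path, fixed)
        );
    }
}
```

The two settings differ only for hidden components: a scope that names the dotfile directory explicitly, such as $HOME/.ssh/*, still grants access in both modes, which is the intended way for an application to opt in.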
Patches
The regression has been patched in v1.4.1.
Workarounds
There are no known workarounds at this time; users should update to v1.4.1 immediately.
References
See the original advisory for more information.
For more Information
If you have any questions or comments about this advisory:
- Open an issue in tauri
- Email us at security@tauri.app
Links
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm
- https://nvd.nist.gov/vuln/detail/CVE-2023-34460
- https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347
- https://github.com/tauri-apps/tauri/pull/7227
- https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
Packages
tauri: affected = 1.4.0, patched in 1.4.1
Related vulnerabilities
Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Unix. Previously, dotfiles were not implicitly allowed by glob wildcard scopes (e.g. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. The regression has been patched in version 1.4.1.
A vulnerability in Tauri, a framework for building cross-platform desktop applications, related to flaws in the authorization procedure, allowing an attacker to affect the confidentiality, integrity and availability of protected information.