armcord,mailspring: mark as insecure (CVE-2023-4863) #258217

Merged (1 commit), Oct 1, 2023

Conversation

delroth
Contributor

@delroth delroth commented Sep 30, 2023

Description of changes

See #254798. Upstream has not provided any update for this critical vulnerability in > 2 weeks. These programs are also likely vulnerable to many more old vulnerabilities due to using EOL versions of Electron.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

See NixOS#254798. Upstream has not provided any update for this critical
vulnerability in > 2 weeks. These programs are also likely vulnerable to
many more old vulnerabilities due to using EOL versions of Electron.
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Sep 30, 2023
@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Oct 1, 2023
@MikaelFangel
Contributor

MikaelFangel commented Oct 1, 2023

To provide a little more context on mailspring I looked at their current version of Electron, and it runs 17.4.0 with an 8-month-old open PR with an attempt to upgrade to 22.x. Foundry376/Mailspring#2449

When googling the Electron version 17.x it becomes apparent that it has numerous vulnerabilities.

@github-actions
Contributor

github-actions bot commented Oct 1, 2023

Backport failed for release-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-23.05
git worktree add -d .worktree/backport-258217-to-release-23.05 origin/release-23.05
cd .worktree/backport-258217-to-release-23.05
git checkout -b backport-258217-to-release-23.05
ancref=$(git merge-base efb9f8b2dc98338f1c6827487ad7fc8bbeb4f9f0 dddf103e809579a24346098f49fc9530454a492d)
git cherry-pick -x $ancref..dddf103e809579a24346098f49fc9530454a492d

@tshipenchko

Hello @delroth, thanks for your hard work!
Looks like they bumped electron version: "electron": "22.3.26", by Foundry376/Mailspring#2444
As I see in CVE-2023-4863, only >= 22.0.0, < 22.3.24 are insecure

@delroth
Contributor Author

delroth commented Nov 24, 2023

You're correct, though it's only a matter of time until this comes back to being insecure: Electron 22.x is EOL since October 10th and is not receiving any more security updates. See https://www.electronjs.org/docs/latest/tutorial/electron-timelines

Actually, it might already be insecure - since the Electron devs aren't tracking CVEs anymore for it, it's anyone's guess.
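The mechanism this PR relies on ("mark as insecure") and the version-range discussion in the last two comments can be illustrated together. The following Nix expression is an added example written for this page; it is not the PR's actual diff and not code from nixpkgs, mailspring or armcord. The package name, version, source URL and the bundled Electron version are placeholders; the affected range (>= 22.0.0, < 22.3.24) and the Electron 22.x end-of-life date are taken from the thread above.

```nix
# Added illustration (not the PR's diff): how a nixpkgs package expression marks
# itself insecure via meta.knownVulnerabilities, with the decision driven by the
# Electron version it bundles. All package-specific values are placeholders.
{ lib, stdenv, fetchurl }:

let
  # Electron version the upstream build bundles (placeholder value, chosen to
  # match the "22.3.26" mentioned in the thread).
  electronVersion = "22.3.26";

  # Affected range for CVE-2023-4863 as quoted in the thread: >= 22.0.0, < 22.3.24.
  affectedByWebp =
    lib.versionAtLeast electronVersion "22.0.0"
    && lib.versionOlder electronVersion "22.3.24";

  # Electron 22.x reached end-of-life on 2023-10-10 (per the thread). An EOL
  # major receives no further security fixes, so treat it as insecure as well,
  # independent of any single CVE.
  electronEol = lib.versionOlder electronVersion "23.0.0";
in
stdenv.mkDerivation {
  pname = "example-electron-app";   # placeholder
  version = "1.0.0";                # placeholder

  src = fetchurl {
    url = "https://example.invalid/example-electron-app-1.0.0.tar.gz";  # placeholder
    hash = lib.fakeHash;  # placeholder; Nix reports the real hash on first fetch
  };

  # Placeholder build so the expression is complete; a real package would
  # unpack and install the upstream release here.
  dontUnpack = true;
  installPhase = "mkdir -p $out";

  meta = with lib; {
    description = "Placeholder Electron application";
    # A non-empty knownVulnerabilities list makes evaluation fail with an
    # "is marked as insecure" error unless the user explicitly opts in.
    # Entries are free-form strings, so both a CVE id and an EOL notice work.
    knownVulnerabilities =
      optional affectedByWebp "CVE-2023-4863"
      ++ optional electronEol
        "Bundles Electron ${electronVersion}, a release series that is end-of-life and no longer receives security updates";
  };
}
```

With the placeholder value 22.3.26 the CVE entry is omitted but the EOL entry remains, which is exactly the situation the last comment describes. A user who has assessed the risk can still evaluate the package by adding `"example-electron-app-1.0.0"` to `nixpkgs.config.permittedInsecurePackages` (or by setting `NIXPKGS_ALLOW_INSECURE=1` for an ad-hoc `nix-env`/`nix-shell` invocation); everyone else gets a hard evaluation error naming the reason, which is the point of marking rather than silently shipping the package.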
