From f1a300715e460c6dbcd52735652877d447b88b63 Mon Sep 17 00:00:00 2001
From: Sri Aakash Mandavilli
Date: Tue, 24 Feb 2026 22:43:18 +0000
Subject: [PATCH] Update the Electron version to 40.6.0 to resolve the CVE-2026-2441
**Description** -Update the Electron version to 40.6.0 to resolve the CVE-2026-2441 **Motivation** - Security Fix **Testing Done** - BYOI using the current image **Backwards Compatibility Criteria (if any)** - NA
---
 patched-vscode/package.json | 2 +-
 .../electron-main/utilityProcess.ts | 2 +-
 patched-vscode/yarn.lock | 18 +-
 patches/electron-update.patch | 201 +++++++++---------
 patches/tar-fs-upgrade.patch | 2 +-
 5 files changed, 117 insertions(+), 108 deletions(-)
diff --git a/patched-vscode/package.json b/patched-vscode/package.json
index b7d6b2854..fd855d510 100644
--- a/patched-vscode/package.json
+++ b/patched-vscode/package.json
@@ -149,7 +149,7 @@
 "cssnano": "^6.0.3",
 "debounce": "^1.0.0",
 "deemon": "^1.8.0",
- "electron": "38.7.1",
+ "electron": "40.6.0",
 "eslint": "8.36.0",
 "eslint-plugin-header": "3.1.1",
 "eslint-plugin-jsdoc": "^46.5.0",
diff --git a/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts b/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts
index bfa2c0cb4..9e65cff8c 100644
--- a/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts
+++ b/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts
@@ -128,7 +128,7 @@ export interface IUtilityProcessCrashEvent extends IUtilityProcessExitBaseEvent
 /**
 * The reason of the utility process crash.
 */
- readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure';
+ readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure' | 'memory-eviction';
 }

 export interface IUtilityProcessInfo {
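Review bot: The `reason` union in `IUtilityProcessCrashEvent` is a hand-maintained list, and the doc comment above it does not say which upstream type it has to follow; adding `'memory-eviction'` reads like a compile fix for the newer Electron typings (inferred, the typings are not shown). I would extend the comment to something like `The reason of the utility process crash as reported by Electron; keep this list in sync with the Electron typings when bumping the version.` Any code that branches on `reason` sits outside this hunk and is worth checking, so that an evicted process is logged and handled like the other abnormal exits instead of falling through. The interface body starts before the hunk.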
diff --git a/patched-vscode/yarn.lock b/patched-vscode/yarn.lock index 8c7669c8f..04ea9592e 100644 --- a/patched-vscode/yarn.lock +++ b/patched-vscode/yarn.lock @@ -4732,9 +4732,9 @@ form-data@^3.0.0: mime-types "^2.1.12" form-data@^4.0.0: - version "4.0.4" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4" - integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow== + version "4.0.0" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452" + integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww== dependencies: asynckit "^0.4.0" combined-stream "^1.0.8" @@ -9605,9 +9605,9 @@ tapable@^2.1.1, tapable@^2.2.0: integrity sha512-FBk4IesMV1rBxX2tfiK8RAmogtWn53puLOQlvO8XuwlgxcYbP4mVPS9Ph4aeamSyyVjOl24aYWAuc8U5kCVwMw== tar-fs@^2.0.0: - version "2.1.4" - resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.4.tgz#800824dbf4ef06ded9afea4acafe71c67c76b930" - integrity sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ== + version "2.1.1" + resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.1.tgz#489a15ab85f1f0befabb370b7de4f9eb5cbe8784" + integrity sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng== dependencies: chownr "^1.1.1" mkdirp-classic "^0.5.2" 
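Review bot: These lockfile hunks move three transitive dependencies backwards instead of forwards: `form-data@^4.0.0` goes from 4.0.4 to 4.0.0 here, `tar-fs@^2.0.0` from 2.1.4 to 2.1.1 in the second hunk, and `ws@^7.2.0` from 8.17.1 to 7.4.6 in the third. The old `ws` resolution sat outside its own semver range, which suggests the earlier pins were forced on purpose, and the repository also carries a `patches/tar-fs-upgrade.patch`; a commit whose stated motivation is a security fix should not drop those upgrades as a side effect. The 18 changed lines the diffstat reports for this file are fully accounted for by these three entries, so no `electron` entry in the lockfile changes alongside the `package.json` bump. Please confirm the lockfile was regenerated from the intended base, restore the newer `form-data`, `tar-fs` and `ws` resolutions, and check that the resolved Electron version and integrity hash actually match 40.6.0.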
@@ -10665,9 +10665,9 @@ write@1.0.3: mkdirp "^0.5.1" ws@^7.2.0: - version "8.17.1" - resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b" - integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ== + version "7.4.6" + resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c" + integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A== xml2js@^0.4.19: version "0.4.23" diff --git a/patches/electron-update.patch b/patches/electron-update.patch index 72c655925..f94dd1216 100644 --- a/patches/electron-update.patch +++ b/patches/electron-update.patch @@ -2,12 +2,12 @@ Index: sagemaker-code-editor/vscode/package.json =================================================================== --- sagemaker-code-editor.orig/vscode/package.json +++ sagemaker-code-editor/vscode/package.json -@@ -149,7 +149,7 @@ "devDependencies": { +@@ -149,7 +149,7 @@ "cssnano": "^6.0.3", "debounce": "^1.0.0", "deemon": "^1.8.0", - "electron": "29.4.0", -+ "electron": "38.7.1", ++ "electron": "40.6.0", "eslint": "8.36.0", "eslint-plugin-header": "3.1.1", "eslint-plugin-jsdoc": "^46.5.0", @@ -15,7 +15,7 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/platform/dnd/browser/dnd.ts +++ sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts -@@ -12,7 +12,7 @@ +@@ -12,7 +12,7 @@ import { VSBuffer } from 'vs/base/common import { ResourceMap } from 'vs/base/common/map'; import { parse } from 'vs/base/common/marshalling'; import { Schemas } from 'vs/base/common/network'; 
@@ -24,11 +24,10 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts import { URI } from 'vs/base/common/uri'; import { localize } from 'vs/nls'; import { IDialogService } from 'vs/platform/dialogs/common/dialogs'; -@@ -406,6 +406,18 @@ - } - } +@@ -407,4 +407,16 @@ export class LocalSelectionTransfer { + } } -+ + +/** + * A helper to get access to Electrons `webUtils.getPathForFile` function + * in a safe way without crashing the application when running in the web. @@ -40,14 +39,13 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts + + return undefined; +} - ++ //#endregion - Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts -@@ -38,7 +38,7 @@ +@@ -38,7 +38,7 @@ import { InputBox, MessageType } from 'v import { createSingleCallFunction } from 'vs/base/common/functional'; import { IKeyboardEvent } from 'vs/base/browser/keyboardEvent'; import { KeyCode } from 'vs/base/common/keyCodes'; 
@@ -56,24 +54,23 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/te import { terminalStrings } from 'vs/workbench/contrib/terminal/common/terminalStrings'; import { ILifecycleService } from 'vs/workbench/services/lifecycle/common/lifecycle'; import { IProcessDetails } from 'vs/platform/terminal/common/terminalProcess'; -@@ -733,9 +733,9 @@ class TerminalTabsDragAndDrop extends Disposable - resource = URI.file(JSON.parse(rawCodeFiles)[0]); - } - +@@ -733,9 +733,9 @@ class TerminalTabsDragAndDrop extends Di + resource = URI.file(JSON.parse(rawCodeFiles)[0]); + } + - if (!resource && e.dataTransfer.files.length > 0 && e.dataTransfer.files[0].path /* Electron only */) { -- // Check if the file was dragged from the filesystem -- resource = URI.file(e.dataTransfer.files[0].path); + if (!resource && e.dataTransfer.files.length > 0 && getPathForFile(e.dataTransfer.files[0])) { -+ // Check if the file was dragged from the filesystem + // Check if the file was dragged from the filesystem +- resource = URI.file(e.dataTransfer.files[0].path); + resource = URI.file(getPathForFile(e.dataTransfer.files[0])!); - } - - if (!resource) { + } + + if (!resource) { Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts -@@ -31,7 +31,7 @@ +@@ -31,7 +31,7 @@ import { IClipboardService } from 'vs/pl import { ICommandService } from 'vs/platform/commands/common/commands'; import { IConfigurationService } from 'vs/platform/configuration/common/configuration'; import { IContextKey, IContextKeyService } from 'vs/platform/contextkey/common/contextkey'; 
@@ -82,35 +79,34 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/te import { FileSystemProviderCapabilities, IFileService } from 'vs/platform/files/common/files'; import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation'; import { ServiceCollection } from 'vs/platform/instantiation/common/serviceCollection'; -@@ -2372,9 +2372,9 @@ class TerminalInstanceDragAndDropController extends Disposable - path = URI.file(JSON.parse(rawCodeFiles)[0]); - } - +@@ -2372,9 +2372,9 @@ class TerminalInstanceDragAndDropControl + path = URI.file(JSON.parse(rawCodeFiles)[0]); + } + - if (!path && e.dataTransfer.files.length > 0 && e.dataTransfer.files[0].path /* Electron only */) { -- // Check if the file was dragged from the filesystem -- path = URI.file(e.dataTransfer.files[0].path); + if (!path && e.dataTransfer.files.length > 0 && getPathForFile(e.dataTransfer.files[0])) { -+ // Check if the file was dragged from the filesystem + // Check if the file was dragged from the filesystem +- path = URI.file(e.dataTransfer.files[0].path); + path = URI.file(getPathForFile(e.dataTransfer.files[0])!); - } - - if (!path) { + } + + if (!path) { Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts -@@ -60,6 +60,7 @@ +@@ -60,6 +60,7 @@ import { KeyChord, KeyCode, KeyMod } fro import { Categories } from 'vs/platform/action/common/actionCommonCategories'; import { ILocalizedString } from 'vs/platform/action/common/action'; import { VSBuffer } from 'vs/base/common/buffer'; +import { getPathForFile } from '../../../../platform/dnd/browser/dnd'; - + export const NEW_FILE_COMMAND_ID = 'explorer.newFile'; export const NEW_FILE_LABEL = nls.localize2('newFile', "New 
File..."); -@@ -1121,7 +1122,20 @@ export const pasteFileHandler = async ( - const message = toPaste.files.length > 1 ? - nls.localize('confirmMultiPasteNative', "Are you sure you want to paste the following {0} items?", toPaste.files.length) : - nls.localize('confirmPasteNative', "Are you sure you want to paste '{0}'?", basename(toPaste.type === 'paths' ? toPaste.files[0].fsPath : toPaste.files[0].name)); +@@ -1121,7 +1122,20 @@ export const pasteFileHandler = async (a + const message = toPaste.files.length > 1 ? + nls.localize('confirmMultiPasteNative', "Are you sure you want to paste the following {0} items?", toPaste.files.length) : + nls.localize('confirmPasteNative', "Are you sure you want to paste '{0}'?", basename(toPaste.type === 'paths' ? toPaste.files[0].fsPath : toPaste.files[0].name)); - const detail = toPaste.files.length > 1 ? getFileNamesMessage(toPaste.files.map(item => toPaste.type === 'paths' ? item.path : (item as File).name)) : undefined; + const detail = toPaste.files.length > 1 ? getFileNamesMessage(toPaste.files.map(item => { + if (URI.isUri(item)) { 
@@ -126,99 +122,112 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileA + + return item.name; + })) : undefined; - const confirmation = await dialogService.confirm({ - message, - detail, -@@ -1273,13 +1287,13 @@ + const confirmation = await dialogService.confirm({ + message, + detail, +@@ -1273,13 +1287,13 @@ type FilesToPaste = async function getFilesToPaste(fileList: FileList | undefined, clipboardService: IClipboardService): Promise { - if (fileList && fileList.length > 0) { - // with a `fileList` we support natively pasting file from disk from clipboard + if (fileList && fileList.length > 0) { + // with a `fileList` we support natively pasting file from disk from clipboard - const resources = [...fileList].filter(file => !!file.path && isAbsolute(file.path)).map(file => URI.file(file.path)); + const resources = [...fileList].map(file => getPathForFile(file)).filter(filePath => !!filePath && isAbsolute(filePath)).map((filePath) => URI.file(filePath!)); - if (resources.length) { - return { type: 'paths', files: resources, }; - } - - // Support pasting files that we can't read from disk + if (resources.length) { + return { type: 'paths', files: resources, }; + } + + // Support pasting files that we can't read from disk - return { type: 'data', files: [...fileList].filter(file => !file.path) }; + return { type: 'data', files: [...fileList].filter(file => !getPathForFile(file)) }; - } else { - // otherwise we fallback to reading resources from our clipboard service - return { type: 'paths', files: resources.distinctParents(await clipboardService.readResources(), resource => resource) }; + } else { + // otherwise we fallback to reading resources from our clipboard service + return { type: 'paths', files: resources.distinctParents(await clipboardService.readResources(), resource => resource) }; Index: sagemaker-code-editor/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts 
=================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts +++ sagemaker-code-editor/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts -@@ -111,7 +111,7 @@ - - const sender = event.senderFrame; - +@@ -111,7 +111,7 @@ class ValidatedIpcMain implements Event. + + const sender = event.senderFrame; + - const url = sender.url; + const url = sender?.url; - // `url` can be `undefined` when running tests from playwright https://github.com/microsoft/vscode/issues/147301 - // and `url` can be `about:blank` when reloading the window - // from performance tab of devtools https://github.com/electron/electron/issues/39427. -@@ -133,7 +133,7 @@ - return false; // unexpected sender - } - + // `url` can be `undefined` when running tests from playwright https://github.com/microsoft/vscode/issues/147301 + // and `url` can be `about:blank` when reloading the window + // from performance tab of devtools https://github.com/electron/electron/issues/39427. +@@ -133,7 +133,7 @@ class ValidatedIpcMain implements Event. + return false; // unexpected sender + } + - if (sender.parent !== null) { + if (sender?.parent !== null) { - onUnexpectedError(`Refused to handle ipcMain event for channel '${channel}' because sender of origin '${host}' is not a main frame.`); - return false; // unexpected frame - } + onUnexpectedError(`Refused to handle ipcMain event for channel '${channel}' because sender of origin '${host}' is not a main frame.`); + return false; // unexpected frame + } Index: sagemaker-code-editor/vscode/src/vs/platform/menubar/electron-main/menubar.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/platform/menubar/electron-main/menubar.ts +++ sagemaker-code-editor/vscode/src/vs/platform/menubar/electron-main/menubar.ts 
@@ -3,7 +3,7 @@ - * Licensed under the MIT License. See License.txt in the project root for license information. - *--------------------------------------------------------------------------------------------*/ - + * Licensed under the MIT License. See License.txt in the project root for license information. + *--------------------------------------------------------------------------------------------*/ + -import { app, BrowserWindow, KeyboardEvent, Menu, MenuItem, MenuItemConstructorOptions, WebContents } from 'electron'; +import { app, BrowserWindow, BaseWindow, KeyboardEvent, Menu, MenuItem, MenuItemConstructorOptions, WebContents } from 'electron'; import { WorkbenchActionExecutedClassification, WorkbenchActionExecutedEvent } from 'vs/base/common/actions'; import { RunOnceScheduler } from 'vs/base/common/async'; import { CancellationToken } from 'vs/base/common/cancellation'; -@@ -62,7 +62,7 @@ - - private keybindings: { [commandId: string]: IMenubarKeybinding }; - +@@ -62,7 +62,7 @@ export class Menubar { + + private keybindings: { [commandId: string]: IMenubarKeybinding }; + - private readonly fallbackMenuHandlers: { [id: string]: (menuItem: MenuItem, browserWindow: BrowserWindow | undefined, event: KeyboardEvent) => void } = Object.create(null); + private readonly fallbackMenuHandlers: { [id: string]: (menuItem: MenuItem, browserWindow: BaseWindow | undefined, event: KeyboardEvent) => void } = Object.create(null); - - constructor( - @IUpdateService private readonly updateService: IUpdateService, -@@ -285,7 +285,7 @@ - const dockMenu = new Menu(); - dockMenu.append(new MenuItem({ label: this.mnemonicLabel(nls.localize({ key: 'miNewWindow', comment: ['&& denotes a mnemonic'] }, "New &&Window")), click: () => this.windowsMainService.openEmptyWindow({ context: OpenContext.DOCK }) })); - + + constructor( + @IUpdateService private readonly updateService: IUpdateService, +@@ -285,7 +285,7 @@ export class Menubar { + const dockMenu = new Menu(); + 
dockMenu.append(new MenuItem({ label: this.mnemonicLabel(nls.localize({ key: 'miNewWindow', comment: ['&& denotes a mnemonic'] }, "New &&Window")), click: () => this.windowsMainService.openEmptyWindow({ context: OpenContext.DOCK }) })); + - app.dock.setMenu(dockMenu); + app.dock!.setMenu(dockMenu); - } - - // File -@@ -741,8 +741,8 @@ - return new MenuItem(this.withKeybinding(commandId, options)); - } - + } + + // File +@@ -741,8 +741,8 @@ export class Menubar { + return new MenuItem(this.withKeybinding(commandId, options)); + } + - private makeContextAwareClickHandler(click: (menuItem: MenuItem, win: BrowserWindow, event: KeyboardEvent) => void, contextSpecificHandlers: IMenuItemClickHandler): (menuItem: MenuItem, win: BrowserWindow | undefined, event: KeyboardEvent) => void { - return (menuItem: MenuItem, win: BrowserWindow | undefined, event: KeyboardEvent) => { + private makeContextAwareClickHandler(click: (menuItem: MenuItem, win: BaseWindow, event: KeyboardEvent) => void, contextSpecificHandlers: IMenuItemClickHandler): (menuItem: MenuItem, win: BaseWindow | undefined, event: KeyboardEvent) => void { + return (menuItem: MenuItem, win: BaseWindow | undefined, event: KeyboardEvent) => { - - // No Active Window - const activeWindow = BrowserWindow.getFocusedWindow(); + + // No Active Window + const activeWindow = BrowserWindow.getFocusedWindow(); +Index: sagemaker-code-editor/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts +=================================================================== +--- sagemaker-code-editor.orig/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts ++++ sagemaker-code-editor/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts +@@ -128,7 +128,7 @@ export interface IUtilityProcessCrashEve + /** + * The reason of the utility process crash. 
+ */ +- readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure'; ++ readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure' | 'memory-eviction'; + } + + export interface IUtilityProcessInfo { Index: sagemaker-code-editor/vscode/src/vs/code/electron-main/app.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/code/electron-main/app.ts +++ sagemaker-code-editor/vscode/src/vs/code/electron-main/app.ts -@@ -195,7 +195,7 @@ - const supportedSvgSchemes = new Set([Schemas.file, Schemas.vscodeFileResource, Schemas.vscodeRemoteResource, Schemas.vscodeManagedRemoteResource, 'devtools']); - - // But allow them if they are made from inside an webview +@@ -195,7 +195,7 @@ export class CodeApplication extends Dis + const supportedSvgSchemes = new Set([Schemas.file, Schemas.vscodeFileResource, Schemas.vscodeRemoteResource, Schemas.vscodeManagedRemoteResource, 'devtools']); + + // But allow them if they are made from inside an webview - const isSafeFrame = (requestFrame: WebFrameMain | undefined): boolean => { + const isSafeFrame = (requestFrame: WebFrameMain | null | undefined): boolean => { - for (let frame: WebFrameMain | null | undefined = requestFrame; frame; frame = frame.parent) { - if (frame.url.startsWith(`${Schemas.vscodeWebview}://`)) { - return true; \ No newline at end of file + for (let frame: WebFrameMain | null | undefined = requestFrame; frame; frame = frame.parent) { + if (frame.url.startsWith(`${Schemas.vscodeWebview}://`)) { + return true; diff --git a/patches/tar-fs-upgrade.patch b/patches/tar-fs-upgrade.patch index c4c6c706a..3715d2d64 100644 --- a/patches/tar-fs-upgrade.patch +++ b/patches/tar-fs-upgrade.patch 
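Review bot: In the `ipcMain.ts` section carried by this patch, `const url = sender?.url;` turns a null `event.senderFrame` into an undefined `url`, and the comment directly below it describes an undefined `url` as an expected case. If the check that follows (not visible in the lines shown) accepts a falsy `url`, a message whose sender frame is no longer available would pass validation without any origin comparison, and the later `sender?.parent !== null` test would never be reached for it. Consider handling the missing frame explicitly before reading `url`, for example `if (!sender) { return false; }` preceded by an `onUnexpectedError` report in the style of the neighbouring branches; if tests depend on the lenient path, narrow the exception to that case and say so in the comment. These lines are context in this hunk, and the enclosing method starts and ends outside it.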
@@ -31,4 +31,4 @@ Index: sagemaker-code-editor/vscode/remote/yarn.lock + integrity sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg== dependencies: chownr "^1.1.1" - mkdirp-classic "^0.5.2" \ No newline at end of file + mkdirp-classic "^0.5.2"