Conversation

Notices

1. Embed this notice
   srslypascal (srslypascal@chaos.social)'s status on Friday, 27-Oct-2023 18:17:05 JST srslypascal

   in reply to

   • Alexandre Dulaunoy

   @adulau

   They should just get rid altogether of the liability/technical debt that is Electron.

   As of signal-desktop 6.36.0, they still use Electron 25.8.4, which is affected by at least 8 different security issues according to the release notes of Electron 25.9.0 through 25.9.3.

   https://github.com/signalapp/Signal-Desktop/blob/v6.36.0/package.json#L275

   And on top of all of these issues, there remains the issue of the disabled sandbox, which they haven't bothered to fix in over 4 years.

   https://github.com/signalapp/Signal-Desktop/issues/3573

   • Embed this notice
     Alexandre Dulaunoy (adulau@infosec.exchange)'s status on Friday, 27-Oct-2023 18:17:10 JST Alexandre Dulaunoy

     • Signal
     • jvoisin

     Digging a little bit in the some ICC profiles added in signal-app, I updated the original issue and there is clearly an issue where new ICC profiles are created from the Google skia library.

     https://github.com/signalapp/Signal-Desktop/issues/6031#issuecomment-1702432836

     This issue only appears when the media-quality is to high. Maybe an allow-list strategy like the mat2 tool written by @jvoisin would be better to be sure that new metadata created are discarded by default.

     @signalapp

     #privacy #signal #signalapp #metadata

     pettter repeated this.