Update Electron with security fix for remote code execution vulnerability

[chrmarti]

A remote code execution vulnerability exists in VS Code 1.80.1 and earlier versions where opening a maliciously crafted workspace from the command line code <attacker-controlled-workspace> can result in executing commands locally. Specifically this issue can only be exploited if the following conditions are met:

• VS Code is launched with an attacker-controlled working directory
• The attacker has the ability to write files to that working directory

Patches

The fix is available starting with VS Code 1.80.2. The fix (2ccd690) mitigates
the attack by updating to a newer version of Electron that contains the security fix.

Workarounds

There are no application side workarounds other than updating VS Code to the fixed version.

References

• The patch for this can be found at 2ccd690
• An advisory for this can be found at GHSA-5cm6-54wm-6gg6
• MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-39956
• Electron's advisory can be found at GHSA-7x97-j373-85x5