Thank you for taking care of this; I plan to package a new upstream version
when I can, but the need to package new dependencies makes this non-trivial
and due to personal circumstances I have not yet had the opportunity to
handle this.
On Tue, 7 May 2019 at 04:30, Sam Hartman <hartm...@debian.org> wrote:
>
> Dear maintainer.
> I made the following 0-day NMU of electrum.
> I suspect that once you update to a new version you will not wish to
> include these changes, but in the interest of awareness of your package
> I wanted to make sure you were aware.
>
> diff --git a/debian/changelog b/debian/changelog
> index 4aaaaff..c30a279 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +electrum (3.2.3-1.1) unstable; urgency=medium
> +
> + * Non-maintainer upload.
> + * On startup print a warning that this version in insecure and then
> + exit, Closes: #928518
> +
> +
> + -- Sam Hartman <hartm...@debian.org> Mon, 06 May 2019 22:11:19 -0400
> +
> electrum (3.2.3-1) unstable; urgency=medium
>
> * New upstream release.
> diff --git a/debian/patches/replace-with-security-warning.patch
> b/debian/patches/replace-with-security-warning.patch
> new file mode 100644
> index 0000000..e8f409e
> --- /dev/null
> +++ b/debian/patches/replace-with-security-warning.patch
> @@ -0,0 +1,60 @@
> +From: Sam Hartman <hartm...@debian.org>
> +Date: Mon, 6 May 2019 22:10:51 -0400
> +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9
> +Subject: Replace with security warning
> +
> +On startup print to GUI and stdio a security warning and then exit.
> +
> +---
> +
> +--- electrum-3.2.3.orig/electrum/electrum
> ++++ electrum-3.2.3/electrum/electrum
> +@@ -1,4 +1,4 @@
> +-#!/usr/bin/env python3
> ++#!/usr/bin/python3
> + # -*- mode: python -*-
> + #
> + # Electrum - lightweight Bitcoin client
> +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea
> + is_bundle = getattr(sys, 'frozen', False)
> + is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
> + is_android = 'ANDROID_DATA' in os.environ
> ++try:
> ++ import PyQt5
> ++except Exception:
> ++ sys.exit("Error: Could not import PyQt5 on Linux systems, you may
> try 'sudo apt-get install python3-pyqt5'")
> +
> ++from PyQt5.QtGui import *
> ++from PyQt5.QtWidgets import *
> ++from PyQt5.QtCore import *
> ++import PyQt5.QtCore as QtCore
> + # move this back to gui/kivy/__init.py once plugins are moved
> + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
> +
> + if is_local or is_android:
> + sys.path.insert(0, os.path.join(script_dir, 'packages'))
> +
> ++security_message = ''' \
> ++This version of Electrum is vulnerable to malicious code inserted by
> ++attackers and is being actively exploited to try and convince users to
> ++give their private credentials to attackers. See
> ++https://bugs.debian.org/921688 for details. Until the version in
> ++Debian is updated, please see https://electrum.org/download.html
> ++'''
> ++sys.stderr.write(security_message)
> ++
> ++
> ++from electrum.gui.qt.util import MessageBoxMixin
> ++class Window(QMainWindow, MessageBoxMixin):
> ++
> ++ def __init__(self, *args, **kwargs):
> ++ super().__init__(*args, **kwargs)
> ++ self.show_warning(msg = security_message, title = "THIS
> APPLICATION is INSECURE")
> ++
> ++
> ++app = QApplication(["electrum", "gui"])
> ++window = Window()
> ++sys.exit(2)
> +
> + def check_imports():
> + # pure-python dependencies need to be imported here for pyinstaller
> diff --git a/debian/patches/series b/debian/patches/series
> new file mode 100644
> index 0000000..8ffe66a
> --- /dev/null
> +++ b/debian/patches/series
> @@ -0,0 +1 @@
> +replace-with-security-warning.patch
> diff --git a/electrum/electrum b/electrum/electrum
> index dd35c35..8c5ef37 100755
> --- a/electrum/electrum
> +++ b/electrum/electrum
> @@ -1,4 +1,4 @@
> -#!/usr/bin/env python3
> +#!/usr/bin/python3
> # -*- mode: python -*-
> #
> # Electrum - lightweight Bitcoin client
> @@ -30,13 +30,42 @@ script_dir =
> os.path.dirname(os.path.realpath(__file__))
> is_bundle = getattr(sys, 'frozen', False)
> is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
> is_android = 'ANDROID_DATA' in os.environ
> -
> +try:
> + import PyQt5
> +except Exception:
> + sys.exit("Error: Could not import PyQt5 on Linux systems, you may try
> 'sudo apt-get install python3-pyqt5'")
> +
> +from PyQt5.QtGui import *
> +from PyQt5.QtWidgets import *
> +from PyQt5.QtCore import *
> +import PyQt5.QtCore as QtCore
> # move this back to gui/kivy/__init.py once plugins are moved
> os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
>
> if is_local or is_android:
> sys.path.insert(0, os.path.join(script_dir, 'packages'))
>
> +security_message = ''' \
> +This version of Electrum is vulnerable to malicious code inserted by
> +attackers and is being actively exploited to try and convince users to
> +give their private credentials to attackers. See
> +https://bugs.debian.org/921688 for details. Until the version in
> +Debian is updated, please see https://electrum.org/download.html
> +'''
> +sys.stderr.write(security_message)
> +
> +
> +from electrum.gui.qt.util import MessageBoxMixin
> +class Window(QMainWindow, MessageBoxMixin):
> +
> + def __init__(self, *args, **kwargs):
> + super().__init__(*args, **kwargs)
> + self.show_warning(msg = security_message, title = "THIS
> APPLICATION is INSECURE")
> +
> +
> +app = QApplication(["electrum", "gui"])
> +window = Window()
> +sys.exit(2)
>
> def check_imports():
> # pure-python dependencies need to be imported here for pyinstaller
>
--
mithrandi, i Ainil en-Balandor, a faer Ambar
