Bug#921688: NMU Diff
Thank you for taking care of this; I plan to package a new upstream version when I can, but the need to package new dependencies makes this non-trivial and due to personal circumstances I have not yet had the opportunity to handle this. On Tue, 7 May 2019 at 04:30, Sam Hartman wrote: > > Dear maintainer. > I made the following 0-day NMU of electrum. > I suspect that once you update to a new version you will not wish to > include these changes, but in the interest of awareness of your package > I wanted to make sure you were aware. > > diff --git a/debian/changelog b/debian/changelog > index 4ff..c30a279 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,12 @@ > +electrum (3.2.3-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * On startup print a warning that this version in insecure and then > +exit, Closes: #928518 > + > + > + -- Sam Hartman Mon, 06 May 2019 22:11:19 -0400 > + > electrum (3.2.3-1) unstable; urgency=medium > >* New upstream release. > diff --git a/debian/patches/replace-with-security-warning.patch > b/debian/patches/replace-with-security-warning.patch > new file mode 100644 > index 000..e8f409e > --- /dev/null > +++ b/debian/patches/replace-with-security-warning.patch 
> @@ -0,0 +1,60 @@ > +From: Sam Hartman > +Date: Mon, 6 May 2019 22:10:51 -0400 > +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9 > +Subject: Replace with security warning > + > +On startup print to GUI and stdio a security warning and then exit. > + > +--- > + > +--- electrum-3.2.3.orig/electrum/electrum > electrum-3.2.3/electrum/electrum > +@@ -1,4 +1,4 @@ > +-#!/usr/bin/env python3 > ++#!/usr/bin/python3 > + # -*- mode: python -*- > + # > + # Electrum - lightweight Bitcoin client > +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea > + is_bundle = getattr(sys, 'frozen', False) > + is_local = not is_bundle and os.path.exists(os.path.join(script_dir, > "electrum.desktop")) > + is_android = 'ANDROID_DATA' in os.environ > ++try: > ++import PyQt5 > ++except Exception: > ++sys.exit("Error: Could not import PyQt5 on Linux systems, you may > try 'sudo apt-get install python3-pyqt5'") > + > ++from PyQt5.QtGui import * > ++from PyQt5.QtWidgets import * > ++from PyQt5.QtCore import * > ++import PyQt5.QtCore as QtCore > + # move this back to gui/kivy/__init.py once plugins are moved > + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) > + '/electrum/gui/kivy/data/' > + > + if is_local or is_android: > + sys.path.insert(0, os.path.join(script_dir, 'packages')) > + > ++security_message = ''' \ > ++This version of Electrum is vulnerable to malicious code inserted by > ++attackers and is being actively exploited to try and convince users to > ++give their private credentials to attackers. See > ++https://bugs.debian.org/921688 for details. 
Until the version in > ++Debian is updated, please see https://electrum.org/download.html > ++''' > ++sys.stderr.write(security_message) > ++ > ++ > ++from electrum.gui.qt.util import MessageBoxMixin > ++class Window(QMainWindow, MessageBoxMixin): > ++ > ++def __init__(self, *args, **kwargs): > ++super().__init__(*args, **kwargs) > ++self.show_warning(msg = security_message, title = "THIS > APPLICATION is INSECURE") > ++ > ++ > ++app = QApplication(["electrum", "gui"]) > ++window = Window() > ++sys.exit(2) > + > + def check_imports(): > + # pure-python dependencies need to be imported here for pyinstaller > diff --git a/debian/patches/series b/debian/patches/series > new file mode 100644 > index 000..8ffe66a > --- /dev/null > +++ b/debian/patches/series > @@ -0,0 +1 @@ > +replace-with-security-warning.patch > diff --git a/electrum/electrum b/electrum/electrum > index dd35c35..8c5ef37 100755 > --- a/electrum/electrum > +++ b/electrum/electrum > @@ -1,4 +1,4 @@ > -#!/usr/bin/env python3 > +#!/usr/bin/python3 > # -*- mode: python -*- > # > # Electrum - lightweight Bitcoin client 
> @@ -30,13 +30,42 @@ script_dir = > os.path.dirname(os.path.realpath(__file__)) > is_bundle = getattr(sys, 'frozen', False) > is_local = not is_bundle and os.path.exists(os.path.join(script_dir, > "electrum.desktop")) > is_android = 'ANDROID_DATA' in os.environ > - > +try: > +import PyQt5 > +except Exception: > +sys.exit("Error: Could not import PyQt5 on Linux systems, you may try > 'sudo apt-get install python3-pyqt5'") > + > +from PyQt5.QtGui import * > +from PyQt5.QtWidgets import * > +from PyQt5.QtCore import * > +import PyQt5.QtCore as QtCore > # move this back to gui/kivy/__init.py once plugins are moved > os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) > + '/electrum/gui/kivy/data/' > > if is_local or is_android: > sys.path.insert(0, os.path.join(script_dir, 'packages')) > > +security_message = ''' \ > +This version of Electrum is vulnerable to malicious code inserted by > +attackers and is being actively
Bug#921688: NMU Diff
Dear maintainer. I made the following 0-day NMU of electrum. I suspect that once you update to a new version you will not wish to include these changes, but in the interest of awareness of your package I wanted to make sure you were aware.
diff --git a/debian/changelog b/debian/changelog
index 4ff..c30a279 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+electrum (3.2.3-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * On startup print a warning that this version in insecure and then
+exit, Closes: #928518
+
+
+ -- Sam Hartman Mon, 06 May 2019 22:11:19 -0400
+
 electrum (3.2.3-1) unstable; urgency=medium
 * New upstream release.
diff --git a/debian/patches/replace-with-security-warning.patch b/debian/patches/replace-with-security-warning.patch
new file mode 100644
index 000..e8f409e
--- /dev/null
+++ b/debian/patches/replace-with-security-warning.patch
@@ -0,0 +1,60 @@
+From: Sam Hartman
+Date: Mon, 6 May 2019 22:10:51 -0400
+X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9
+Subject: Replace with security warning
+
+On startup print to GUI and stdio a security warning and then exit.
+
+---
+
+--- electrum-3.2.3.orig/electrum/electrum electrum-3.2.3/electrum/electrum
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python3
++#!/usr/bin/python3
+ # -*- mode: python -*-
+ #
+ # Electrum - lightweight Bitcoin client
+@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea
+ is_bundle = getattr(sys, 'frozen', False)
+ is_local = not is_bundle and os.path.exists(os.path.join(script_dir, "electrum.desktop"))
+ is_android = 'ANDROID_DATA' in os.environ
++try:
++import PyQt5
++except Exception:
++sys.exit("Error: Could not import PyQt5 on Linux systems, you may try 'sudo apt-get install python3-pyqt5'")
+
++from PyQt5.QtGui import *
++from PyQt5.QtWidgets import *
++from PyQt5.QtCore import *
++import PyQt5.QtCore as QtCore
+ # move this back to gui/kivy/__init.py once plugins are moved
+ os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) + '/electrum/gui/kivy/data/'
+
+ if is_local or is_android:
+ sys.path.insert(0, os.path.join(script_dir, 'packages'))
+
++security_message = ''' \
++This version of Electrum is vulnerable to malicious code inserted by
++attackers and is being actively exploited to try and convince users to
++give their private credentials to attackers. See
++https://bugs.debian.org/921688 for details.
Until the version in
++Debian is updated, please see https://electrum.org/download.html
++'''
++sys.stderr.write(security_message)
++
++
++from electrum.gui.qt.util import MessageBoxMixin
++class Window(QMainWindow, MessageBoxMixin):
++
++def __init__(self, *args, **kwargs):
++super().__init__(*args, **kwargs)
++self.show_warning(msg = security_message, title = "THIS APPLICATION is INSECURE")
++
++
++app = QApplication(["electrum", "gui"])
++window = Window()
++sys.exit(2)
+
+ def check_imports():
+ # pure-python dependencies need to be imported here for pyinstaller
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..8ffe66a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+replace-with-security-warning.patch
diff --git a/electrum/electrum b/electrum/electrum
index dd35c35..8c5ef37 100755
--- a/electrum/electrum
+++ b/electrum/electrum
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
 # -*- mode: python -*-
 #
 # Electrum - lightweight Bitcoin client
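Review bot: In replace-with-security-warning.patch the PyQt5 guard, `sys.exit("Error: Could not import PyQt5 …")`, sits above `sys.stderr.write(security_message)`, so on a system without python3-pyqt5 the launcher exits with only an install hint and the security warning is never printed. The `security_message` definition and the `sys.stderr.write(security_message)` call should move ahead of the `try: import PyQt5` block, with the `except` branch reduced to `sys.exit(2)`, so the warning reaches stderr on every path and the exit status is the same with or without a GUI. The same ordering is in the electrum/electrum hunk that follows, whose end lies outside this excerpt. A one-line comment above the module-level `sys.exit(2)`, for example `# deliberate: nothing below this line may run in this version`, would make clear to whoever refreshes the patch that `check_imports()` and the rest of the launcher are intentionally unreachable.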
@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.realpath(__file__))
 is_bundle = getattr(sys, 'frozen', False)
 is_local = not is_bundle and os.path.exists(os.path.join(script_dir, "electrum.desktop"))
 is_android = 'ANDROID_DATA' in os.environ
-
+try:
+import PyQt5
+except Exception:
+sys.exit("Error: Could not import PyQt5 on Linux systems, you may try 'sudo apt-get install python3-pyqt5'")
+
+from PyQt5.QtGui import *
+from PyQt5.QtWidgets import *
+from PyQt5.QtCore import *
+import PyQt5.QtCore as QtCore
 # move this back to gui/kivy/__init.py once plugins are moved
 os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) + '/electrum/gui/kivy/data/'
 if is_local or is_android:
 sys.path.insert(0, os.path.join(script_dir, 'packages'))
+security_message = ''' \
+This version of Electrum is vulnerable to malicious code inserted by
+attackers and is being actively exploited to try and convince users to
+give their private credentials to attackers. See
+https://bugs.debian.org/921688 for details. Until the version in
+Debian is updated, please see https://electrum.org/download.html
+'''
+sys.stderr.write(security_message)
+
+
+from electrum.gui.qt.util import MessageBoxMixin
+class Window(QMainWindow, MessageBoxMixin):
+
+def __init__(self, *args, **kwargs):
+super().__init__(*args, **kwargs)
+self.show_warning(msg = security_message, title = "THIS APPLICATION is INSECURE")
+
+