Bug#921688: NMU Diff
Thank you for taking care of this; I plan to package a new upstream version
when I can, but the need to package new dependencies makes this non-trivial
and due to personal circumstances I have not yet had the opportunity to
handle this.
On Tue, 7 May 2019 at 04:30, Sam Hartman wrote:
>
> Dear maintainer.
> I made the following 0-day NMU of electrum.
> I suspect that once you update to a new version you will not wish to
> include these changes, but in the interest of awareness of your package
> I wanted to make sure you were aware.
>
> diff --git a/debian/changelog b/debian/changelog
> index 4ff..c30a279 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +electrum (3.2.3-1.1) unstable; urgency=medium
> +
> + * Non-maintainer upload.
> + * On startup print a warning that this version in insecure and then
> +exit, Closes: #928518
> +
> +
> + -- Sam Hartman Mon, 06 May 2019 22:11:19 -0400
> +
> electrum (3.2.3-1) unstable; urgency=medium
>
>* New upstream release.
> diff --git a/debian/patches/replace-with-security-warning.patch
> b/debian/patches/replace-with-security-warning.patch
> new file mode 100644
> index 000..e8f409e
> --- /dev/null
> +++ b/debian/patches/replace-with-security-warning.patch
> @@ -0,0 +1,60 @@
> +From: Sam Hartman
> +Date: Mon, 6 May 2019 22:10:51 -0400
> +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9
> +Subject: Replace with security warning
> +
> +On startup print to GUI and stdio a security warning and then exit.
> +
> +---
> +
> +--- electrum-3.2.3.orig/electrum/electrum
> electrum-3.2.3/electrum/electrum
> +@@ -1,4 +1,4 @@
> +-#!/usr/bin/env python3
> ++#!/usr/bin/python3
> + # -*- mode: python -*-
> + #
> + # Electrum - lightweight Bitcoin client
> +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea
> + is_bundle = getattr(sys, 'frozen', False)
> + is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
> + is_android = 'ANDROID_DATA' in os.environ
> ++try:
> ++import PyQt5
> ++except Exception:
> ++sys.exit("Error: Could not import PyQt5 on Linux systems, you may
> try 'sudo apt-get install python3-pyqt5'")
> +
> ++from PyQt5.QtGui import *
> ++from PyQt5.QtWidgets import *
> ++from PyQt5.QtCore import *
> ++import PyQt5.QtCore as QtCore
> + # move this back to gui/kivy/__init.py once plugins are moved
> + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
> +
> + if is_local or is_android:
> + sys.path.insert(0, os.path.join(script_dir, 'packages'))
> +
> ++security_message = ''' \
> ++This version of Electrum is vulnerable to malicious code inserted by
> ++attackers and is being actively exploited to try and convince users to
> ++give their private credentials to attackers. See
> ++https://bugs.debian.org/921688 for details. Until the version in
> ++Debian is updated, please see https://electrum.org/download.html
> ++'''
> ++sys.stderr.write(security_message)
> ++
> ++
> ++from electrum.gui.qt.util import MessageBoxMixin
> ++class Window(QMainWindow, MessageBoxMixin):
> ++
> ++def __init__(self, *args, **kwargs):
> ++super().__init__(*args, **kwargs)
> ++self.show_warning(msg = security_message, title = "THIS
> APPLICATION is INSECURE")
> ++
> ++
> ++app = QApplication(["electrum", "gui"])
> ++window = Window()
> ++sys.exit(2)
> +
> + def check_imports():
> + # pure-python dependencies need to be imported here for pyinstaller
> diff --git a/debian/patches/series b/debian/patches/series
> new file mode 100644
> index 000..8ffe66a
> --- /dev/null
> +++ b/debian/patches/series
> @@ -0,0 +1 @@
> +replace-with-security-warning.patch
> diff --git a/electrum/electrum b/electrum/electrum
> index dd35c35..8c5ef37 100755
> --- a/electrum/electrum
> +++ b/electrum/electrum
> @@ -1,4 +1,4 @@
> -#!/usr/bin/env python3
> +#!/usr/bin/python3
> # -*- mode: python -*-
> #
> # Electrum - lightweight Bitcoin client
> @@ -30,13 +30,42 @@ script_dir =
> os.path.dirname(os.path.realpath(__file__))
> is_bundle = getattr(sys, 'frozen', False)
> is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
> is_android = 'ANDROID_DATA' in os.environ
> -
> +try:
> +import PyQt5
> +except Exception:
> +sys.exit("Error: Could not import PyQt5 on Linux systems, you may try
> 'sudo apt-get install python3-pyqt5'")
> +
> +from PyQt5.QtGui import *
> +from PyQt5.QtWidgets import *
> +from PyQt5.QtCore import *
> +import PyQt5.QtCore as QtCore
> # move this back to gui/kivy/__init.py once plugins are moved
> os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
>
> if is_local or is_android:
> sys.path.insert(0, os.path.join(script_dir, 'packages'))
>
> +security_message = ''' \
> +This version of Electrum is vulnerable to malicious code inserted by
> +attackers and is being actively
Bug#921688: NMU Diff
Dear maintainer.
I made the following 0-day NMU of electrum.
I suspect that once you update to a new version you will not wish to
include these changes, but in the interest of awareness of your package
I wanted to make sure you were aware.
diff --git a/debian/changelog b/debian/changelog
index 4ff..c30a279 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+electrum (3.2.3-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * On startup print a warning that this version in insecure and then
+exit, Closes: #928518
+
+
+ -- Sam Hartman Mon, 06 May 2019 22:11:19 -0400
+
electrum (3.2.3-1) unstable; urgency=medium
* New upstream release.
diff --git a/debian/patches/replace-with-security-warning.patch
b/debian/patches/replace-with-security-warning.patch
new file mode 100644
index 000..e8f409e
--- /dev/null
+++ b/debian/patches/replace-with-security-warning.patch
@@ -0,0 +1,60 @@
+From: Sam Hartman
+Date: Mon, 6 May 2019 22:10:51 -0400
+X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9
+Subject: Replace with security warning
+
+On startup print to GUI and stdio a security warning and then exit.
+
+---
+
+--- electrum-3.2.3.orig/electrum/electrum
electrum-3.2.3/electrum/electrum
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python3
++#!/usr/bin/python3
+ # -*- mode: python -*-
+ #
+ # Electrum - lightweight Bitcoin client
+@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea
+ is_bundle = getattr(sys, 'frozen', False)
+ is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
"electrum.desktop"))
+ is_android = 'ANDROID_DATA' in os.environ
++try:
++import PyQt5
++except Exception:
++sys.exit("Error: Could not import PyQt5 on Linux systems, you may try
'sudo apt-get install python3-pyqt5'")
+
++from PyQt5.QtGui import *
++from PyQt5.QtWidgets import *
++from PyQt5.QtCore import *
++import PyQt5.QtCore as QtCore
+ # move this back to gui/kivy/__init.py once plugins are moved
+ os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) +
'/electrum/gui/kivy/data/'
+
+ if is_local or is_android:
+ sys.path.insert(0, os.path.join(script_dir, 'packages'))
+
++security_message = ''' \
++This version of Electrum is vulnerable to malicious code inserted by
++attackers and is being actively exploited to try and convince users to
++give their private credentials to attackers. See
++https://bugs.debian.org/921688 for details. Until the version in
++Debian is updated, please see https://electrum.org/download.html
++'''
++sys.stderr.write(security_message)
++
++
++from electrum.gui.qt.util import MessageBoxMixin
++class Window(QMainWindow, MessageBoxMixin):
++
++def __init__(self, *args, **kwargs):
++super().__init__(*args, **kwargs)
++self.show_warning(msg = security_message, title = "THIS APPLICATION
is INSECURE")
++
++
++app = QApplication(["electrum", "gui"])
++window = Window()
++sys.exit(2)
+
+ def check_imports():
+ # pure-python dependencies need to be imported here for pyinstaller
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..8ffe66a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+replace-with-security-warning.patch
diff --git a/electrum/electrum b/electrum/electrum
index dd35c35..8c5ef37 100755
--- a/electrum/electrum
+++ b/electrum/electrum
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
# -*- mode: python -*-
#
# Electrum - lightweight Bitcoin client
@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.realpath(__file__))
is_bundle = getattr(sys, 'frozen', False)
is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
"electrum.desktop"))
is_android = 'ANDROID_DATA' in os.environ
-
+try:
+import PyQt5
+except Exception:
+sys.exit("Error: Could not import PyQt5 on Linux systems, you may try
'sudo apt-get install python3-pyqt5'")
+
+from PyQt5.QtGui import *
+from PyQt5.QtWidgets import *
+from PyQt5.QtCore import *
+import PyQt5.QtCore as QtCore
# move this back to gui/kivy/__init.py once plugins are moved
os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) +
'/electrum/gui/kivy/data/'
if is_local or is_android:
sys.path.insert(0, os.path.join(script_dir, 'packages'))
+security_message = ''' \
+This version of Electrum is vulnerable to malicious code inserted by
+attackers and is being actively exploited to try and convince users to
+give their private credentials to attackers. See
+https://bugs.debian.org/921688 for details. Until the version in
+Debian is updated, please see https://electrum.org/download.html
+'''
+sys.stderr.write(security_message)
+
+
+from electrum.gui.qt.util import MessageBoxMixin
+class Window(QMainWindow, MessageBoxMixin):
+
+def __init__(self, *args, **kwargs):
+super().__init__(*args, **kwargs)
+self.show_warning(msg = security_message, title = "THIS APPLICATION is
INSECURE")
+
+
