Reported in [1]. Upstream issue [2]. Apparently Electrum used to accept rich text error messages from servers, and malicious server owners used that to display forged update messages to users. The 3.1.3 version in Gentoo is affected, and I'll remove it shortly. The 3.3* versions we have are already fixed.

[1] https://github.com/gentoo/gentoo/pull/12709
[2] https://github.com/spesmilo/electrum/issues/4968
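The report above describes the bug class, not the fix: a server-supplied error string reaching a rich-text widget unchanged, so attacker markup renders as an official-looking update notice. The following is an added illustration written for this page, not code from Electrum or from the upstream fix. The JSON-RPC error reply is constructed, and `extract_error_message`, `render_vulnerable` and `render_hardened` are hypothetical helper names; it shows the untrusted path next to one defensive treatment (HTML-escaping, control-character stripping and a length cap) so the same widget would display the markup literally instead of interpreting it.

```python
import html
import json

# Constructed sample of a JSON-RPC error reply such as a malicious
# Electrum server could send. The "message" value is attacker-controlled;
# rendered as rich text it reads like a genuine update notice with a link
# to an attacker-chosen download. The host is a placeholder.
MALICIOUS_REPLY = json.dumps({
    "id": 1,
    "error": {
        "code": -32000,
        "message": (
            "<h2>Electrum update required</h2>"
            "<p>Download the new version from "
            '<a href="https://example.invalid/electrum">example.invalid</a></p>'
        ),
    },
})


def extract_error_message(raw_reply: str) -> str:
    """Pull the error message out of a JSON-RPC reply.

    Everything here is untrusted input from the remote server; the only
    guarantee after this function is that the return value is a str.
    """
    reply = json.loads(raw_reply)
    err = reply.get("error")
    if not isinstance(err, dict):
        return ""
    msg = err.get("message", "")
    return msg if isinstance(msg, str) else ""


def render_vulnerable(server_message: str) -> str:
    """Vulnerable pattern: pass the server string to a rich-text widget as-is.

    A widget that interprets HTML will turn the tags into a heading,
    paragraph and clickable link controlled by the server operator.
    """
    return server_message


def render_hardened(server_message: str, max_len: int = 200) -> str:
    """One defensive treatment (hypothetical, not Electrum's own patch).

    - drop control characters so the text cannot reshape the dialog
    - cap the length so a server cannot fill the screen
    - HTML-escape so a rich-text widget shows '<a href=...>' literally
    """
    cleaned = "".join(
        ch for ch in server_message if ch.isprintable() or ch in "\n\t"
    )
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "..."
    return html.escape(cleaned, quote=True)


def contains_markup(text: str) -> bool:
    """True if the string still carries something a rich-text widget would parse."""
    return "<" in text and ">" in text


if __name__ == "__main__":
    msg = extract_error_message(MALICIOUS_REPLY)
    print("vulnerable:", render_vulnerable(msg))
    print("hardened:  ", render_hardened(msg))
```

The escaping step is the one that removes the forgery: `&lt;a href=&quot;...&quot;&gt;` is inert text in a rich-text widget, and the user sees the markup rather than a link. Treating the server message as plain text at the widget level (rather than escaping) is an equivalent mitigation; either way the decision has to be made before the string reaches the display code.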
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b541d3102f0e6c4ecf9ffba66eeb841c16fa03d

commit 6b541d3102f0e6c4ecf9ffba66eeb841c16fa03d
Author:     Kristaps Kaupe <kristaps@blogiem.lv>
AuthorDate: 2019-08-14 20:16:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-14 20:34:15 +0000

    net-misc/electrum: remove vulnerable 3.1.3

    See https://github.com/spesmilo/electrum/issues/4968

    Signed-off-by: Kristaps Kaupe <kristaps@blogiem.lv>
    Bug: https://bugs.gentoo.org/692164
    Closes: https://github.com/gentoo/gentoo/pull/12709
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-misc/electrum/Manifest                        |   1 -
 net-misc/electrum/electrum-3.1.3-r1.ebuild        | 173 ---------------------
 .../electrum/files/3.1.2-pip-optional-pkgs.patch  |  13 --
 net-misc/electrum/files/3.1.3-desktop.patch       |  21 ---
 4 files changed, 208 deletions(-)