CVE-2022-31246: paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=209997f21d87a7cc8435b33385adb3e42baed79a commit 209997f21d87a7cc8435b33385adb3e42baed79a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-06-19 05:04:16 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-06-19 05:04:38 +0000 net-misc/electrum: Remove old Bug: https://bugs.gentoo.org/852842 Signed-off-by: Michał Górny <mgorny@gentoo.org> net-misc/electrum/Manifest | 1 - net-misc/electrum/electrum-4.2.1-r2.ebuild | 99 ------------------------------ 2 files changed, 100 deletions(-)
Thanks! Hard to exploit and limited impact anyway, so no GLSA. All done!