Bug 692164

Summary:	~net-misc/electrum-3.1.3: vulnerable to phishing attacks by hostile servers
Product:	Gentoo Security	Reporter:	Michał Górny <mgorny>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	blueness, luke-jr+gentoobugs, mgorny
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Michał Górny archtester

2019-08-14 20:32:12 UTC

Reported in [1].  Upstream issue [2].

Apparently Electrum used to accept rich text error messages from servers, and malicious server owners used that to display forged update message to users.  3.1.3 version in Gentoo is affected, and I'll remove it shortly.  3.3* versions we have are already fixed.

[1] https://github.com/gentoo/gentoo/pull/12709
[2] https://github.com/spesmilo/electrum/issues/4968

Comment 1 Larry the Git Cow gentoo-dev

2019-08-14 20:36:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b541d3102f0e6c4ecf9ffba66eeb841c16fa03d

commit 6b541d3102f0e6c4ecf9ffba66eeb841c16fa03d
Author:     Kristaps Kaupe <kristaps@blogiem.lv>
AuthorDate: 2019-08-14 20:16:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-14 20:34:15 +0000

    net-misc/electrum: remove vulnerable 3.1.3
    
    See https://github.com/spesmilo/electrum/issues/4968
    
    Signed-off-by: Kristaps Kaupe <kristaps@blogiem.lv>
    Bug: https://bugs.gentoo.org/692164
    Closes: https://github.com/gentoo/gentoo/pull/12709
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-misc/electrum/Manifest                         |   1 -
 net-misc/electrum/electrum-3.1.3-r1.ebuild         | 173 ---------------------
 .../electrum/files/3.1.2-pip-optional-pkgs.patch   |  13 --
 net-misc/electrum/files/3.1.3-desktop.patch        |  21 ---
 4 files changed, 208 deletions(-)