Dear maintainer. I made the following 0-day NMU of electrum. I suspect that once you update to a new version you will not wish to include these changes, but I wanted to make sure you were aware of them.
diff --git a/debian/changelog b/debian/changelog index 4aaaaff..c30a279 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +electrum (3.2.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * On startup print a warning that this version in insecure and then + exit, Closes: #928518 + + + -- Sam Hartman <hartm...@debian.org> Mon, 06 May 2019 22:11:19 -0400 + electrum (3.2.3-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/replace-with-security-warning.patch b/debian/patches/replace-with-security-warning.patch new file mode 100644 index 0000000..e8f409e --- /dev/null +++ b/debian/patches/replace-with-security-warning.patch 
@@ -0,0 +1,60 @@ +From: Sam Hartman <hartm...@debian.org> +Date: Mon, 6 May 2019 22:10:51 -0400 +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9 +Subject: Replace with security warning + +On startup print to GUI and stdio a security warning and then exit. + +--- + +--- electrum-3.2.3.orig/electrum/electrum ++++ electrum-3.2.3/electrum/electrum +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python3 ++#!/usr/bin/python3 + # -*- mode: python -*- + # + # Electrum - lightweight Bitcoin client +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea + is_bundle = getattr(sys, 'frozen', False) + is_local = not is_bundle and os.path.exists(os.path.join(script_dir, "electrum.desktop")) + is_android = 'ANDROID_DATA' in os.environ ++try: ++ import PyQt5 ++except Exception: ++ sys.exit("Error: Could not import PyQt5 on Linux systems, you may try 'sudo apt-get install python3-pyqt5'") + ++from PyQt5.QtGui import * ++from PyQt5.QtWidgets import * ++from PyQt5.QtCore import * ++import PyQt5.QtCore as QtCore + # move this back to gui/kivy/__init.py once plugins are moved + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) + '/electrum/gui/kivy/data/' + + if is_local or is_android: + sys.path.insert(0, os.path.join(script_dir, 'packages')) + ++security_message = ''' \ ++This version of Electrum is vulnerable to malicious code inserted by ++attackers and is being actively exploited to try and convince users to ++give their private credentials to attackers. See ++https://bugs.debian.org/921688 for details. 
Until the version in ++Debian is updated, please see https://electrum.org/download.html ++''' ++sys.stderr.write(security_message) ++ ++ ++from electrum.gui.qt.util import MessageBoxMixin ++class Window(QMainWindow, MessageBoxMixin): ++ ++ def __init__(self, *args, **kwargs): ++ super().__init__(*args, **kwargs) ++ self.show_warning(msg = security_message, title = "THIS APPLICATION is INSECURE") ++ ++ ++app = QApplication(["electrum", "gui"]) ++window = Window() ++sys.exit(2) + + def check_imports(): + # pure-python dependencies need to be imported here for pyinstaller diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..8ffe66a --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +replace-with-security-warning.patch diff --git a/electrum/electrum b/electrum/electrum index dd35c35..8c5ef37 100755 --- a/electrum/electrum +++ b/electrum/electrum @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/python3 # -*- mode: python -*- # # Electrum - lightweight Bitcoin client 
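Review bot: The security warning is written to stderr only after the `import PyQt5` guard, so where that import fails the user sees just the install hint from `sys.exit("Error: Could not import PyQt5 …")` and never learns why the program refuses to start. The launcher still exits on that path, so it fails closed, but showing the message is the whole purpose of this upload. Defining `security_message` and calling `sys.stderr.write(security_message)` before any GUI import, and treating the Qt imports as best-effort, would show it on every path. The narrower `from PyQt5.QtWidgets import QApplication, QMainWindow` would also replace the three wildcard imports and the unused `QtCore` alias. The same ordering appears in the direct `electrum/electrum` hunk (`@@ -30,13 +30,42 @@`) further down.

```python
# … unchanged: is_bundle / is_local / is_android, KIVY_DATA_DIR, sys.path setup …
# … unchanged: security_message definition, moved above the GUI imports …

# Print the warning before touching any GUI dependency, so it is shown
# even when PyQt5 or the Qt utility module cannot be imported.
sys.stderr.write(security_message)

try:
    from PyQt5.QtWidgets import QApplication, QMainWindow
    from electrum.gui.qt.util import MessageBoxMixin
except Exception:
    # No usable GUI stack: the stderr warning above is all we can show.
    sys.exit(2)

# … unchanged: Window class, QApplication/Window construction, sys.exit(2) …
```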
@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.realpath(__file__)) is_bundle = getattr(sys, 'frozen', False) is_local = not is_bundle and os.path.exists(os.path.join(script_dir, "electrum.desktop")) is_android = 'ANDROID_DATA' in os.environ - +try: + import PyQt5 +except Exception: + sys.exit("Error: Could not import PyQt5 on Linux systems, you may try 'sudo apt-get install python3-pyqt5'") + +from PyQt5.QtGui import * +from PyQt5.QtWidgets import * +from PyQt5.QtCore import * +import PyQt5.QtCore as QtCore # move this back to gui/kivy/__init.py once plugins are moved os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) + '/electrum/gui/kivy/data/' if is_local or is_android: sys.path.insert(0, os.path.join(script_dir, 'packages')) +security_message = ''' \ +This version of Electrum is vulnerable to malicious code inserted by +attackers and is being actively exploited to try and convince users to +give their private credentials to attackers. See +https://bugs.debian.org/921688 for details. Until the version in +Debian is updated, please see https://electrum.org/download.html +''' +sys.stderr.write(security_message) + + +from electrum.gui.qt.util import MessageBoxMixin +class Window(QMainWindow, MessageBoxMixin): + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.show_warning(msg = security_message, title = "THIS APPLICATION is INSECURE") + + +app = QApplication(["electrum", "gui"]) +window = Window() +sys.exit(2) def check_imports(): # pure-python dependencies need to be imported here for pyinstaller
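Review bot: `sys.exit(2)` directly after `window = Window()` only gives the user time to read the dialog if `show_warning` blocks until it is dismissed. That is presumably a modal message box in `electrum.gui.qt.util`, but it is not visible in this diff and no event loop is started here. A comment above the call would make the intent explicit, e.g. `# show_warning() is modal; once dismissed we stop here on purpose, nothing below runs (Debian bug #928518)`. Constructing `QApplication` unconditionally may also end the process abnormally on a session without a display, where Qt typically aborts rather than raising, so command-line and daemon users would get the stderr text followed by an abort instead of exit status 2. The gate lives only in this launcher script; whether other entry points import the `electrum` package directly cannot be told from this diff.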