electrum: CVE-2018-1000022

Related Vulnerabilities: CVE-2018-1000022  

Debian Bug report logs - #886683
Reported by: Daniel Koszta <daniel.koszta@gmail.com>

Date: Mon, 8 Jan 2018 22:21:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions electrum/2.4.2+dfsg1-1, electrum/3.0.3-1

Fixed in version electrum/3.0.5-1

Done: Tristan Seligmann <mithrandi@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/spesmilo/electrum/issues/3374
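The header above only states version strings (found in 2.4.2+dfsg1-1 and 3.0.3-1, fixed in 3.0.5-1). Deciding whether an installed package falls inside that range is a Debian version comparison, which is not plain numeric or lexicographic ordering (epochs, "~" sorting before the empty string, "+dfsg" suffixes). The following is an added example, not part of the bug log or of the electrum or Debian projects: it reimplements dpkg's version ordering in Python so the check runs offline, and applies it to the reporter's "Versions of packages" block. The "3.0.5-1~bpo9+1" string in the demo is a hypothetical backport version, not a real Debian upload; on a Debian host the authoritative check is `dpkg --compare-versions "$(dpkg-query -W -f '${Version}' electrum)" ge 3.0.5-1`.

```python
"""Check whether a Debian electrum package version lies in the affected range
given in bug #886683 (found in 2.4.2+dfsg1-1 and 3.0.3-1, fixed in 3.0.5-1).

Added example, not part of the bug log. It reimplements dpkg's version
ordering (epoch, upstream version, debian revision; '~' sorts before the end
of the string; digit runs compare numerically) so it runs without dpkg.
"""

FIXED_VERSION = "3.0.5-1"  # "Fixed in version" from the bug header


def _is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Character weight dpkg uses inside non-digit runs ('' = end of string)."""
    if c == "" or _is_digit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before even the end of the string
    return ord(c) + 256    # '+', '.', etc. sort after all letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of an upstream-version or debian-revision string.
    Returns <0, 0 or >0 (the sign is what matters)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run is greater, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _is_digit(a[i]) and _is_digit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""   # missing revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def affected_in_report(lines, fixed=FIXED_VERSION,
                       packages=("electrum", "python3-electrum")):
    """Scan reportbug-style 'ii  <package>  <version>' lines and say which of
    the electrum packages are installed at a version older than `fixed`.
    'pn' (not installed) rows and unrelated packages are ignored."""
    result = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii" and parts[1] in packages:
            result[parts[1]] = compare_versions(parts[2], fixed) < 0
    return result


# Constructed sample, taken from the reporter's "Versions of packages" block.
SAMPLE_REPORT = """\
ii  python3           3.6.4-1
ii  python3-electrum  3.0.3-1
pn  python3-btchip    <none>
"""

if __name__ == "__main__":
    # "3.0.5-1~bpo9+1" is a hypothetical backport string, not a real upload.
    for v in ("2.4.2+dfsg1-1", "3.0.3-1", "3.0.5-1", "3.0.5-1~bpo9+1"):
        state = "affected" if compare_versions(v, FIXED_VERSION) < 0 else "fixed"
        print(f"{v:16} {state}")
    print(affected_in_report(SAMPLE_REPORT.splitlines()))
```

Both found versions compare below 3.0.5-1, a hypothetical 3.0.5-1~bpo9+1 backport also compares below it (so a backport carrying the fix would need a revision that is not a "~" pre-release of the fixed one), and a local 3.0.5+dfsg1-1 repack would compare above it, which is the behaviour `dpkg --compare-versions` gives.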

Message #5 received at submit@bugs.debian.org:

From: Daniel Koszta <daniel.koszta@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: electrum: Security vulnerability in electrum
Date: Mon, 08 Jan 2018 23:18:37 +0100
Package: electrum
Version: 3.0.3-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Many Electrum versions are vulnerable, see
https://github.com/spesmilo/electrum/issues/3374.

A new, fixed version is already available in debian unstable, but it
should be included in stable and testing as soon as possible.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'stable'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=hu_HU.utf8, LC_CTYPE=hu_HU.utf8 (charmap=UTF-8), LANGUAGE=hu_HU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages electrum depends on:
ii  python3           3.6.4-1
ii  python3-electrum  3.0.3-1

Versions of packages electrum recommends:
ii  python3-pyqt5  5.9.2+dfsg-1

Versions of packages electrum suggests:
pn  python3-btchip  <none>
pn  python3-trezor  <none>
pn  python3-zbar    <none>

-- no debconf information



Message #10 received at 886683@bugs.debian.org:

From: Tristan Seligmann <mithrandi@mithrandi.net>
To: Daniel Koszta <daniel.koszta@gmail.com>, 886683@bugs.debian.org
Subject: Re: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Date: Tue, 09 Jan 2018 03:22:41 +0000
Control: found -1 2.4.2+dfsg1-1
Control: fixed -1 3.0.5-1

On Tue, 9 Jan 2018 at 00:21 Daniel Koszta <daniel.koszta@gmail.com> wrote:

> A new, fixed version is already available in debian unstable, but it
> should be included in stable and testing as soon as possible.
>

Unfortunately the version in stable is too old to be able to connect to the
current Electrum servers due to protocol incompatibilities; thus I do not
think there is a need to backport this fix to stable (if you are still
using this version successfully, it is most likely on an offline machine
that is not vulnerable to this exploit).

Testing should be updated shortly as nothing blocks the migration from
unstable: https://qa.debian.org/excuses.php?package=electrum

Marked as found in versions electrum/2.4.2+dfsg1-1. Request was from Tristan Seligmann <mithrandi@mithrandi.net> to 886683-submit@bugs.debian.org. (Tue, 09 Jan 2018 03:27:03 GMT)


Marked as fixed in versions electrum/3.0.5-1. Request was from Tristan Seligmann <mithrandi@mithrandi.net> to 886683-submit@bugs.debian.org. (Tue, 09 Jan 2018 03:27:04 GMT)


Set Bug forwarded-to-address to 'https://github.com/spesmilo/electrum/issues/3374'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Jan 2018 06:21:05 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Jan 2018 06:21:05 GMT)


Message #23 received at 886683@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Tristan Seligmann <mithrandi@mithrandi.net>
Cc: Daniel Koszta <daniel.koszta@gmail.com>, 886683@bugs.debian.org
Subject: Re: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Date: Mon, 15 Jan 2018 21:17:55 +0100
On Tue, Jan 09, 2018 at 03:22:41AM +0000, Tristan Seligmann wrote:
> Control: found -1 2.4.2+dfsg1-1
> Control: fixed -1 3.0.5-1
> 
> On Tue, 9 Jan 2018 at 00:21 Daniel Koszta <daniel.koszta@gmail.com> wrote:
> 
> > A new, fixed version is already available in debian unstable, but it
> > should be included in stable and testing as soon as possible.
> >
> 
> Unfortunately the version in stable is too old to be able to connect to the
> current Electrum servers due to protocol incompatibilities; thus I do not
> think there is a need to backport this fix to stable (if you are still
> using this version successfully, it is most likely on an offline machine
> that is not vulnerable to this exploit).

Ok, I'll update the Debian Security Tracker accordingly, but we also should
remove the package in the next stable point release.
Can you please also file a bug? (reportbug release.debian.org -> "rm")

Cheers,
        Moritz




Message #28 received at 886683@bugs.debian.org:

From: Tristan Seligmann <mithrandi@mithrandi.net>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Daniel Koszta <daniel.koszta@gmail.com>, 886683@bugs.debian.org
Subject: Re: Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Date: Tue, 16 Jan 2018 06:56:19 +0000
On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:

> Ok, I'll update the Debian Security Tracker accordingly, but we also should
> remove the package in the next stable point release.
> Can you please also file a bug? (reportbug release.debian.org -> "rm")
>

Yes, good point; I have filed this as #887412.

Message #33 received at 886683@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tristan Seligmann <mithrandi@mithrandi.net>, 886683@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Daniel Koszta <daniel.koszta@gmail.com>
Subject: Re: Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Date: Tue, 16 Jan 2018 08:09:50 +0100
Hi,

On Tue, Jan 16, 2018 at 06:56:19AM +0000, Tristan Seligmann wrote:
> On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> 
> > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > remove the package in the next stable point release.
> > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> >
> 
> Yes, good point; I have filed this as #887412.

Does the same reasoning as well apply to the version in
oldstable/jessie? If so we might want to remove it from there as well
(just file a second RM bug specific for the jessie version).

Regards,
Salvatore



Message #38 received at 886683@bugs.debian.org:

From: Tristan Seligmann <mithrandi@mithrandi.net>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 886683@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, Daniel Koszta <daniel.koszta@gmail.com>
Subject: Re: Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Date: Tue, 16 Jan 2018 07:33:50 +0000
On Tue, 16 Jan 2018 at 09:09 Salvatore Bonaccorso <carnil@debian.org> wrote:

> Hi,
>
> On Tue, Jan 16, 2018 at 06:56:19AM +0000, Tristan Seligmann wrote:
> > On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> >
> > > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > > remove the package in the next stable point release.
> > > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> > >
> >
> > Yes, good point; I have filed this as #887412.
>
> Does the same reasoning as well apply to the version in
> oldstable/jessie? If so we might want to remove it from there as well
> (just file a second RM bug specific for the jessie version).
>

Done (#887415). The jessie version is too old to be affected by the
security issue, but otherwise has the same problem (cannot connect to the
network) as well as probably calculating fees for offline transacting that
are way too low for the current situation.

Changed Bug title to 'electrum: CVE-2018-1000022' from 'electrum: Security vulnerability in electrum'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Jan 2018 11:54:05 GMT)


Marked Bug as done. Request was from Tristan Seligmann <mithrandi@debian.org> to control@bugs.debian.org. (Mon, 30 Jul 2018 01:39:02 GMT)


Message #57 received at 886683-submitter@bugs.debian.org:

From: Tristan Seligmann <mithrandi@debian.org>
To: control@bugs.debian.org
Cc: 886683-submitter@bugs.debian.org
Subject: closing 886683
Date: Mon, 30 Jul 2018 03:34:33 +0200
close 886683 3.0.5-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Aug 2018 07:32:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:59:31 2019; Machine Name: beach