Bug #15207: JSONRPC vulnerability in Electrum 2.6 to 3.0.4

Bug #15207

JSONRPC vulnerability in Electrum 2.6 to 3.0.4

Added by humanrightsdefender 2018-01-21 20:10:08 . Updated 2018-01-22 09:27:35 .

Status:

Duplicate

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2018-01-21

Due date:

2018-01-22

% Done:

Feature Branch:

Type of work:

Debian

Blueprint:

Starter:

Affected tool:

Electrum

Deliverable for:

Description

On January 6th, a vulnerability was disclosed in the Electrum wallet software, that allows malicious websites to execute wallet commands through JSONRPC executed in a web browser. The bug affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

Tails users in my opinion must be forced to upgrade Electrum by rolling out a new build and this must be done urgently since the vulnerability is very serious!

For more information about the vulnerability please visit:
https://github.com/spesmilo/electrum-docs/blob/master/cve.rst or https://electrum.org

Subtasks

Related issues

Is duplicate of Tails - ~~Feature #15022~~: Electrum package update to version 3.0.6

Resolved

2017-12-07

History

#1 Updated by humanrightsdefender 2018-01-21 20:12:33

amnesia@amnesia:~$ uname -a
Linux amnesia 4.14.0-3-amd64 #1 SMP Debian 4.14.12-2 (2018-01-06) x86_64 GNU/Linux

amnesia@amnesia:~$ electrum version
2.7.9

#2 Updated by humanrightsdefender 2018-01-21 20:44:51

A reminder!

What should users do?

All users should upgrade their Electrum software, and stop using old versions.

Users who did not protect their wallet with a password should create a new wallet, and move their funds to that wallet. Even if it never received any funds, a wallet without password should not be used anymore, because its seed might have been compromised.

In addition, users should review their settings, and delete all contacts from their contacts list, because the Bitcoin addresses of their contacts might have been modified.
https://github.com/spesmilo/electrum-docs/blob/master/cve.rst#what-should-users-do

#3 Updated by Dr_Whax 2018-01-21 21:52:36

Category deleted (~~Build system~~)
Status changed from New to Confirmed
Priority changed from Urgent to Normal

Thanks for creating a ticket, as far as I can see, this is a little complicated, see https://packages.debian.org/search?keywords=electrum. Someone would have to upload the latest package to sid and create a stretch-backport. Also, there’s an thread about something related to this that is maybe worth following for you: https://mailman.boum.org/pipermail/tails-dev/2017-December/011933.html

Or, if the CVE gets requested as indicated in this upstream issue (https://github.com/spesmilo/electrum/issues/3374), the fix can get backported.

Ps: i’m still no debian expert, so please take my comments with a grain of salt.

However, not sure what’s best to do, at this very point, it would be nice to notify users to not have a browser and electrum open.

#4 Updated by goupille 2018-01-22 00:27:44

Status changed from Confirmed to Duplicate

Duplicates ~~Feature #15022~~

Tails Users are not affected by this issue (if I understand the comments on ~~Bug #15151~~)

#5 Updated by intrigeri 2018-01-22 09:23:55

I’ve deleted a few comments that did not add any useful information but clearly violated https://tails.boum.org/contribute/working_together/code_of_conduct/.

#6 Updated by intrigeri 2018-01-22 09:25:13

is duplicate of ~~Feature #15022~~: Electrum package update to version 3.0.6 added

#7 Updated by intrigeri 2018-01-22 09:27:35

This is a duplicate of ~~Feature #15022~~. We don’t need a 3rd ticket, two of them being duplicates, to track this potential issue.
As explained on ~~Feature #15022~~, our analysis concluded that Tails is not affected. If you think that’s wrong, please demonstrates why on ~~Feature #15022~~.