Bug #15207
JSONRPC vulnerability in Electrum 2.6 to 3.0.4
Description
On January 6th, a vulnerability was disclosed in the Electrum wallet software that allows malicious websites to execute wallet commands through JSONRPC, executed in a web browser. The bug affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.
Tails users, in my opinion, must be forced to upgrade Electrum by rolling out a new build, and this must be done urgently, since the vulnerability is very serious!
For more information about the vulnerability please visit:
https://github.com/spesmilo/electrum-docs/blob/master/cve.rst or https://electrum.org
Related issues
Is duplicate of: Tails - (Resolved, 2017-12-07)
History
#1 Updated by humanrightsdefender 2018-01-21 20:12:33
amnesia@amnesia:~$ uname -a
Linux amnesia 4.14.0-3-amd64 #1 SMP Debian 4.14.12-2 (2018-01-06) x86_64 GNU/Linux
amnesia@amnesia:~$ electrum version
2.7.9
#2 Updated by humanrightsdefender 2018-01-21 20:44:51
A reminder!
What should users do?
All users should upgrade their Electrum software, and stop using old versions.
Users who did not protect their wallet with a password should create a new wallet, and move their funds to that wallet. Even if it never received any funds, a wallet without password should not be used anymore, because its seed might have been compromised.
In addition, users should review their settings, and delete all contacts from their contacts list, because the Bitcoin addresses of their contacts might have been modified.
https://github.com/spesmilo/electrum-docs/blob/master/cve.rst#what-should-users-do
#3 Updated by Dr_Whax 2018-01-21 21:52:36
- Category deleted (Build system)
- Status changed from New to Confirmed
- Priority changed from Urgent to Normal
Thanks for creating a ticket. As far as I can see, this is a little complicated, see https://packages.debian.org/search?keywords=electrum. Someone would have to upload the latest package to sid and create a stretch-backport. Also, there's a thread about something related to this that is maybe worth following for you: https://mailman.boum.org/pipermail/tails-dev/2017-December/011933.html
Or, if the CVE gets requested as indicated in this upstream issue (https://github.com/spesmilo/electrum/issues/3374), the fix can get backported.
PS: I'm still no Debian expert, so please take my comments with a grain of salt.
However, not sure what’s best to do, at this very point, it would be nice to notify users to not have a browser and electrum open.
#4 Updated by goupille 2018-01-22 00:27:44
- Status changed from Confirmed to Duplicate
Duplicates Feature #15022
Tails users are not affected by this issue (if I understand the comments on Bug #15151).
#5 Updated by intrigeri 2018-01-22 09:23:55
I’ve deleted a few comments that did not add any useful information but clearly violated https://tails.boum.org/contribute/working_together/code_of_conduct/.
#6 Updated by intrigeri 2018-01-22 09:25:13
- Is duplicate of Feature #15022: Electrum package update to version 3.0.6 added
#7 Updated by intrigeri 2018-01-22 09:27:35
- This is a duplicate of Feature #15022. We don't need a 3rd ticket, two of them being duplicates, to track this potential issue.
- As explained on Feature #15022, our analysis concluded that Tails is not affected. If you think that's wrong, please demonstrate why on Feature #15022.