Bug#1052211: bookworm-pu: package electrum/4.0.9

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1052211: bookworm-pu: package electrum/4.0.9
From: Soren Stoutner <soren@stoutner.com>
Date: Mon, 18 Sep 2023 19:19:29 -0700
Message-id: <[🔎] 169508996914.515320.9389662509900053816.reportbug@soren-desktop.stoutner.com>
Reply-to: Soren Stoutner <soren@stoutner.com>, 1052211@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: electrum@packages.debian.org
Control: affects -1 + src:electrum

[ Reason ]
A bug was discovered in a component known as Lightning of Electrum 4.1.0 - 4.4.5.

https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

[ Impact ]
Users who opt to use the Lightning network (an optional component) can have portions
of their Bitcoin transactions stolen by malicious nodes on the network.

[ Tests ]
Upstream has a test framework that I plan to integrate into autotests, but currently
the Debian packages do not include those tests.

[ Risks ]
A cherry-picked fix was provided by upstream that patches 4.3.4 in bookworm.

https://github.com/spesmilo/electrum/commit/11fba68126f82d05de90efd67f2b43dfd1b8f22c

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The patch fixes the Lightning client to verify that all the components of a transaction are
confirmed before releasing secrets to the Lightning node.

I have also updated the Uploaders field to be myself. If that is inappropriate for a point
release I can revert that change. See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041171

[ Other info ]
Discussion with upstream is at:

https://github.com/spesmilo/electrum/issues/8588

This was discussed with Debian Security. I was going to attach a link to the public part
of the discussion on the mailing list, but it appears that the list server web interface
is currently down. However, there is some information on the security tracker.

https://security-tracker.debian.org/tracker/TEMP-0000000-1C589C

Note that the security tracker currently says that 4.0.9 in oldstable is affected.
I had initially thought it was and indicated so to the Debian Security team. However,
upstream recently confirmed that the bug wasn't introduced until 4.1.0, which is
documented in the first and third GitHub links above.

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package electrum/4.0.9
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1052211: bookworm-pu: package electrum/4.0.9
  - From: Soren Stoutner <soren@stoutner.com>
- Bug#1052211: bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1
  - From: Soren Stoutner <soren@stoutner.com>
- Processed: Re: Bug#1052211: bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1052211: electrum 4.3.4+dfsg1-1+deb12u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Bug#1052211: marked as done (bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Processed: Re: Bug#1052211: marked as done (bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1052211: marked as done (bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1)
  - From: Soren Stoutner <soren@stoutner.com>

Prev by Date: Processed: bookworm-pu: package electrum/4.0.9
Next by Date: Bug#1052211: bookworm-pu: package electrum/4.0.9
Previous by thread: Processed: forwarded
Next by thread: Processed: bookworm-pu: package electrum/4.0.9
Index(es):
- Date
- Thread