electron-cash: 2.9.4 -> 3.1.2

Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS) in the JSONRPC interface. Previous versions of Electrum are vulnerable to port scanning and deanonimization attacks from malicious websites. Wallets that are not password-protected are vulnerable to theft. (cherry picked from commit 34c776e)
NixOS · Jan 9, 2018 · 58ad926 · 58ad926
1 parent 5603b46
commit 58ad926
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 13 deletions.
diff --git a/pkgs/applications/misc/electron-cash/default.nix b/pkgs/applications/misc/electron-cash/default.nix
@@ -1,24 +1,31 @@
-{ stdenv, fetchurl, python2Packages }:
+{ stdenv, fetchurl, python3Packages, qtbase }:
 
-python2Packages.buildPythonApplication rec {
-  version = "2.9.4";
+let
+
+  python = python3Packages.python;
+
+in
+
+python3Packages.buildPythonApplication rec {
+  version = "3.1.2";
   name = "electron-cash-${version}";
 
   src = fetchurl {
-    url = "https://electroncash.org/downloads/${version}/win-linux/Electron-Cash-${version}.tar.gz";
+    url = "https://electroncash.org/downloads/${version}/win-linux/ElectronCash-${version}.tar.gz";
     # Verified using official SHA-1 and signature from
     # https://github.com/fyookball/keys-n-hashes
-    sha256 = "1y8mzwa6bb8zj4l92wm4c2icnr42wmhbfz6z5ymh356gwll914vh";
+    sha256 = "18h44jfbc2ksj34hdzgszvvq82xi28schl3wp3lkq9fjp7ny0mf3";
   };
 
-  propagatedBuildInputs = with python2Packages; [
-    dns
+  propagatedBuildInputs = with python3Packages; [
+    dns  # dnspython
     ecdsa
-    jsonrpclib
+    jsonrpclib-pelix
+    matplotlib
     pbkdf2
     pyaes
     pycrypto
-    pyqt4
+    pyqt5
     pysocks
     qrcode
     requests
@@ -29,18 +36,25 @@ python2Packages.buildPythonApplication rec {
     trezor
   ];
 
+  postPatch = ''
+    # Remove pyqt5 check
+    sed -i '/pyqt5/d' setup.py
+  '';
+
   preBuild = ''
     sed -i 's,usr_share = .*,usr_share = "'$out'/share",g' setup.py
-    pyrcc4 icons.qrc -o gui/qt/icons_rc.py
+    pyrcc5 icons.qrc -o gui/qt/icons_rc.py
     # Recording the creation timestamps introduces indeterminism to the build
     sed -i '/Created: .*/d' gui/qt/icons_rc.py
   '';
 
+  doCheck = false;
+
   postInstall = ''
     # Despite setting usr_share above, these files are installed under
     # $out/nix ...
-    mv $out/lib/python2.7/site-packages/nix/store"/"*/share $out
-    rm -rf $out/lib/python2.7/site-packages/nix
+    mv $out/${python.sitePackages}/nix/store"/"*/share $out
+    rm -rf $out/${python.sitePackages}/nix
 
     substituteInPlace $out/share/applications/electron-cash.desktop \
       --replace "Exec=electron-cash %u" "Exec=$out/bin/electron-cash %u"

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -14066,7 +14066,7 @@ with pkgs;
 
   ekho = callPackage ../applications/audio/ekho { };
 
-  electron-cash = callPackage ../applications/misc/electron-cash { };
+  electron-cash = libsForQt5.callPackage ../applications/misc/electron-cash { };
 
   electrum = callPackage ../applications/misc/electrum { };