PyPi: Cryptoadvance.Specter

CVE-2023-39956

Transitive

Safety vulnerability ID: 67912

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 06, 2023 Updated at Jun 25, 2024

Advisory

Cryptoadvance.specter 2.0.2 bumped its bundled Electron dependency from 22.1.0 to 22.3.21 to pick up the fix for CVE-2023-39956 (Electron vulnerable to out-of-package code execution when launched with an arbitrary working directory). Electron is the desktop shell of the windowed GUI application only; specterd and the pip-installed package run just the Specter server (see Artifacts below), so establish which form you deployed before triaging. The CVSS v3 vector below (local, low privileges, no user interaction) describes an attacker who already has a local account on the host running the GUI.

Affected package

cryptoadvance.specter

Latest version: 2.0.5

A GUI for Bitcoin Core & Electrum optimised to work with airgapped hardware wallets

Affected versions

< 2.0.2 (per the advisory above: the Electron bump shipped in 2.0.2)

Fixed versions

2.0.2 and later (latest: 2.0.5)

Vulnerability changelog

The text below is the upstream v2.0.2 release notes.

*Please create a full backup* before migrating or making any other major internal change, such as switching to an Electrum-based installation. You can create one in Settings --> Backup Specter (zip file).

Artifacts

Specter is available in several forms: as a GUI application, as a binary that can be executed like a web app, and as a PyPI package. Additionally, Specter is available as a Docker image via the awesome [Chiang Mai LN devs](https://github.com/lncm/docker-specter-desktop).

Signed hashsum files are available for all binaries.

GUI Application

This is a GUI application with a windowed interface, which includes the Specter server.
Supported platforms: [Windows](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/Specter-Setup-v2.0.2.exe), [MacOS](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/Specter-v2.0.2.dmg), [Linux (x86_64)](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/specter_desktop-v2.0.2-x86_64-linux-gnu.tar.gz)

**Note on Linux**: you need to set up udev rules (included in the archive). Check out the [readme](https://github.com/cryptoadvance/specter-desktop/blob/master/udev/README.md#usage).

**Note on macOS**: The current build supports only macOS Catalina (10.15) or higher. If you'd like to run Specter on an older macOS version, you can [install Specter from Pip](https://github.com/cryptoadvance/specter-desktop#installing-specter-from-pip).


specterd
Specterd is a command-line program that runs only the Specter server, behaving like a traditional web application.
Supported platforms: [Windows](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/specterd-v2.0.2-win64.zip), [MacOS](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/specterd-v2.0.2-osx.zip), [Linux (x86_64)](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/specterd-v2.0.2-x86_64-linux-gnu.zip)

PyPi Packages

If you are an experienced Python user and/or developer, you might appreciate the [PyPI packages](https://pypi.org/project/cryptoadvance.specter/), which are also available on the GitHub release page.

Signatures and hashes
The [SHA256SUMS](https://github.com/cryptoadvance/specter-desktop/releases/download/v2.0.2/SHA256SUMS) file contains the SHA-256 hashes of all binary files and is signed with the "Specter Signer's" GPG key.
You can get the public key from [here](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x785a2269ee3a9736ac1a4f4c864b7cf9a811fef7).
The fingerprint of the key is `785A 2269 EE3A 9736 AC1A 4F4C 864B 7CF9 A811 FEF7`. Compare the fingerprint gpg prints after import against this value, not just the name or e-mail on the key, since anyone can upload a key with the same user ID to a keyserver.
This key has been signed by k9ert's key. For more information about verifying signatures, see, e.g., this video.
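
The verification the paragraph above describes, as an added example for this page (not Specter's own release tooling): parse SHA256SUMS, confirm the signature on it was made by the published key rather than by any key in the keyring, then compare the artifact's digest. It assumes, which the page does not state, that the signature is a detached ASCII-armoured file named SHA256SUMS.asc next to SHA256SUMS and that `gpg` is on PATH with the signer's public key already imported. The sample SHA256SUMS content is constructed (digests of b"abc" and b"") so the parsing and comparison can run offline.

```python
"""Verify a downloaded Specter release against the signed SHA256SUMS file.

Added example for this advisory page; not Specter's own release tooling.
Assumed: detached signature in SHA256SUMS.asc (name assumed), gpg on PATH,
signer key already imported.
"""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path
from typing import Dict, List

# Fingerprint of "Specter Signer's" key as published in the release notes.
SPECTER_SIGNER_FPR = "785A 2269 EE3A 9736 AC1A 4F4C 864B 7CF9 A811 FEF7"

# Constructed sample SHA256SUMS content (digests of b"abc" and b"", NOT real
# release hashes) so parse/compare can be exercised without a download.
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-v2.0.2-linux.zip\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *example-empty.bin\n"
)


def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so the spaced form in the release notes
    compares equal to gpg's compact output."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", digest) or not name:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_matches(sums_text: str, name: str, data: bytes) -> bool:
    """True iff `data` hashes to the digest listed for `name`.
    A name missing from SHA256SUMS is a failure, not a pass."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))


def fingerprints_from_gpg_status(status: str) -> List[str]:
    """Extract fingerprints from `gpg --status-fd` output. On a VALIDSIG line the
    3rd field is the signing (sub)key fingerprint and the last field is the
    primary-key fingerprint, which is what the release notes publish."""
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return [parts[2].upper(), parts[-1].upper()]
    return []


def verify_signature(sums_path: Path, sig_path: Path,
                     expected_fpr: str = SPECTER_SIGNER_FPR) -> None:
    """Fail unless SHA256SUMS carries a valid signature from the expected key.
    A bare `gpg --verify` exit code only says that *some* key in the keyring signed it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True, check=False)
    fprs = fingerprints_from_gpg_status(proc.stdout)
    if proc.returncode != 0 or not fprs:
        raise RuntimeError(f"gpg could not verify the signature:\n{proc.stderr}")
    if normalize_fpr(expected_fpr) not in fprs:
        raise RuntimeError(f"SHA256SUMS signed by unexpected key: {fprs}")


def verify_release(artifact: Path, sums_path: Path, sig_path: Path) -> None:
    """Full check: signature on SHA256SUMS first, then the artifact's digest."""
    verify_signature(sums_path, sig_path)
    if not artifact_matches(sums_path.read_text(), artifact.name, artifact.read_bytes()):
        raise RuntimeError(f"digest mismatch or missing entry for {artifact.name}")


if __name__ == "__main__":
    import sys
    verify_release(Path(sys.argv[1]), Path("SHA256SUMS"), Path("SHA256SUMS.asc"))
    print("OK:", sys.argv[1])
```

Run it from the directory holding the downloaded artifact, SHA256SUMS and the signature, e.g. `python verify_release.py specterd-v2.0.2-x86_64-linux-gnu.zip`. The order matters: the signature is checked before any digest is trusted, and the signer's fingerprint is compared against the published one, so a SHA256SUMS re-signed with an attacker's key is rejected even if that key is in your keyring.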

Release notes
- Bugfix: Add missing signet key 2368 (Manolis Mandrapilias)
- Bugfix: Jade displaying wrong multisig addresses for descriptors using multi() 2366 (Manolis Mandrapilias)
- Bugfix: JSON parsing issues when copy & pasting wallet data from PDF 2355 (Manolis Mandrapilias)
- Bugfix: 2319 2330 (k9ert)
- Bugfix: fix specter.node has no _get_rpc() 2327 (k9ert)
- Bugfix: Update spotbit api url and path 2372 (Benjamin B)
- Chore(deps): Bump semver from 5.7.1 to 5.7.2 2353 (dependabot[bot])
- Chore(deps): Bump semver from 6.3.0 to 6.3.1 in /pyinstaller/electron 2352 (dependabot[bot])
- Chore: Regex change to capture labels in wallet data imports better 2357 (Manolis Mandrapilias)
- Chore: Use prettier for Electron app 2347 (Manolis Mandrapilias)
- Chore: Optional ENFORCE_HWI_INITIALISATION_AT_STARTUP 2383 (k9ert)
- Chore: remove SpecterUri 2358 (k9ert)
- Chore: updating flask_babel fixes 2218 2359 (k9ert)
- Feature: Enable import of a multisig wallet that uses a multi-descriptor 2349 (Manolis Mandrapilias)
- Feature: Implement automatic wallet import via Specter URI for MacOS 2344 (Manolis Mandrapilias)
- Security: Fix Electron vulnerable to out-of-package code execution when launched with arbitrary cwd (CVE-2023-39956, Electron 22.1.0 -> 22.3.21) 2380 (Sergev ₱)
- Security: Fix login open redirect due to next parameter manipulation 2350 (zealsham)
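
The last item above names a login open redirect via the `next` parameter. The following is an added illustration of that bug class and a check that closes it; it is generic example code, not Specter's login handler or its fix in 2350, and every `next` value and host in it is constructed.

```python
"""Why a login `next` parameter becomes an open redirect, and a check that closes it.

Added generic example; not Specter's handler or its fix. All inputs constructed.
"""
from urllib.parse import urlsplit


def redirect_target_unsafe(next_param: str, default: str = "/") -> str:
    """The vulnerable shape: whatever the client put in ?next= is used verbatim.
    A phishing link to /login?next=https://evil.example sends the user to the
    attacker's site right after a successful, legitimate login."""
    return next_param or default


def safe_next(next_param: str, default: str = "/") -> str:
    """Return `next_param` only if it is a same-origin, path-only target; else `default`.

    The checks run on the raw string on purpose: browsers resolve '///evil.example'
    and '/\\evil.example' to an external host, while urlsplit() reports an empty
    netloc for both, so a parser-only check is bypassable."""
    if not next_param:
        return default
    # Control characters and whitespace are stripped by some URL parsers, which
    # can turn a rejected prefix into an accepted one; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_param):
        return default
    # Must be an absolute path on this origin: exactly one leading slash.
    if not next_param.startswith("/") or next_param[1:2] in ("/", "\\"):
        return default
    # Backslashes anywhere are normalised to slashes by browsers.
    if "\\" in next_param:
        return default
    # Belt and braces: after the raw checks a scheme or authority must be absent.
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    return next_param


def login_redirect(query: dict) -> str:
    """What a hardened login view would do after authenticating the user."""
    return safe_next(query.get("next", ""))
```

An alternative is to resolve the candidate against the application's own URL and accept it only when the resulting host equals your own; if you take that route, keep the raw leading-slash check, because Python's `urljoin` treats `///evil.example` as a local path while browsers do not.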

Remarks
We fixed 2343, and that fix did, in some cases, cause trouble when signing transactions with Jades. If you are affected, you can enforce an HWI initialisation at startup, which is known to fix that issue. This may, in turn, cause a downside with USB devices that are plugged in at startup.
To do that, set the environment variable ENFORCE_HWI_INITIALISATION_AT_STARTUP to true. This is currently not easy if you run Specter as the GUI application.

Resources


Severity Details

CVSS Base Score: MEDIUM 6.6

CVSS v3 Details (vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L, which yields the 6.6 above)
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): HIGH
Availability Impact (A): LOW