2018-02-07 16:31:49 |
Uli Tillich |
bug |
|
|
added bug |
2018-02-07 16:33:05 |
Uli Tillich |
description |
Description
===========
It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.
The problem has been fixed upstream in version 1.2.1. (planned to be shipped with ubuntu 18.04)
Impact
======
Passwords generated using QtPass can potentially be recovered by an attacker due to the use of a non-cryptographically secure random number generator with a predictable seed. It is recommend to change all passwords created by QtPass.
References
==========
http://www.openwall.com/lists/oss-security/2018/01/05/5 https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338 https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787 https://security.archlinux.org/CVE-2017-18021 |
Description
===========
It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.
The problem has been fixed upstream in version 1.2.1. (planned to be shipped with ubuntu 18.04)
Impact
======
Passwords generated using QtPass can potentially be recovered by an attacker due to the use of a non-cryptographically secure random number generator with a predictable seed. It is recommend to change all passwords created by QtPass.
References
==========
http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338 https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
https://security.archlinux.org/CVE-2017-18021 |
|
2018-02-07 16:33:16 |
Uli Tillich |
description |
Description
===========
It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.
The problem has been fixed upstream in version 1.2.1. (planned to be shipped with ubuntu 18.04)
Impact
======
Passwords generated using QtPass can potentially be recovered by an attacker due to the use of a non-cryptographically secure random number generator with a predictable seed. It is recommend to change all passwords created by QtPass.
References
==========
http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338 https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
https://security.archlinux.org/CVE-2017-18021 |
Description
===========
It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.
The problem has been fixed upstream in version 1.2.1. (planned to be shipped with ubuntu 18.04)
Impact
======
Passwords generated using QtPass can potentially be recovered by an attacker due to the use of a non-cryptographically secure random number generator with a predictable seed. It is recommend to change all passwords created by QtPass.
References
==========
http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338
https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
https://security.archlinux.org/CVE-2017-18021 |
|
2018-02-26 09:58:21 |
Philip Rinn |
cve linked |
|
2017-18021 |
|
2018-02-27 10:09:54 |
Philip Rinn |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886593 |
|
2018-02-27 10:09:54 |
Philip Rinn |
attachment added |
|
qtpass.debdiff https://bugs.launchpad.net/ubuntu/+source/qtpass/+bug/1747954/+attachment/5064303/+files/qtpass.debdiff |
|
2018-02-27 10:10:39 |
Philip Rinn |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2018-02-27 10:10:52 |
Philip Rinn |
bug |
|
|
added subscriber Philip Rinn |
2018-02-27 10:11:17 |
Philip Rinn |
qtpass (Ubuntu): status |
New |
In Progress |
|
2018-02-27 10:11:17 |
Philip Rinn |
qtpass (Ubuntu): assignee |
|
Philip Rinn (rinni) |
|
2018-03-01 01:34:39 |
Launchpad Janitor |
qtpass (Ubuntu): status |
In Progress |
Fix Released |
|