This bug was fixed in the package qtpass - 1.1.6-1ubuntu0.1
---------------
qtpass (1.1.6-1ubuntu0.1) artful-security; urgency=low
* SECURITY UPDATE: Insecure built-in password generator (LP: #1747954)
- debian/patches/01-fix-password-generator.patch: Fix password generator
- debian/NEWS: Warn users to eventually regenerate their passwords
- CVE-2017-18021
-- Philip Rinn <[email protected]> Tue, 27 Feb 2018 10:45:10 +0100
** Changed in: qtpass (Ubuntu)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1747954
Title:
qtpass generates possibly predictable and enumerable passwords
Status in qtpass package in Ubuntu:
Fix Released
Bug description:
Description
===========
It was discovered that QtPass before 1.2.1, when using the built-in password
generator, generates possibly predictable and enumerable passwords. This only
applies to the QtPass GUI. The generator used libc's random(), seeded with
srand(msecs), where msecs is not the msecs since 1970 (not that that'd be
secure anyway), but rather the msecs since the last second. This means there
are only 1000 different sequences of generated passwords.
The problem has been fixed upstream in version 1.2.1 (planned to be
shipped with Ubuntu 18.04).
Impact
======
Passwords generated using QtPass can potentially be recovered by an attacker
due to the use of a non-cryptographically secure random number generator with a
predictable seed. It is recommended to change all passwords created by QtPass.
References
==========
http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338
https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
https://security.archlinux.org/CVE-2017-18021
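The seeding flaw from the bug description, as an added C example (not code from QtPass, the Ubuntu patch, or this bug report): a simplified model of a generator seeded with only the millisecond part of the clock, next to a replacement that draws from the kernel CSPRNG. The alphabet, the password length and all function names are assumptions made for illustration, and libc srand()/rand() stand in for the generator the description names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>               /* getrandom(): Linux, glibc >= 2.25 */

#define PW_LEN 16                     /* assumed password length */
static const char CHARSET[] =         /* assumed alphabet, 62 symbols */
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Weak pattern: the seed is the millisecond part of the time, 0..999. */
static void weak_password(unsigned msec_seed, char out[PW_LEN + 1]) {
    srand(msec_seed);
    for (int i = 0; i < PW_LEN; i++)
        out[i] = CHARSET[rand() % (sizeof CHARSET - 1)];
    out[PW_LEN] = '\0';
}

/* Hardened form: kernel CSPRNG bytes, rejection-sampled so that the
 * reduction modulo the alphabet size introduces no bias. */
static int strong_password(char out[PW_LEN + 1]) {
    const unsigned n = sizeof CHARSET - 1;
    const unsigned limit = 256 - (256 % n);   /* largest multiple of n <= 256 */
    for (int i = 0; i < PW_LEN; ) {
        unsigned char b;
        if (getrandom(&b, 1, 0) != 1) return -1;
        if (b < limit) out[i++] = CHARSET[b % n];
    }
    out[PW_LEN] = '\0';
    return 0;
}

/* Walk the whole seed space and count how many different passwords the
 * weak generator can ever emit; the count can never exceed 1000. */
static int weak_distinct_outputs(void) {
    static char seen[1000][PW_LEN + 1];
    int distinct = 0;
    for (unsigned s = 0; s < 1000; s++) {
        char pw[PW_LEN + 1];
        int dup = 0;
        weak_password(s, pw);
        for (int j = 0; j < distinct && !dup; j++) dup = !strcmp(seen[j], pw);
        if (!dup) strcpy(seen[distinct++], pw);
    }
    return distinct;
}

int main(void) {
    char pw[PW_LEN + 1];
    printf("weak generator: %d distinct passwords in total\n", weak_distinct_outputs());
    if (strong_password(pw) == 0) printf("CSPRNG sample: %s\n", pw);
}
```

However long the password, the weak generator carries at most log2(1000), about 10 bits, of entropy, while 16 symbols drawn uniformly from 62 carry about 95 bits.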