CVE-2017-18021 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Private key recovery
Description	It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-576	qtpass	1.2.0-1	1.2.1-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
11 Jan 2018	ASA-201801-11	AVG-576	qtpass	High	private key recovery

References
http://www.openwall.com/lists/oss-security/2018/01/05/5 https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html https://github.com/IJHack/QtPass/issues/338 https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787

References

http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338
https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787

Notes
It is advised to change all your passwords and regenerate them using a secure utility such as pass, or update to the latest version of QtPass and regenerate from there.