Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2017-18021 - log back

CVE-2017-18021 created at 25 Sep 2019 19:31:40

Severity

+

High

Remote

+

Remote

Type

+	Private key recovery

Description

+

It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.

References

+	http://www.openwall.com/lists/oss-security/2018/01/05/5
+	https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
+	https://github.com/IJHack/QtPass/issues/338
+	https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787

Notes

+	It is advised to change all your passwords and regenerate them using a secure utility such as pass, or update to the latest version of QtPass and regenerate from there.