[Lubuntu-admins] [Bug 1747954] Re: qtpass generates possibly predictable and enumerable passwords

2018-02-27 Thread Philip Rinn
I prepared a debdiff against the package in artful. It's the same patch
as for the version in Debian stable (which was already approved and is
in stable proposed updates now ->
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886593).

** Bug watch added: Debian Bug tracker #886593
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886593

** Patch added: "qtpass.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/qtpass/+bug/1747954/+attachment/5064303/+files/qtpass.debdiff

** Changed in: qtpass (Ubuntu)
   Status: New => In Progress

** Changed in: qtpass (Ubuntu)
   Assignee: (unassigned) => Philip Rinn (rinni)

-- 
You received this bug notification because you are a member of Lubuntu
Packages Team, which is subscribed to qtpass in Ubuntu.
https://bugs.launchpad.net/bugs/1747954

Title:
  qtpass generates possibly predictable and enumerable passwords

Status in qtpass package in Ubuntu:
  In Progress

Bug description:
  Description
  ===
  It was discovered that QtPass before 1.2.1, when using the built-in
  password generator, generates possibly predictable and enumerable
  passwords. This only applies to the QtPass GUI. The generator used
  libc's random(), seeded with srand(msecs), where msecs is not the msecs
  since 1970 (not that that'd be secure anyway), but rather the msecs
  since the last second. This means there are only 1000 different
  sequences of generated passwords.

  The problem has been fixed upstream in version 1.2.1 (planned to be
  shipped with Ubuntu 18.04).

  Impact
  ==
  Passwords generated using QtPass can potentially be recovered by an
  attacker due to the use of a non-cryptographically secure random number
  generator with a predictable seed. It is recommended to change all
  passwords created by QtPass.

  References
  ==
  http://www.openwall.com/lists/oss-security/2018/01/05/5
  https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
  https://github.com/IJHack/QtPass/issues/338
  https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
  https://security.archlinux.org/CVE-2017-18021

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtpass/+bug/1747954/+subscriptions

-- 
Mailing list: https://launchpad.net/~lubuntu-admins
Post to : lubuntu-admins@lists.launchpad.net
Unsubscribe : https://launchpad.net/~lubuntu-admins
More help   : https://help.launchpad.net/ListHelp
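The seeding flaw from the bug description above, modelled in C as an added example. This is illustration code written for this page; it is not QtPass's generator and not the upstream fix. What is taken from the report is only that the seed is the millisecond within the current second (0..999), so at most 1000 output sequences exist. The alphabet, the password length, the `rand() % alphabet` mapping and the /dev/urandom-based replacement are assumptions made here. The block enumerates every candidate the weak generator can produce for a given length, recovers the seed behind one observed password by trying the 1000 seeds, and shows a replacement that draws from the OS CSPRNG with rejection sampling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed alphabet; the page does not give QtPass's real one. */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define CHARSET_LEN (sizeof(CHARSET) - 1)   /* 62 */
#define MAX_PW 64
#define SEED_SPACE 1000   /* msec within the current second: 0..999 */

/* Weak generator as the report describes it: the libc PRNG seeded with the
 * millisecond part of the clock. On glibc srand() is the same function as
 * srandom() and rand() returns random()'s output, so this matches the
 * srand(msecs) + random() pairing named in the report. */
void weak_generate(unsigned seed_msec, char *out, size_t len)
{
    srand(seed_msec);
    for (size_t i = 0; i < len; i++)
        out[i] = CHARSET[rand() % CHARSET_LEN];
    out[len] = '\0';
}

/* How many distinct passwords of a given length the weak generator can emit:
 * the seed has 1000 values, so never more than 1000 whatever len is (glibc
 * maps seed 0 to seed 1, so there it is 999). Returns -1 if len is too big. */
int count_distinct_candidates(size_t len)
{
    static char table[SEED_SPACE][MAX_PW + 1];
    int distinct = 0;
    if (len > MAX_PW) return -1;
    for (unsigned s = 0; s < SEED_SPACE; s++) {
        int dup = 0;
        weak_generate(s, table[distinct], len);
        for (int k = 0; k < distinct && !dup; k++)
            dup = strcmp(table[k], table[distinct]) == 0;
        if (!dup) distinct++;
    }
    return distinct;
}

/* The enumeration the report warns about: given one observed password, try
 * every possible seed. Returns the first matching seed, or -1 if none. */
int weak_recover_seed(const char *observed)
{
    char candidate[MAX_PW + 1];
    size_t len = strlen(observed);
    if (len > MAX_PW) return -1;
    for (unsigned s = 0; s < SEED_SPACE; s++) {
        weak_generate(s, candidate, len);
        if (strcmp(candidate, observed) == 0) return (int)s;
    }
    return -1;
}

/* Generate with a known seed, then recover it; returns the recovered seed. */
int recover_self_check(unsigned seed_msec, size_t len)
{
    char pw[MAX_PW + 1];
    if (len > MAX_PW) return -1;
    weak_generate(seed_msec, pw, len);
    return weak_recover_seed(pw);
}

/* Replacement: bytes from the OS CSPRNG, mapped onto the alphabet with
 * rejection sampling so "byte % 62" does not favour the first 8 characters.
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
int strong_generate(char *out, size_t len)
{
    const unsigned limit = 256 - (256 % CHARSET_LEN);   /* 248 */
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    if (!f) return -1;
    while (i < len) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        if (b >= limit) continue;                /* reject 248..255 */
        out[i++] = CHARSET[b % CHARSET_LEN];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* Two CSPRNG draws must succeed, stay inside CHARSET and differ. Returns 1/0. */
int strong_self_check(size_t len)
{
    char a[MAX_PW + 1], b[MAX_PW + 1];
    if (len > MAX_PW || strong_generate(a, len) || strong_generate(b, len))
        return 0;
    return strspn(a, CHARSET) == len && strspn(b, CHARSET) == len
        && strcmp(a, b) != 0;
}

int main(void)
{
    char pw[MAX_PW + 1];
    weak_generate(777, pw, 16);
    printf("weak, msec=777:      %s\n", pw);
    printf("distinct candidates: %d\n", count_distinct_candidates(16));
    printf("seed recovered:      %d\n", weak_recover_seed(pw));
    if (strong_generate(pw, 16) == 0) printf("CSPRNG:              %s\n", pw);
    return 0;
}
```

Compile with any C99 compiler and run it: the candidate count stays at 1000 (999 on glibc) no matter how long the password is, which is the whole point of the report, and the seed comes back from a single observed password after at most 1000 trials. The replacement reads the kernel entropy source directly; a real fix would use whatever CSPRNG the application already has, which is what matters, not the exact source chosen here.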


[Lubuntu-admins] [Bug 1747954] Re: qtpass generates possibly predictable and enumerable passwords

2018-02-26 Thread Philip Rinn
Hi,

QtPass uses `pwgen` to generate passwords by default. This means, if you
didn't change the configuration to use the built-in password generator,
your passwords are safe. If you used the built-in password generator,
change all passwords you generated with QtPass.

So, the number of affected people using the Ubuntu/Debian version should
be rather low. Nonetheless there is a fixed version available in bionic
and I prepared a fix for qtpass 1.1.6 (the version in artful) which
Ubuntu could copy from Debian stable-proposed-updates.

You should point the Ubuntu security team to the fixed version for
artful (1.1.6-1+deb9u1) and ask them to copy it from Debian s-p-u.

Hope that helps

Philip

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18021

Title:
  qtpass generates possibly predictable and enumerable passwords

Status in qtpass package in Ubuntu:
  New
