[ASA-201801-11] qtpass: private key recovery

Jelle van der Waa jelle at archlinux.org
Sun Jan 14 20:18:11 UTC 2018


Arch Linux Security Advisory ASA-201801-11
==========================================

Severity: High
Date    : 2018-01-11
CVE-ID  : CVE-2017-18021
Package : qtpass
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-576

Summary
=======

The package qtpass before version 1.2.1-1 is vulnerable to private key
recovery.

Resolution
==========

Upgrade to 1.2.1-1.

# pacman -Syu "qtpass>=1.2.1-1"

The problem has been fixed upstream in version 1.2.1.

Workaround
==========

Use pwgen for generating new passwords.

Description
===========

It was discovered that QtPass before 1.2.1, when using the built-in
password generator, generates possibly predictable and enumerable
passwords. This only applies to the QtPass GUI. The generator used
libc's random(), seeded with srand(msecs), where msecs is not the msecs
since 1970 (not that that'd be secure anyway), but rather the msecs
since the last second. This means there are only 1000 different
sequences of generated passwords.
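The weak scheme the description outlines, beside a hardened replacement, as an added example that is not QtPass's own code: the alphabet and the 16-character length are assumptions (the advisory does not give QtPass's character set), and weak_keyspace() makes the 1000-sequence bound concrete.

```c
#define _DEFAULT_SOURCE /* glibc: expose srandom()/random() under strict -std= */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed alphabet: the advisory does not give QtPass's real character set. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHA_LEN (sizeof(ALPHABET) - 1)
enum { MAX_LEN = 64, SEEDS = 1000 };
/* Weak scheme as described in the advisory: libc random() seeded with the
 * millisecond within the current second, so only 1000 seeds are possible. */
void weak_generate(unsigned msec_in_second, char *out, size_t len) {
    srandom(msec_in_second);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[random() % ALPHA_LEN];
    out[len] = '\0';
}
/* Hardened replacement: bytes from the OS CSPRNG, with rejection sampling so
 * every alphabet character is equally likely (no modulo bias). */
int secure_generate(char *out, size_t len) {
    const unsigned limit = 256 - (256 % ALPHA_LEN); /* bytes >= limit rejected */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (size_t i = 0; i < len;) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if ((unsigned)b < limit) out[i++] = ALPHABET[b % ALPHA_LEN];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}
/* Distinct passwords the weak scheme can ever emit: one per seed, at most 1000. */
size_t weak_keyspace(size_t len) {
    static char pw[SEEDS][MAX_LEN + 1];
    size_t distinct = 0;
    if (len > MAX_LEN) return 0;
    for (unsigned s = 0; s < SEEDS; s++) {
        weak_generate(s, pw[s], len);
        unsigned j = 0;
        while (j < s && strcmp(pw[j], pw[s]) != 0) j++;
        if (j == s) distinct++; /* not produced by any earlier seed */
    }
    return distinct;
}
int main(void) { /* stand-alone demo */
    char pw[17];
    if (secure_generate(pw, 16) != 0) return 1;
    printf("weak keyspace: %zu, CSPRNG sample: %s\n", weak_keyspace(16), pw);
}
```

Whatever length is chosen, weak_keyspace() never exceeds 1000, because the seed, not the length, bounds the output space; the hardened generator has no such bound.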

Impact
======

Passwords generated using QtPass can potentially be recovered by an
attacker due to the use of a non-cryptographically secure random number
generator with a predictable seed. It is recommended to change all
passwords created by QtPass.

References
==========

http://www.openwall.com/lists/oss-security/2018/01/05/5
https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
https://github.com/IJHack/QtPass/issues/338
https://github.com/IJHack/QtPass/commit/e7bd0651335e1bf4f01512d1555fe0b960ff1787
https://security.archlinux.org/CVE-2017-18021