Arch Linux: Private key recovery (CVE-2017-18021)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Jan 5, 2018 | Jul 11, 2025 | Nov 27, 2025 |
Description
QtPass before 1.2.1, when using its built-in password generator, produces predictable and enumerable passwords. This affects only the QtPass GUI. The generator drew from libc's random(), seeded via srand(msecs), where msecs is not the milliseconds since 1970 (which would not be secure either) but the millisecond offset within the current second. The seed therefore takes at most 1000 distinct values, so there are only 1000 possible sequences of generated passwords, and anyone who knows the generator's character set and password length can enumerate every candidate.
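The following is an added example, not QtPass or Arch Linux code, that models the weakness just described and its fix. The character set, password length, and the exact seeding call (srandom with the millisecond field) are assumptions for illustration; the hardened variant reads the OS CSPRNG via /dev/urandom, which assumes a POSIX system.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed charset and length; QtPass's real values are not taken from the page. */
#define CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
#define PW_LEN 16
#define SEED_SPACE 1000   /* msec within the current second: 0..999 */

/* Weak generator modelled on the advisory: the only entropy is the
 * millisecond field, so srandom() sees at most 1000 distinct seeds. */
void weak_generate(unsigned msec, char *out, size_t len)
{
    size_t n = strlen(CHARSET);
    srandom(msec % SEED_SPACE);
    for (size_t i = 0; i < len; i++)
        out[i] = CHARSET[random() % n];
    out[len] = '\0';
}

/* Attacker side: replay every possible seed and compare against the
 * observed password. Returns the matching seed, or -1 if none matches. */
int recover_seed(const char *target, size_t len)
{
    char cand[PW_LEN + 1];
    for (unsigned s = 0; s < SEED_SPACE; s++) {
        weak_generate(s, cand, len);
        if (strcmp(cand, target) == 0)
            return (int)s;
    }
    return -1;
}

/* How many distinct passwords can the weak generator ever emit?
 * Never more than SEED_SPACE, whatever the password length. */
unsigned count_distinct_weak(size_t len)
{
    static char pool[SEED_SPACE][PW_LEN + 1];
    unsigned distinct = 0;
    for (unsigned s = 0; s < SEED_SPACE; s++) {
        weak_generate(s, pool[s], len);
        int dup = 0;
        for (unsigned t = 0; t < s; t++)
            if (strcmp(pool[t], pool[s]) == 0) { dup = 1; break; }
        if (!dup) distinct++;
    }
    return distinct;
}

/* Hardened replacement: bytes from the OS CSPRNG, with rejection sampling
 * so the modulo does not bias the character distribution.
 * Returns 0 on success, -1 if /dev/urandom is unavailable. */
int strong_generate(char *out, size_t len)
{
    size_t n = strlen(CHARSET);
    unsigned limit = 256 - (256 % (unsigned)n);   /* largest multiple of n <= 256 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t i = 0;
    while (i < len) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        if (b >= limit) continue;                 /* reject to keep uniformity */
        out[i++] = CHARSET[b % n];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* Round trip used by the self-check: generate with `seed`, then recover it. */
int demo_recover(unsigned seed)
{
    char pw[PW_LEN + 1];
    weak_generate(seed, pw, PW_LEN);
    return recover_seed(pw, PW_LEN);
}

/* 1 if the strong generator produced a full-length password drawn from CHARSET. */
int demo_strong_ok(void)
{
    char pw[PW_LEN + 1];
    if (strong_generate(pw, PW_LEN) != 0) return 0;
    return strlen(pw) == PW_LEN && strspn(pw, CHARSET) == PW_LEN;
}

int main(void)
{
    char pw[PW_LEN + 1];
    weak_generate(437, pw, PW_LEN);
    printf("weak password: %s -> recovered seed %d\n", pw, recover_seed(pw, PW_LEN));
    printf("distinct weak passwords: %u (of %u seeds)\n",
           count_distinct_weak(PW_LEN), SEED_SPACE);
    if (strong_generate(pw, PW_LEN) == 0)
        printf("strong password: %s\n", pw);
    return 0;
}
```

The brute force takes a millisecond or so: the attacker needs only the generator's charset and length, both of which are visible in the application, and the password itself. Note that glibc's srandom() maps seed 0 to 1, so two of the 1000 seeds collide there and the real count is even smaller; a fix must replace the entropy source, not lengthen the password.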
Solution
arch-linux-upgrade-latest: upgrade the qtpass package to 1.2.1 or later (see ASA-201801-11).
References
- CVE-2017-18021
- https://attackerkb.com/topics/CVE-2017-18021
- https://github.com/IJHack/QtPass/issues/338
- https://github.com/IJHack/QtPass/releases/tag/v1.2.1
- https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html
- https://qtpass.org/
- https://security.archlinux.org/ASA-201801-11
- CWE-338