Bug 225379

Summary: sysutils/qtpass: Update to 1.2.1
Product: Ports & Packages
Reporter: Anne Jan Brouwer <brouwer>
Component: Individual Port(s)
Assignee: Yuri Victorovich <yuri>
Status: Closed FIXED
Severity: Affects Only Me
CC: rm, yuri
Priority: ---
Flags: rm: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments (description, then flags):
patch from 1.1.6 to 1.2.1 (flags: brouwer: maintainer-approval+, brouwer: maintainer-approval+)
Patch from 1.1.6 to 1.2.1 (now with added testlib) (flags: brouwer: maintainer-approval+)

Description Anne Jan Brouwer 2018-01-22 14:31:49 UTC
Created attachment 189966
patch from 1.1.6 to 1.2.1
Comment 1 Anne Jan Brouwer 2018-01-22 14:32:52 UTC
The way QtPass prior to 1.2.1 generates passwords is insecure.
---

All passwords generated with QtPass's built-in password generator are possibly predictable and enumerable by hackers. The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second.
This means there are only 1000 different sequences of generated passwords.

All passwords that have been generated with QtPass prior to 1.2.1 should be regenerated and changed.

* Insecure password generation #338 #342
* Version 1.2.0 leaks passwords #334
* When importing settings from 1.1.5 or older clipboard settings revert to No Clipboard #232
* Add Catalan translation #336 (rbuj)
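
The keyspace collapse described in comment 1, shown as an added example (not part of this report and not QtPass's code): a generator seeded with a 0..999 millisecond value can emit at most 1000 different passwords, next to a variant that draws from the kernel CSPRNG. The function names, the 16-character length, the 62-symbol alphabet and the use of srand()/rand() as the libc PRNG are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN 16 /* assumed length; the alphabet below is assumed too */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define NSYM ((unsigned)(sizeof CHARSET - 1))

/* Weak pattern from the report: libc PRNG seeded with milliseconds 0..999. */
static void weak_password(unsigned msecs, char out[PW_LEN + 1]) {
    srand(msecs);
    for (int i = 0; i < PW_LEN; i++)
        out[i] = CHARSET[(unsigned)rand() % NSYM];
    out[PW_LEN] = '\0';
}

/* Count the distinct passwords the weak generator can ever produce. */
static int weak_keyspace(void) {
    static char seen[1000][PW_LEN + 1];
    int distinct = 0;
    for (unsigned ms = 0; ms < 1000; ms++) {
        int j = 0;
        weak_password(ms, seen[distinct]); /* candidate goes in the next slot */
        while (j < distinct && strcmp(seen[j], seen[distinct]) != 0) j++;
        if (j == distinct) distinct++;     /* not seen before: keep it */
    }
    return distinct;
}

/* Hardened form: kernel CSPRNG bytes, rejection sampling avoids modulo bias. */
static int strong_password(char out[PW_LEN + 1]) {
    const unsigned limit = 256 - (256 % NSYM);
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < PW_LEN; ) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c < limit) out[i++] = CHARSET[(unsigned)c % NSYM];
    }
    fclose(f);
    out[PW_LEN] = '\0';
    return 0;
}

int main(void) {
    char pw[PW_LEN + 1];
    printf("weak generator: %d distinct passwords\n", weak_keyspace());
    return strong_password(pw) == 0 ? 0 : 1;
}
```

The count is independent of password length or alphabet size: the seed range alone bounds it, which is why the report asks for every password generated before 1.2.1 to be replaced.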
Comment 2 Anne Jan Brouwer 2018-01-22 14:35:06 UTC
Comment on attachment 189966
patch from 1.1.6 to 1.2.1

Tested with portlint and poudriere
Comment 3 Anne Jan Brouwer 2018-01-22 14:43:51 UTC
Comment on attachment 189966
patch from 1.1.6 to 1.2.1

Index: Makefile
===================================================================
--- Makefile	(revision 459655)
+++ Makefile	(working copy)
@@ -1,8 +1,7 @@
# $FreeBSD$

PORTNAME=	qtpass
-PORTVERSION=	1.1.6
-PORTREVISION=	1
+PORTVERSION=	1.2.1
DISTVERSIONPREFIX=v
CATEGORIES=	sysutils

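Review bot: the new PORTVERSION= 1.2.1 line sits directly above DISTVERSIONPREFIX=v, so the version is being set on the port side while the prefix is applied on the distfile side; setting DISTVERSION= 1.2.1 here and letting the framework derive PORTVERSION keeps the two in step. The commit log for this PR lists "Changed to DISTVERSION" as one of the committer's adjustments. Dropping PORTREVISION on the version bump is correct.
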
@@ -19,7 +18,7 @@
GH_ACCOUNT=	IJhack
GH_PROJECT=	QtPass

-USE_QT5=	buildtools_build core gui linguisttools_build network widgets
+USE_QT5=	buildtools_build core gui linguisttools_build network widgets testlib
USE_GL=		gl

PLIST_FILES=	bin/qtpass \
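
Review bot: appending testlib on the +USE_QT5= line is not matched by any plist change, since the PLIST_FILES context line below still begins with only bin/qtpass; the check-plist log in comment 6 reports the result as an orphaned %%QT_TESTDIR%%/qtpass/util/tst_util. Either add that file to the plist or keep the test binary out of the stage directory. testlib placed after widgets also leaves the component list unsorted.
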
Index: distinfo
===================================================================
--- distinfo	(revision 459655)
+++ distinfo	(working copy)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1483466358
-SHA256 (IJhack-QtPass-v1.1.6_GH0.tar.gz) = d24d95de129ce716b9b0fde6114407f860ce8c77106bd0ee6a12e8e4e0deb42b
-SIZE (IJhack-QtPass-v1.1.6_GH0.tar.gz) = 325329
+TIMESTAMP = 1516634686
+SHA256 (IJhack-QtPass-v1.2.1_GH0.tar.gz) = f2aa1a54ed273546aab8933e560218b7b59f7f07000d93c018ec8d6ccdedcd5d
+SIZE (IJhack-QtPass-v1.2.1_GH0.tar.gz) = 361147
Comment 4 Anne Jan Brouwer 2018-01-22 14:48:53 UTC
Created attachment 189968
Patch from 1.1.6 to 1.2.1 (now with added testlib)
Comment 5 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2018-01-22 16:54:20 UTC
I'll take it.
Comment 6 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2018-01-22 18:07:34 UTC
Hello,

qtpass doesn't package with the latest patch:


====> Compressing man pages (compress-man)
===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: %%QT_TESTDIR%%/qtpass/util/tst_util
===> Checking for items in pkg-plist which are not in STAGEDIR
===> Error: Plist issues found.
*** Error code 1

So either fix pkg-plist or remove the testlib component.

And please do not include the Windows carriage return chars into your patches - patch fails to apply with them inside:


Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: Makefile
|===================================================================
|--- Makefile	(revision 459655)
|+++ Makefile	(working copy)
--------------------------
Patching file Makefile using Plan A...
patch: **** malformed patch at line 6: # $FreeBSD$

Thank you!
Comment 7 Anne Jan Brouwer 2018-01-22 18:44:45 UTC
I'll look into making it possible to disable `testlib` (currently not working from base source)

> And please do not include the Windows carriage return chars into your patches

That must have been my `svn diff | mail diff@annejan.com` command, will take care of removing them next round.
Comment 8 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2018-01-22 19:45:43 UTC
Great, looking forward to updated patch. Thank you!
Comment 9 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2018-02-03 12:34:30 UTC
Hello, any news on this one?
Comment 10 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2018-02-11 19:47:49 UTC
Back to the pool.
Comment 11 Yuri Victorovich freebsd_committer freebsd_triage 2018-02-22 07:07:15 UTC
Committed with small changes.
Thank you for your update!
Comment 12 commit-hook freebsd_committer freebsd_triage 2018-02-22 07:07:50 UTC
A commit references this bug:

Author: yuri
Date: Thu Feb 22 07:07:10 UTC 2018
New revision: 462563
URL: https://svnweb.freebsd.org/changeset/ports/462563

Log:
  sysutils/qtpass: Update to 1.2.1

  Changelog:
  https://github.com/IJHack/QtPass/blob/master/CHANGELOG.md

  Additional port changes:
  * Changed to DISTVERSION
  * Added to and sorted USE_QT5

  PR:		225379
  Submitted by:	Anne Jan Brouwer <brouwer@annejan.com> (maintainer)
  Approved by:	tcberner (mentor, implicit)

Changes:
  head/sysutils/qtpass/Makefile
  head/sysutils/qtpass/distinfo