paolostivanin / OTPClient

Highly secure and easy to use OTP client written in C/GTK3 that supports both TOTP and HOTP
GNU General Public License v3.0

Segfault on importing encrypted Aegis #385

Closed pepa65 closed 2 weeks ago

pepa65 commented 1 month ago

Built from git repo 3cdc0e7 according to instructions (but using /usr/local for CMAKE_INSTALL_PREFIX), no errors reported.

ulimit -l: 1000000

Running: otpclient-cli -t aegis_encrypted --import -f aegis.json segfaults.

Running with gdb:

Starting program: /usr/local/bin/otpclient-cli -t aegis_encrypted --import -f aegis.json
warning: could not find '.gnu_debugaltlink' file for /lib/x86_64-linux-gnu/libgobject-2.0.so.0
warning: could not find '.gnu_debugaltlink' file for /lib/x86_64-linux-gnu/libglib-2.0.so.0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: could not find '.gnu_debugaltlink' file for /lib/x86_64-linux-gnu/libgmodule-2.0.so.0
[New Thread 0x7ffff74006c0 (LWP 1281361)]
[New Thread 0x7ffff6a006c0 (LWP 1281362)]
[New Thread 0x7ffff60006c0 (LWP 1281363)]
[New Thread 0x7ffff56006c0 (LWP 1281364)]
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
Type the password for the file you want to import: 

Thread 1 "otpclient-cli" received signal SIGSEGV, Segmentation fault.
__strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex-base.S:81
warning: 81     ../sysdeps/x86_64/multiarch/strlen-evex-base.S: No such file or directory

Am I missing some dependency still??
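
The backtrace above ends inside glibc's `strlen` immediately after the password prompt, but the thread does not say which pointer reached it. The example below is added for illustration only; it is not OTPClient's code and does not claim to be the cause of this crash. It assumes a hypothetical password reader (`read_password_line`) that returns NULL when the input stream hits EOF or an error, and contrasts a consumer that hands that pointer straight to `strlen` (the pattern that faults exactly like the trace) with one that checks it first. Input is constructed in memory via `fmemopen`, so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen, strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical password reader (assumption, not OTPClient's code).
 * Reads one line from `in`, strips the trailing newline and returns a
 * heap copy. On EOF or read error it returns NULL, which is the value
 * an unguarded caller must never pass to strlen(). */
char *read_password_line(FILE *in)
{
    char buf[256];
    if (fgets(buf, sizeof buf, in) == NULL) {
        return NULL;                  /* EOF or error: no password read */
    }
    buf[strcspn(buf, "\r\n")] = '\0'; /* drop newline if present */
    return strdup(buf);
}

/* Unsafe consumer: assumes the reader always succeeded.
 * With pw == NULL this faults inside strlen(), as in the gdb trace. */
size_t password_length_unchecked(const char *pw)
{
    return strlen(pw);
}

/* Guarded consumer: reports the failure instead of dereferencing NULL.
 * Returns 0 on success (length in *out_len), -1 if no password is present. */
int password_length_checked(const char *pw, size_t *out_len)
{
    if (pw == NULL) {
        return -1;
    }
    *out_len = strlen(pw);
    return 0;
}

/* Drives the reader over a constructed in-memory stream and returns the
 * n-th line (1-based) as the reader would hand it to a caller, or NULL
 * when the stream is exhausted first. Caller frees the result. */
char *nth_password(const char *text, int n)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (f == NULL) {
        return NULL;
    }
    char *pw = NULL;
    for (int i = 0; i < n; i++) {
        free(pw);
        pw = read_password_line(f);
        if (pw == NULL) {
            break;                    /* stream ran dry before line n */
        }
    }
    fclose(f);
    return pw;
}

int main(void)
{
    /* Constructed input: a single password line, then EOF. */
    const char *input = "correct horse battery staple\n";
    size_t len = 0;

    char *first = nth_password(input, 1);
    if (password_length_checked(first, &len) == 0) {
        printf("first read: %zu characters\n", len);
    }
    free(first);

    /* Second read hits EOF; the guarded path reports it cleanly,
     * the unchecked path would SIGSEGV inside strlen(). */
    char *second = nth_password(input, 2);
    if (password_length_checked(second, &len) != 0) {
        printf("second read: no password available (EOF)\n");
    }
    free(second);
    return 0;
}
```

The practical takeaway for triage is that a `strlen` frame at the top of a SIGSEGV backtrace with no application frames below it usually means the caller passed an invalid pointer rather than a bug in libc; stepping up one frame in gdb (`up`) shows which call site handed it over.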

paolostivanin commented 3 weeks ago

Hello, thanks for reporting this! I'll have a look at it ASAP.

What OS are you using?

pepa65 commented 3 weeks ago

Linux Mint 22 (based on Ubuntu 24.04)

paolostivanin commented 2 weeks ago

I've just installed LM 22 on a VM and tried to import an Aegis backup; it worked well, no issues. I did install the package from the official PPA though: https://launchpad.net/~polslinux/+archive/ubuntu/otpclient/+packages

pepa65 commented 2 weeks ago

If you want to reproduce it, you should build from the repo. But I'll try the PPA, didn't know about that.

pepa65 commented 2 weeks ago

OK, the import seems to work with the deb packages from the PPA. When running the GUI client, it seems you have to click on the entry you'd like to see the OTP and Validity for. The shocking thing is, it never asked for a password!! I am inclined to incinerate all OTP.enc files and remove all binaries, or is there a reasonable explanation??

paolostivanin commented 2 weeks ago

Don't incinerate anything :smile: it's a feature that was introduced a long time ago: https://github.com/paolostivanin/OTPClient/issues/275

pepa65 commented 2 weeks ago

Ah, I was wondering what Secret Service meant... But if you claim that OTPClient is secure, the least you can do is to turn the Secret Service off by default. Any security breach of someone's system would give an attacker instant access to all their OTPclient secrets, no password needed...