Bug 1564211 - Package contains a serious bug (fixed in source already) that locks CLI on uploads/syncs, and bans the IP.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: lastpass-cli
Version: epel7
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Robert-André Mauchin 🐧
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-04-05 16:47 UTC by Ventz
Modified: 2020-07-01 18:11 UTC
CC List: 4 users

Fixed In Version: 1.3.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-01 18:11:30 UTC
Type: Bug



Description Ventz 2018-04-05 16:47:35 UTC
Description of problem:
Package is badly outdated (multi-years).
Developer has confirmed a serious bug in terms of the upload queue sync and backoff code.

The current code in the package DoSes their servers, and the servers will ban the IP of the client.


Version-Release number of selected component (if applicable):
Latest is: 1.3
RPM Package is: 0.8

How reproducible:
Logging into the CLI client with a LastPass Enterprise account, and trying to create multiple items which require a sync (explicit or implicit) will end up blocking the client and banning the IP address. The client does not back off properly, so the server interprets it as abuse.



Steps to Reproduce:
1. export LPASS_LOG_LEVEL=8 && export LPASS_HOME=/root/.lpass && export LPASS_AGENT_TIMEOUT=0 && lpass login $LASTPASS_ACCOUNT_ADMIN

2. printf "Username: TEST\nPassword: TEST\nURL: TEST" | lpass add TEST --non-interactive

3. Repeat a few times

Actual results:

# lpass ls
(none)
    TEST [id: 0] <-- problem being the "ID: 0" -- means not uploaded/synced.

# ps aux | grep lpass
-> You will see an "upload" queue stuck

# cd /root/.lpass/

You will notice an "upload-queue" directory that is not empty. (stuck)

At last, the final test in this case when this happens:

# lpass sync
-> will hang indefinitely

At this point - it DoSes the server -- and the server bans the IP.

Expected results:
Upload should go through instantly, and lpass show will show an ID #.

# lpass sync
-> syncs perfectly and instantly.

# cd /root/.lpass

The upload queue will be empty.


Additional info:

We have been working with the LastPass CLI developer directly:

note: LogMeIn acquired LastPass and LastPass Enterprise
Andras Rutkai <Andras.Rutkai@logmein.com>
(and before that, the original developer who recently moved on - Bob Copeland)

Andras has confirmed that the EPEL package needs to be updated.
He has also confirmed that the github repository already contains the fix. We have tested, and it does in fact contain the fix.

See here: https://github.com/lastpass/lastpass-cli

Thanks.
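The two symptoms the report gives ("[id: 0]" entries in `lpass ls`, a non-empty upload-queue directory) are easy to turn into a health check, and the missing behaviour it describes (backing off instead of hammering the server) is easy to show as a wrapper. The script below is an added illustration, not code from lastpass-cli or from the reporter; the function names, the default delays (2 s base, 300 s cap, 5 attempts), the 60 s per-attempt timeout and the use of coreutils `timeout` are all assumptions.

```sh
#!/bin/sh
# Illustrative check for the symptoms described above; not part of lastpass-cli.
# Two signs the upload queue is stuck, taken from the report:
#   * `lpass ls` shows an entry as "[id: 0]"  -> never uploaded/synced
#   * $LPASS_HOME/upload-queue is non-empty   -> uploads still pending
# plus a capped exponential backoff so a retry loop cannot hammer the server.
# Function names and defaults (base 2 s, cap 300 s, 5 attempts) are assumptions.

# Count entries that `lpass ls` reports with id 0. Reads the listing on
# stdin so it can be exercised offline:  lpass ls | count_unsynced
count_unsynced() {
    # grep -c exits 1 when there is no match but still prints "0"
    grep -c '\[id: 0\]' || true
}

# Number of pending files in <LPASS_HOME>/upload-queue (0 = drained).
queue_depth() {
    dir="$1/upload-queue"
    if [ -d "$dir" ]; then
        ls -A "$dir" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Seconds to wait before retry number $1 (0-based): base * 2^attempt, capped
# at max. The cap keeps a long outage from becoming an unbounded wait; the
# doubling keeps a burst of failures from becoming a burst of requests.
backoff_seconds() {
    attempt="$1"; base="${2:-2}"; max="${3:-300}"
    if [ "$attempt" -gt 30 ]; then attempt=30; fi   # never shift past 64 bits
    delay=$((base << attempt))
    if [ "$delay" -gt "$max" ]; then delay="$max"; fi
    echo "$delay"
}

# Verdict for one LPASS_HOME. `lpass ls` output arrives on stdin. Prints a
# one-line status; returns 1 when either symptom is present.
queue_stuck() {
    home="$1"
    unsynced=$(count_unsynced)
    depth=$(queue_depth "$home")
    if [ "$unsynced" -gt 0 ] || [ "$depth" -gt 0 ]; then
        echo "STUCK: $unsynced item(s) with id 0, $depth file(s) in $home/upload-queue"
        return 1
    fi
    echo "OK: nothing pending"
    return 0
}

# Run `lpass sync` with a per-attempt timeout (the report says it can hang
# indefinitely) and back off between attempts instead of retrying in a tight
# loop. Requires coreutils `timeout`. Not exercised offline.
sync_with_backoff() {
    attempts="${1:-5}"
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if timeout 60 lpass sync; then
            return 0
        fi
        delay=$(backoff_seconds "$n")
        echo "sync attempt $((n + 1)) failed; waiting ${delay}s" >&2
        sleep "$delay"
        n=$((n + 1))
    done
    return 1
}

# Example (not run here):
#   lpass ls | queue_stuck "${LPASS_HOME:-$HOME/.lpass}" || sync_with_backoff
```

Source the file and pipe `lpass ls` into `queue_stuck` with the LPASS_HOME in use; a non-zero return means at least one item was never uploaded or the queue directory still has files in it, which is the state the report describes before the server starts rejecting the client.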

Comment 1 András Rutkai 2018-04-06 11:33:01 UTC
Thank you for opening the ticket Ventz, this package is indeed very outdated and an update would be welcomed.

In case any more information would be needed from Lastpass side please let me know.

Comment 2 Ventz 2018-04-13 19:55:08 UTC
Just adding a comment that I tried emailing Tom directly, but have not heard back.

Wanted to see if anyone knows another way to get in touch with him.

Adding a comment as per the policy for nonresponsive package maintainers (https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers) -- it has now been 14 days (2 weeks)

Comment 3 Ventz 2018-04-19 00:59:02 UTC
Adding another re-try to the ticket -- trying to get a hold of Tom without any luck.

Adding a comment as per the policy for nonresponsive package maintainers (https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers) -- it has now been 14 days (2 weeks) here within bugzilla.

Comment 4 Ventz 2018-07-02 16:56:26 UTC
Providing an EPEL build in an alternative location (github) for anyone that runs into this until the package maintainer/builder can be sorted out:

https://github.com/harvard-itsecurity/rpm-lastpass-cli

We are committed to maintaining it and keeping it up to date, so you can always find the latest stable release there packaged.

