starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 09:46:00 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #4177] Year 2038 problem #1807

New issue
Closed
opened 2026-03-03 02:12:22 +03:00 by kerem · 7 comments
kerem commented 2026-03-03 02:12:22 +03:00
Owner
Copy link

Originally created by @zacknewman on GitHub (Dec 17, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4177

This is not a "vulnerability" due to the fact that the issue is 14 years away*; furthermore Vaultwarden may not even be a thing then. Anyway, I am not sure why 32-bit timestamps are used for the TOTP code considering most OSes running on 64-bit systems have been using 64-bit timestamps for a decade or more (even 32-bit Linux has support since 5.6), chrono uses i64s, and totp-lite uses u64s. The change to u64/i64s is easy in code—I've done so on my personal fork—and SQLite has no issues either since INTEGER is a flexible-width data type (up to 64 bits) and DATETIME has type affinity NUMERIC which will store values as INTEGER so long as they are valid 64-bit signed integers. I'm not sure what if anything would be needed to "fix" PostgreSQL and MariaDB/MySQL.

* Technically a contrived setup where servers and clients have their clocks in-sync but set to beyond 2038 are vulnerable.

Originally created by @zacknewman on GitHub (Dec 17, 2023). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4177 This is not a "vulnerability" due to the fact that the issue is 14 years away*; furthermore Vaultwarden may not even be a thing then. Anyway, I am not sure why [32-bit timestamps](https://github.com/dani-garcia/vaultwarden/blob/main/src/api/core/two_factor/authenticator.rs#L121) are used for the TOTP code considering most OSes running on 64-bit systems have been using 64-bit timestamps for a decade or more (even 32-bit Linux has support since 5.6), `chrono` uses `i64`s, and `totp-lite` uses `u64`s. The change to `u64`/`i64`s is easy in code—I've done so on my personal fork—and SQLite has no issues either since `INTEGER` is a flexible-width data type (up to 64 bits) and `DATETIME` has type affinity `NUMERIC` which will store values as `INTEGER` so long as they are valid 64-bit signed integers. I'm not sure what if anything would be needed to "fix" PostgreSQL and MariaDB/MySQL. \* _Technically a contrived setup where servers and clients have their clocks in-sync but set to beyond 2038 are vulnerable._
kerem 2026-03-03 02:12:22 +03:00
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Dec 17, 2023):

If I'm correct, only the last used is stored in a i32, all other parts are 64 bit. Since 2038 is far away, i think we have time to fix this and convert this to 64bit.

Thanks for the report

<!-- gh-comment-id:1859271833 --> @BlackDex commented on GitHub (Dec 17, 2023): If I'm correct, only the last used is stored in a `i32`, all other parts are 64 bit. Since 2038 is far away, i think we have time to fix this and convert this to 64bit. Thanks for the report
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@zacknewman commented on GitHub (Dec 17, 2023):

Yes, only the last used is stored/retrieved as an i32; however that is enough to invalidate the entire thing.

i think we have time to fix this and convert this to 64bit.

Lol, I agree that 14 years is enough time.

<!-- gh-comment-id:1859272760 --> @zacknewman commented on GitHub (Dec 17, 2023): Yes, only the last used is stored/retrieved as an `i32`; however that is enough to invalidate the entire thing. > i think we have time to fix this and convert this to 64bit. Lol, I agree that 14 years is enough time.
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@LoiLock commented on GitHub (Jan 12, 2024):

You can have a kid in that time, only for your kid to then come back to this issue and reopen it again.

<!-- gh-comment-id:1889059331 --> @LoiLock commented on GitHub (Jan 12, 2024): You can have a kid in that time, only for your kid to then come back to this issue and reopen it again.
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Jan 12, 2024):

Why re-open it? The kid can fix it and create a PR ;)

<!-- gh-comment-id:1889143382 --> @BlackDex commented on GitHub (Jan 12, 2024): Why re-open it? The kid can fix it and create a PR ;)
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@zacknewman commented on GitHub (Jan 12, 2024):

Why re-open it? The kid can fix it and create a PR ;)

The "kid" would use my fork which has it fixed, but they would use WebAuthn anyway so wouldn't matter.

I do believe that was a joke; but just in case it were not, let me state that my fork has diverged by 10s of thousands of lines if not over 100K. This means sending a git format-patch or PR would take time and not benefit me at all. I realize that's selfish, but I believe making an issue without a PR is better than not making an issue at all. I obviously benefited from the work of this project, so bug and security exploit reports are my contribution. Also note that I have offered PRs before privately and publicly that were rejected, so that also adds to the "waste of time" aspect.

<!-- gh-comment-id:1889620939 --> @zacknewman commented on GitHub (Jan 12, 2024): > Why re-open it? The kid can fix it and create a PR ;) The "kid" would use my fork which has it fixed, but they would use WebAuthn anyway so wouldn't matter. I do believe that was a joke; but just in case it were not, let me state that my fork has diverged by 10s of thousands of lines if not over 100K. This means sending a `git format-patch` or PR would take time and not benefit me at all. I realize that's selfish, but I believe making an issue without a PR is better than not making an issue at all. I obviously benefited from the work of this project, so bug and security exploit reports are my contribution. Also note that I have offered PRs before privately and publicly that were rejected, so that also adds to the "waste of time" aspect.
kerem commented 2026-03-03 02:12:23 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Jan 12, 2024):

Why re-open it? The kid can fix it and create a PR ;)

The "kid" would use my fork which has it fixed, but they would use WebAuthn anyway so wouldn't matter.

I do believe that was a joke; but just in case it were not, let me state that my fork has diverged by 10s of thousands of lines if not over 100K. This means sending a git format-patch or PR would take time and not benefit me at all. I realize that's selfish, but I believe making an issue without a PR is better than not making an issue at all. I obviously benefited from the work of this project, so bug and security exploit reports are my contribution. Also note that I have offered PRs before privately and publicly that were rejected, so that also adds to the "waste of time" aspect.

It does mean a bit more work for us, but indeed all the items you send we (I) will try to address. From my point of view I'm happy with them, any insight and approvements are welcome!

<!-- gh-comment-id:1889628988 --> @BlackDex commented on GitHub (Jan 12, 2024): > > Why re-open it? The kid can fix it and create a PR ;) > > The "kid" would use my fork which has it fixed, but they would use WebAuthn anyway so wouldn't matter. > > I do believe that was a joke; but just in case it were not, let me state that my fork has diverged by 10s of thousands of lines if not over 100K. This means sending a `git format-patch` or PR would take time and not benefit me at all. I realize that's selfish, but I believe making an issue without a PR is better than not making an issue at all. I obviously benefited from the work of this project, so bug and security exploit reports are my contribution. Also note that I have offered PRs before privately and publicly that were rejected, so that also adds to the "waste of time" aspect. It does mean a bit more work for us, but indeed all the items you send we (I) will try to address. From my point of view I'm happy with them, any insight and approvements are welcome!
kerem commented 2026-03-03 02:12:24 +03:00
Author
Owner
Copy link

@gzfrozen commented on GitHub (Feb 15, 2024):

Hi, I create PR to fix this. Please check:
https://github.com/dani-garcia/vaultwarden/pull/4355

<!-- gh-comment-id:1946321931 --> @gzfrozen commented on GitHub (Feb 15, 2024): Hi, I create PR to fix this. Please check: https://github.com/dani-garcia/vaultwarden/pull/4355
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#1807
No description provided.