Arch Linux 804 Published by

A rclone security update has been released for Arch Linux.



ASA-202011-17: rclone: private key recovery


Arch Linux Security Advisory ASA-202011-17
=========================================
Severity: Medium
Date : 2020-11-19
CVE-ID : CVE-2020-28924
Package : rclone
Type : private key recovery
Remote : No
Link :   https://security.archlinux.org/AVG-1286

Summary
======
The package rclone before version 1.53.3-1 is vulnerable to private key
recovery.

Resolution
=========
Upgrade to 1.53.3-1.

# pacman -Syu "rclone>=1.53.3-1"

The problem has been fixed upstream in version 1.53.3.

Workaround
=========
All passwords generated by rclone 1.49.0 up to 1.53.2 should be
changed. Rclone provides a password checker to find weak passwords as a
separate tool called passwordcheck.

Description
==========
An issue was discovered in rclone 1.49.0 up to 1.53.2. Due to the use
of a weak random number generator, the password generator has been
producing weak passwords with much less entropy than advertised. The
suggested passwords depend deterministically on the time rclone was
started. This limits the entropy of the passwords enormously. These
passwords are often used in the crypt backend for encryption of data.
It would be possible to make a dictionary of all possible passwords
with about 38 million entries per password length. This would make
decryption of secret material possible with a plausible amount of
effort. NOTE: all passwords generated by affected versions should be
changed.

Impact
=====
A malicious user might be able to brute force the weak passwords.

References
=========
  https://github.com/rclone/rclone/issues/4783
  https://github.com/rclone/rclone/commit/7985df37681f54d013816a4641da4f9b085b3aa5
  https://github.com/rclone/passwordcheck
  https://security.archlinux.org/CVE-2020-28924