Bug 755638 (CVE-2020-28924) - <net-misc/rclone-1.53.3: Insecure passwords generated by rclone config (CVE-2020-28924)
Status: RESOLVED FIXED
Alias: CVE-2020-28924
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/rclone/rclone/issu...
Whiteboard: B3 [glsa+ cve]
Reported: 2020-11-19 21:48 UTC by filip ambroz
Modified: 2021-07-08 03:27 UTC
Description filip ambroz 2020-11-19 21:48:21 UTC
Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords.

It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort.

Reproducible: Always
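The flaw described above, reduced to a constructed Go example (not rclone's code): a password generator seeded from a second-resolution clock beside one that draws from crypto/rand, plus the determinism check a maintainer would keep as a regression test. The function names and the character alphabet are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// Constructed alphabet; rclone's actual character set is not shown on this page.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// WeakPassword reproduces the flawed pattern: a math/rand source seeded with a
// timestamp. Whoever can bound the seed can regenerate every candidate output,
// so the real entropy is log2(seed range), not n*log2(len(alphabet)).
func WeakPassword(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// StrongPassword draws each index from crypto/rand. rand.Int returns a uniform
// value in [0, max), so there is no modulo bias and each position carries
// log2(62) ≈ 5.95 bits.
func StrongPassword(n int) (string, error) {
	b := make([]byte, n)
	max := big.NewInt(int64(len(alphabet)))
	for i := range b {
		idx, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// IsDeterministic is the regression check: generate twice under identical
// conditions and report whether the outputs coincide. A correct generator
// must return false here.
func IsDeterministic(gen func() string) bool {
	return gen() == gen()
}

func main() {
	seed := time.Now().Unix() // second-resolution seed: the weak design
	fmt.Println("weak  :", WeakPassword(seed, 16))
	fmt.Println("weak  :", WeakPassword(seed, 16)) // identical within the same second
	p, _ := StrongPassword(16)
	fmt.Println("strong:", p)
}
```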
Comment 1 filip ambroz 2020-11-19 21:50:08 UTC
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2020-28924
Comment 2 Sam James archtester gentoo-dev Security 2020-11-24 10:35:50 UTC
(We don't put versioned atoms in summary unless it's representing fixed versions in tree).

Please bump, maintainer.
Comment 3 Sam James archtester gentoo-dev Security 2020-12-16 07:09:10 UTC
ping perfinion
Comment 4 sharpshopter 2020-12-21 09:58:00 UTC
I've put up a version bump ebuild at https://bugs.gentoo.org/show_bug.cgi?id=759451 which should address this.
Comment 5 Larry the Git Cow gentoo-dev 2021-01-02 07:21:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0096c84f139b209ea27c3832e20724fff35b3bd9

commit 0096c84f139b209ea27c3832e20724fff35b3bd9
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:11:28 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:34 +0000

    net-misc/rclone: drop old
    
    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/Manifest             |   2 -
 net-misc/rclone/rclone-1.52.2.ebuild |  36 --
 net-misc/rclone/rclone-1.53.0.ebuild | 835 -----------------------------------
 3 files changed, 873 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8958293c56dd55924d79042def525a597153fcd6

commit 8958293c56dd55924d79042def525a597153fcd6
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:09:09 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:33 +0000

    net-misc/rclone: Stable 1.53.3 for security fix
    
    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/rclone-1.53.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13c182a7472d3b271f61411f2c4cc2947a0721ee

commit 13c182a7472d3b271f61411f2c4cc2947a0721ee
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:06:21 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:32 +0000

    net-misc/rclone: bump 1.53.3
    
    Closes: https://bugs.gentoo.org/759451
    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/Manifest             |   1 +
 net-misc/rclone/rclone-1.53.3.ebuild | 835 +++++++++++++++++++++++++++++++++++
 2 files changed, 836 insertions(+)
Comment 6 John Helmert III gentoo-dev Security 2021-01-02 09:03:36 UTC
Thank you!
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-05-31 20:46:20 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 03:27:54 UTC
This issue was resolved and addressed in
 GLSA 202107-14 at https://security.gentoo.org/glsa/202107-14
by GLSA coordinator John Helmert III (ajak).