Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort.

Reproducible: Always
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2020-28924
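To make the entropy argument in the report concrete, here is an added Go example (not rclone's own code, and the alphabet, function names and the 1600000000 sample seed are assumptions chosen for illustration). It places a time-seeded math/rand generator of the kind the report describes next to a crypto/rand generator, and computes both the advertised entropy (|alphabet|^length) and the upper bound a time-seeded design actually provides, which is fixed by the number of plausible seeds rather than by the password length. The 38 million figure is taken from the report above.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math"
	"math/big"
	mrand "math/rand"
	"strings"
)

// Illustrative alphabet (assumed for this example, not rclone's actual charset).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"

// weakPassword mirrors the anti-pattern the report describes: the PRNG is
// seeded from a timestamp, so the output is a deterministic function of that
// seed. The real keyspace is the number of plausible seeds, not |alphabet|^length.
func weakPassword(seedUnixSeconds int64, length int) string {
	r := mrand.New(mrand.NewSource(seedUnixSeconds))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		sb.WriteByte(alphabet[r.Intn(len(alphabet))])
	}
	return sb.String()
}

// strongPassword draws every character from the OS CSPRNG via crypto/rand.
// crand.Int returns a uniform value in [0, n), so there is no modulo bias.
func strongPassword(length int) (string, error) {
	n := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := crand.Int(crand.Reader, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// advertisedEntropyBits is what a generator over this alphabet and length
// would provide if every character were independent and uniform.
func advertisedEntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// effectiveEntropyBits bounds a time-seeded generator by the number of
// distinct seeds that have to be considered; it does not grow with length.
func effectiveEntropyBits(seedCandidates float64) float64 {
	return math.Log2(seedCandidates)
}

func main() {
	// Same seed, same "random" password: the determinism the report describes.
	fmt.Println("weak generator deterministic:",
		weakPassword(1600000000, 20) == weakPassword(1600000000, 20))

	p, err := strongPassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand password:", p)

	fmt.Printf("advertised: %.1f bits, time-seeded bound (38e6 seeds): %.1f bits\n",
		advertisedEntropyBits(len(alphabet), 20), effectiveEntropyBits(38e6))
}
```

Seeding from the clock caps the generator at roughly 25 bits for any length, whereas a 20-character password over a 64-symbol alphabet should carry 120 bits; the fix is to source every character from crypto/rand, as strongPassword does.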
(We don't put versioned atoms in summary unless it's representing fixed versions in tree). Please bump, maintainer.
ping perfinion
I've put up a version bump ebuild at https://bugs.gentoo.org/show_bug.cgi?id=759451 which should address this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0096c84f139b209ea27c3832e20724fff35b3bd9

commit 0096c84f139b209ea27c3832e20724fff35b3bd9
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:11:28 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:34 +0000

    net-misc/rclone: drop old

    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/Manifest             |   2 -
 net-misc/rclone/rclone-1.52.2.ebuild |  36 --
 net-misc/rclone/rclone-1.53.0.ebuild | 835 -----------------------------------
 3 files changed, 873 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8958293c56dd55924d79042def525a597153fcd6

commit 8958293c56dd55924d79042def525a597153fcd6
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:09:09 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:33 +0000

    net-misc/rclone: Stable 1.53.3 for security fix

    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/rclone-1.53.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13c182a7472d3b271f61411f2c4cc2947a0721ee

commit 13c182a7472d3b271f61411f2c4cc2947a0721ee
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-01-02 07:06:21 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-01-02 07:19:32 +0000

    net-misc/rclone: bump 1.53.3

    Closes: https://bugs.gentoo.org/759451
    Bug: https://bugs.gentoo.org/755638
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 net-misc/rclone/Manifest             |   1 +
 net-misc/rclone/rclone-1.53.3.ebuild | 835 +++++++++++++++++++++++++++++++++++
 2 files changed, 836 insertions(+)
Thank you!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202107-14 at https://security.gentoo.org/glsa/202107-14 by GLSA coordinator John Helmert III (ajak).