Candidate: CVE-2020-28924
PublicDate: 2020-11-19 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28924
 https://rclone.org/downloads/
Description:
 An issue was discovered in Rclone before 1.53.3. Due to the use of a weak
 random number generator, the password generator has been producing weak
 passwords with much less entropy than advertised. The suggested passwords
 depend deterministically on the time the second rclone was started. This
 limits the entropy of the passwords enormously. These passwords are often
 used in the crypt backend for encryption of data. It would be possible to
 make a dictionary of all possible passwords with about 38 million entries
 per password length. This would make decryption of secret material possible
 with a plausible amount of effort. NOTE: all passwords generated by
 affected versions should be changed.
Ubuntu-Description:
Notes:
 sbeattie> debian asserts this was introduced in upstream in
   193c30d57038017370594d5bc8ee9bc32580ddf2 v1.49; needs verification.
Mitigation:
Bugs:
 https://github.com/rclone/rclone/issues/4783
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975324
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_rclone:
 upstream: https://github.com/rclone/rclone/commit/4c215cc81ec6143ae3c64633700cb341ca28df2d
 upstream: https://github.com/rclone/rclone/commit/c8b11d27e1fe261fdfba6b8910fda69356c9c777
upstream_rclone: released (1.53.3-1)
precise/esm_rclone: DNE
trusty_rclone: ignored (out of standard support)
trusty/esm_rclone: DNE
xenial_rclone: DNE
bionic_rclone: needs-triage
focal_rclone: needs-triage
groovy_rclone: ignored (reached end-of-life)
hirsute_rclone: not-affected (1.53.3-1)
impish_rclone: not-affected (1.53.3-1)
jammy_rclone: not-affected (1.53.3-1)
devel_rclone: not-affected (1.53.3-1)