[manjaro-security] [ASA-202011-17] rclone: private key recovery

Morten Linderud foxboron at archlinux.org
Sun Nov 29 18:18:16 CET 2020

Arch Linux Security Advisory ASA-202011-17

Severity: Medium
Date    : 2020-11-19
CVE-ID  : CVE-2020-28924
Package : rclone
Type    : private key recovery
Remote  : No
Link    : https://security.archlinux.org/AVG-1286


The package rclone before version 1.53.3-1 is vulnerable to private key


Upgrade to 1.53.3-1.

# pacman -Syu "rclone>=1.53.3-1"

The problem has been fixed upstream in version 1.53.3.


All passwords generated by rclone 1.49.0 up to 1.53.2 should be
changed. Rclone provides a password checker to find weak passwords as a
separate tool called passwordcheck.


An issue was discovered in rclone 1.49.0 up to 1.53.2. Due to the use
of a weak random number generator, the password generator has been
producing weak passwords with much less entropy than advertised. The
suggested passwords depend deterministically on the time rclone was
started. This limits the entropy of the passwords enormously. These
passwords are often used in the crypt backend for encryption of data.
It would be possible to make a dictionary of all possible passwords
with about 38 million entries per password length. This would make
decryption of secret material possible with a plausible amount of
effort. NOTE: all passwords generated by affected versions should be


A malicious user might be able to brute force the weak passwords.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20201129/7d5296bf/attachment.sig>

More information about the manjaro-security mailing list