Bug 33808 - rclone new security issues CVE-2024-52522 and CVE-2024-4533[78]
Summary: rclone new security issues CVE-2024-52522 and CVE-2024-4533[78]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 35181
Blocks:
Reported: 2024-11-27 16:05 CET by Nicolas Salguero
Modified: 2026-05-18 21:14 CEST

See Also:
Source RPM: rclone-1.62.1-1.mga9.src.rpm
CVE: , CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, CVE-2026-27144, CVE-2026-27143, CVE-2026-32288, CVE-2026-32283, CVE-2026-27140, CVE-2026-32280, CVE-2026-32281, CVE-2026-41179, CVE-2026-41176, CVE-2026-33186, CVE-2026-27137, CVE-2026-27138, CVE-2026-25679
Status comment: Package to test in comment 20
j.alberto.vc: test_passed_mga9_64+

Nicolas Salguero 2024-11-27 16:05:52 CET

Source RPM: (none) => rclone-1.68.1-1.mga10.src.rpm, rclone-1.62.1-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.68.2 and patch available from upstream
CVE: (none) => CVE-2024-52522

Comment 1 Lewis Smith 2024-11-27 21:16:47 CET
Assigning to Stig who looks after this package.

Assignee: bugsquad => smelror

Comment 2 Nicolas Salguero 2025-01-15 15:37:53 CET
openSUSE has issued an advisory on January 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MCLAZVPDAT5UFMI67YRTRQBKGNJYHBIS/

Summary: rclone new security issue CVE-2024-52522 => rclone new security issues CVE-2024-52522 and CVE-2024-4533[78]
Status comment: Fixed upstream in 1.68.2 and patch available from upstream => Fixed upstream in 1.69
CVE: CVE-2024-52522 => CVE-2024-52522, CVE-2024-45337, CVE-2024-45338

Nicolas Salguero 2025-11-12 10:22:25 CET

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: rclone-1.68.1-1.mga10.src.rpm, rclone-1.62.1-1.mga9.src.rpm => rclone-1.62.1-1.mga9.src.rpm

Comment 3 Lewis Smith 2026-04-16 22:07:24 CEST
(In reply to Lewis Smith from comment #1)
> Assigning to Stig who looks after this package.
Or did...
Which is why this bug has hung around nearly 18m.
Re-assigning it to Bruno, who looks to have taken over managing rclone - and recently.
Stig had in fact updated Cauldron to version 1.69.2 nearly a year ago. Since then, we have 1.72.x.
So Mageia 9 needs updating.

Assignee: smelror => bruno

Comment 4 Bruno Cornec 2026-04-16 22:55:00 CEST
Trying to update to the 1.73.4 version leads to an issue reported upstream: https://github.com/rclone/rclone/issues/9351

CC: (none) => bruno
Status: NEW => ASSIGNED

Comment 5 Bruno Cornec 2026-05-01 16:31:04 CEST
Cauldron updated to 1.73.5
Comment 6 Bruno Cornec 2026-05-01 16:34:06 CEST
Same version submitted to mga9.

Assignee: bruno => qa-bugs

PC LX 2026-05-01 23:36:45 CEST

CC: (none) => mageia

Comment 7 katnatek 2026-05-02 18:27:18 CEST
Can you please explain the inclusion of CVE-2024-4533[78]? They look like Go issues.
Thank you

Keywords: (none) => feedback

Comment 8 PC LX 2026-05-04 03:04:36 CEST
(In reply to Bruno Cornec from comment #6)
> Same version submitted to mga9.

I'm not seeing an rclone update in the updates_testing repository.
Is the update package not yet available, or am I looking in the wrong repo?

$ urpmf -fm --name rclone
Core Release:rclone-1.62.1-1.mga9.x86_64
Core Updates Testing:rclone-1.62.1-1.mga9.x86_64
Core 32bit Release:rclone-1.62.1-1.mga9.i586
Comment 9 Bruno Cornec 2026-05-04 11:56:58 CEST
That's odd, as the build page says it was uploaded:
https://pkgsubmit.mageia.org/
https://pkgsubmit.mageia.org/uploads/done/cauldron/core/release/20260501141812.bcornec.duvel.4012488/status.log

I'll remove 1.62.1 already in release and build again 1.73.5
Comment 10 Bruno Cornec 2026-05-04 11:58:22 CEST
Hummm, my fault (as usual). svn ci wasn't done.
Comment 11 Bruno Cornec 2026-05-04 12:00:10 CEST
Build in progress.
Comment 12 PC LX 2026-05-07 18:50:17 CEST
Installed and tested without issues.

Tested:
- backups upload to backblaze;
- encrypted remotes;
- list, upload, download, remove, sync;
- remotes: backblaze, google drive.
All that was tested worked without issues.
rclone supports lots of other remotes besides backblaze and google drive.

System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using the amdgpu driver.

$ uname -a
Linux jupiter 6.6.137-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Apr 30 22:24:10 UTC 2026 x86_64 GNU/Linux
$ rpm -q rclone
rclone-1.73.5-1.mga9
Comment 13 PC LX 2026-05-10 19:04:04 CEST
I was waiting for some more tests, but this is a security issue and needs to be pushed forward, so I'm giving it the OK for x86_64.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK

Comment 14 Thomas Andrews 2026-05-13 02:34:05 CEST
Validating.

Katnatek still needs an answer to his question in comment 7 so he can write the advisory.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 15 Bruno Cornec 2026-05-15 15:30:45 CEST
(In reply to katnatek from comment #7)
> Can you please explain the inclusion of CVE-2024-4533[78]? They look like Go
> issues.
> Thank you

I'm not a go dev, but I guess that routing people to read the CVE descriptions at https://nvd.nist.gov/vuln/detail/CVE-2024-45337 and https://nvd.nist.gov/vuln/detail/CVE-2024-45338 is the right thing to do.
Comment 16 katnatek 2026-05-15 18:40:40 CEST
(In reply to Bruno Cornec from comment #15)
> (In reply to katnatek from comment #7)
> > Can you please explain the inclusion of CVE-2024-4533[78]? They look like Go
> > issues.
> > Thank you
> 
> I'm not a go dev, but I guess that routing people to read the CVE
> descriptions at https://nvd.nist.gov/vuln/detail/CVE-2024-45337 and
> https://nvd.nist.gov/vuln/detail/CVE-2024-45338 is the right thing to do.

That is the information that I found, and it is still not clear to me how this affects rclone; rclone is written in Go and/or makes use of the affected Go features?

I should not have to dig into the source code or the spec to write an advisory.

The openSUSE reference just lists CVE-2024-52522.

And the upstream advisory does not list CVE IDs:

https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
Comment 17 katnatek 2026-05-15 18:42:35 CEST
(In reply to katnatek from comment #16)
> I should not have to dig into the source code or the spec to write an advisory.
> 
> The openSUSE reference just lists CVE-2024-52522.
> 
> And the upstream advisory does not list CVE IDs:
> 
My bad, it lists only CVE-2024-52522, in the right part of the page.
Comment 18 katnatek 2026-05-15 19:00:14 CEST
https://rclone.org/changelog/#v1-73-5-2026-04-19

Lists CVE-2026-41179, CVE-2026-41176

https://rclone.org/changelog/#v1-73-4-2026-04-08

CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, CVE-2026-27144,
CVE-2026-27143, CVE-2026-32288, CVE-2026-32283, CVE-2026-27140, 
CVE-2026-32280, CVE-2026-32281

https://rclone.org/changelog/#v1-73-3-2026-03-23

CVE-2026-33186

https://rclone.org/changelog/#v1-73-2-2026-03-06

CVE-2026-27137, CVE-2026-27138, CVE-2026-25679, CVE-2026-27142,
CVE-2026-1229, CVE-2026-27141

https://rclone.org/changelog/#v1-73-1-2026-02-17

CVE-2025-68121 (for this, golang should be updated in Mageia 9 to >=1.25.7, if I understand correctly)

https://rclone.org/changelog/#v1-73-0-2026-01-30

https://rclone.org/changelog/#v1-72-1-2025-12-10
CVE-2025-61729 (need new golang)

https://rclone.org/changelog/#v1-72-0-2025-11-21

CVE-2025-58181 

I'll continue later, but it looks to me that validation should be removed and
we must update golang in Mageia 9.
Comment 19 katnatek 2026-05-15 19:43:11 CEST
https://rclone.org/changelog/#v1-71-2-2025-10-20

https://rclone.org/changelog/#v1-71-1-2025-09-24

https://rclone.org/changelog/#v1-71-0-2025-08-22

https://rclone.org/changelog/#v1-70-3-2025-07-09

https://rclone.org/changelog/#v1-70-2-2025-06-27

https://rclone.org/changelog/#v1-70-1-2025-06-19

https://rclone.org/changelog/#v1-70-0-2025-06-17

https://rclone.org/changelog/#v1-69-3-2025-05-21

https://rclone.org/changelog/#v1-69-2-2025-05-01

CVE-2025-30204, CVE-2025-22869, CVE-2025-22870

https://rclone.org/changelog/#v1-69-1-2025-02-14

https://rclone.org/changelog/#v1-69-0-2025-01-12

CVE-2024-45337 & CVE-2024-45338 (at last)

https://rclone.org/changelog/#v1-68-2-2024-11-15

CVE-2024-52522

https://rclone.org/changelog/#v1-68-1-2024-09-24

https://rclone.org/changelog/#v1-68-0-2024-09-08

https://rclone.org/changelog/#v1-67-0-2024-06-14

CVE-2023-45288, CVE-2024-35255, 

https://rclone.org/changelog/#v1-66-0-2024-03-10

https://rclone.org/changelog/#v1-65-2-2024-01-24

https://rclone.org/changelog/#v1-65-1-2024-01-08

CVE-2023-48795

https://rclone.org/changelog/#v1-65-0-2023-11-26

https://rclone.org/changelog/#v1-64-2-2023-10-19

https://rclone.org/changelog/#v1-64-1-2023-10-17

https://rclone.org/changelog/#v1-64-0-2023-09-11

https://rclone.org/changelog/#v1-63-1-2023-07-17

https://rclone.org/changelog/#v1-63-0-2023-06-30

https://rclone.org/changelog/#v1-62-2-2023-03-16

So the list of CVEs was incomplete due to the version selected to fix the listed vulnerabilities, and some vulnerabilities require updating golang first.

I'll work on that, and then rebuild rclone

Keywords: feedback, validated_update => (none)
Depends on: (none) => 35181
Whiteboard: MGA9-64-OK => (none)
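
A check that follows from comment 18 and comment 19, added here as an example (not from the bug report or the rclone project): Go binaries embed the toolchain and module versions they were built with, readable with `go version -m <binary>`, so the "needs a newer golang" conclusion can be verified on the rebuilt rclone package instead of being inferred from the changelog. The Go minimum 1.25.7 is the one named in comment 18; the sample output and the module minimums passed in at the bottom are constructed/illustrative placeholders, to be replaced by the versions given in the relevant CVE records.

```python
"""Compare a Go binary's embedded build info against minimum versions."""
import re

# Constructed sample of `go version -m /usr/bin/rclone` output (not real output).
# The h1: sums are placeholders, not real module checksums.
SAMPLE_BUILDINFO = """\
/usr/bin/rclone: go1.24.2
\tpath\tgithub.com/rclone/rclone
\tmod\tgithub.com/rclone/rclone\tv1.73.5\th1:PLACEHOLDER
\tdep\tgolang.org/x/crypto\tv0.30.0\th1:PLACEHOLDER
\tdep\tgolang.org/x/net\tv0.33.0\th1:PLACEHOLDER
\tbuild\t-buildmode=exe
"""

def parse_version(ver: str) -> tuple:
    """Turn 'go1.25.7' or 'v0.31.0-0.20240101-abcdef' into a comparable int tuple."""
    core = re.sub(r"^(go|v)", "", ver).split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def parse_buildinfo(text: str) -> dict:
    """Return {'go': toolchain, 'modules': {path: version}} from `go version -m` text."""
    info = {"go": None, "modules": {}}
    for line in text.splitlines():
        if not line.startswith("\t"):
            # Header line: "<binary>: go1.24.2"
            m = re.search(r":\s*(go\d[\w.]*)\s*$", line)
            if m:
                info["go"] = m.group(1)
            continue
        fields = line.strip("\t").split("\t")
        if fields[0] in ("mod", "dep") and len(fields) >= 3:
            info["modules"][fields[1]] = fields[2]
    return info

def check_minimums(text: str, min_go: str, min_modules: dict) -> list:
    """Return (component, have, want) for every requirement the binary does not meet."""
    info = parse_buildinfo(text)
    failures = []
    if info["go"] is None or parse_version(info["go"]) < parse_version(min_go):
        failures.append(("go", info["go"], min_go))
    for path, want in min_modules.items():
        have = info["modules"].get(path)
        if have is None or parse_version(have) < parse_version(want):
            failures.append((path, have, want))
    return failures

if __name__ == "__main__":
    # Module minimums below are illustrative; take the real ones from the CVE records.
    mins = {"golang.org/x/crypto": "v0.31.0", "golang.org/x/net": "v0.33.0"}
    for comp, have, want in check_minimums(SAMPLE_BUILDINFO, "1.25.7", mins):
        print(f"{comp}: built with {have}, need >= {want}")
```

Run it against the real package with `go version -m /usr/bin/rclone` piped into `check_minimums` to see which of the toolchain and module requirements the build actually satisfies.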

Comment 20 katnatek 2026-05-16 00:40:19 CEST
[S]RPM: rclone-1.73.5-1.1.mga9

PC LX, please test this package.

Flags: test_passed_mga9_64+ => (none)
Status comment: Fixed upstream in 1.69 => Package to test in comment 20

katnatek 2026-05-16 01:09:03 CEST

CVE: CVE-2024-52522, CVE-2024-45337, CVE-2024-45338 => , CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, CVE-2026-27144, CVE-2026-27143, CVE-2026-32288, CVE-2026-32283, CVE-2026-27140, CVE-2026-32280, CVE-2026-32281, CVE-2026-41179, CVE-2026-41176, CVE-2026-33186, CVE-2026-27137, CVE-2026-27138, CVE-2026-25679

katnatek 2026-05-16 01:30:25 CEST

Keywords: (none) => advisory

Comment 21 Herman Viaene 2026-05-16 15:28:16 CEST
Tried rclone config to get a remote on Google Drive, but got lost on all options of which at least half I do not understand.
But at least no crashes or obviously nonsense behavior.

CC: (none) => herman.viaene

Comment 22 PC LX 2026-05-17 18:13:44 CEST
The second update has been in use for about two days without issues.
I also repeated the tests (see comment 12), and it is working OK.
It gets an OK from me for x86_64.

$ rpm -q rclone
rclone-1.73.5-1.1.mga9
Comment 23 katnatek 2026-05-17 18:37:04 CEST
(In reply to PC LX from comment #22)
> The second update has been in use for about two days without issues.
> I also repeated the tests (see comment 12), and it is working OK.
> It gets an OK from me for x86_64.

Thanks. @Thomas, please set validation again.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 24 Thomas Andrews 2026-05-18 03:14:26 CEST
Validating.

Keywords: (none) => validated_update

Comment 25 Mageia Robot 2026-05-18 21:14:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0147.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
