Nixpkgs security tracker
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse ignored
-
@LeSuisse
ignored
9 packages
- librclone
- rclone-ui
- syncrclone
- rclone-browser
- git-annex-remote-rclone
- gnomeExtensions.rclone-manager
- python312Packages.rclone-python
- python313Packages.rclone-python
- python314Packages.rclone-python
- @LeSuisse accepted
- @LeSuisse published on GitHub
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
References
-
https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q x_refsource_CONFIRM
Ignored references (3)
Affected products
- ==>= 1.48.0, < 1.73.5
Matching in nixpkgs
Ignored packages (9)
pkgs.librclone
Rclone as a C library
pkgs.rclone-ui
Cross-platform desktop GUI for rclone & S3
pkgs.syncrclone
Bidirectional sync tool for rclone
-
nixos-unstable 0-unstable-2023-03-23
- nixpkgs-unstable 0-unstable-2023-03-23
- nixos-unstable-small 0-unstable-2023-03-23
-
nixos-25.11 0-unstable-2023-03-23
- nixos-25.11-small 0-unstable-2023-03-23
- nixpkgs-25.11-darwin 0-unstable-2023-03-23
pkgs.rclone-browser
Graphical Frontend to Rclone written in Qt
pkgs.git-annex-remote-rclone
Use rclone supported cloud storage providers with git-annex
pkgs.gnomeExtensions.rclone-manager
Is like Dropbox sync client but for more than 30 services, adds an indicator to the top panel so you can manage the rclone profiles configured in your system, perform operations such as mount as remote, watch for file modifications, sync with remote storage, navigate it's main folder. Also, it shows the status of each profile so you can supervise the operations, and provides an easy access log of events. Backup and restore the rclone configuration file, so you won't have to configure all your devices one by one
pkgs.python312Packages.rclone-python
Python wrapper for rclone
pkgs.python313Packages.rclone-python
Python wrapper for rclone
pkgs.python314Packages.rclone-python
Python wrapper for rclone
Package maintainers
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>