CVE-2024-52522

Name	CVE-2024-52522
Description	Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1088107

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rclone (PTS)	stretch (security), stretch (lts), stretch	1.35-1+deb8u1	fixed
	buster (security), buster, buster (lts)	1.45-3+deb10u1	fixed
	bullseye	1.53.3-1	fixed
	bookworm	1.60.1+dfsg-2	vulnerable
	sid, trixie	1.60.1+dfsg-4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
rclone	source	jessie	(not affected)
rclone	source	stretch	(not affected)
rclone	source	buster	(not affected)
rclone	source	bullseye	(not affected)
rclone	source	(unstable)	(unfixed)	1088107

Notes

[bookworm] - rclone <no-dsa> (Minor issue)
[bullseye] - rclone <not-affected> (--metadata added in 1.59.0)
https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0 (master)
https://github.com/rclone/rclone/commit/669b2f2669cacd634faa2bcecb589b76e1402533 (v1.68.2)
[buster] - rclone <not-affected> (--metadata added in 1.59.0)
[stretch] - rclone <not-affected> (--metadata added in 1.59.0)
[jessie] - rclone <not-affected> (--metadata added in 1.59.0)