rclone-1.66.0-r5 has a vulnerability CVE-2024-52522, which is fixed in rclone-1.68.2-r0.
I use gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine with rclone installed, and it's being marked as vulnerable to that CVE. Unfortunately I can't upgrade rclone because Alpine v3.20 doesn't have the fix available: the latest rclone in Alpine v3.20 is rclone-1.66.0-r5, whilst Alpine v3.21 has rclone-1.68.2-r0.
Is it possible please to build an image on Alpine v3.21?
My Dockerfile:

```dockerfile
FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine
RUN apk upgrade -a
RUN apk --update add coreutils pcre-tools date sed jq curl rclone
RUN gcloud components install gsutil core beta
COPY script.sh .
RUN chmod +x script.sh
CMD ["script.sh"]
```

Show apk info for latest rclone available in this and Alpine 3.21
This image: max allowed rclone-1.66.0-r5

```console
$ docker run --rm -it --platform=linux/amd64 gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine sh
Unable to find image 'gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine' locally
506.0.0-alpine: Pulling from google.com/cloudsdktool/google-cloud-cli
Digest: sha256:f4937a724282e908da616ac8b7d8c20776bdb643c4dba8611d39158166e4a703
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
v3.20.5-12-gd1bff4aa572 [https://dl-cdn.alpinelinux.org/alpine/v3.20/main]
v3.20.5-12-gd1bff4aa572 [https://dl-cdn.alpinelinux.org/alpine/v3.20/community]
OK: 24170 distinct packages available
/ # apk add --upgrade rclone
(1/1) Installing rclone (1.66.0-r5)
Executing busybox-1.36.1-r29.trigger
OK: 168 MiB in 87 packages
/ # apk info rclone
rclone-1.66.0-r5 description:
Rsync for cloud storage

rclone-1.66.0-r5 webpage:
https://rclone.org/

rclone-1.66.0-r5 installed size:
81 MiB
```
Alpine v3.21: max allowed rclone-1.68.2-r0, which fixes CVE-2024-52522

```console
$ docker run --rm -it --platform=linux/amd64 alpine:3.21 sh
Unable to find image 'alpine:3.21' locally
3.21: Pulling from library/alpine
1f3e46996e29: Pull complete
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:3.21
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/x86_64/APKINDEX.tar.gz
v3.21.2-61-g6f8f5025aa0 [https://dl-cdn.alpinelinux.org/alpine/v3.21/main]
v3.21.2-60-g4cba7e3c0b2 [https://dl-cdn.alpinelinux.org/alpine/v3.21/community]
OK: 25393 distinct packages available
/ # apk add --upgrade rclone
(1/1) Installing rclone (1.68.2-r0)
Executing busybox-1.37.0-r9.trigger
OK: 91 MiB in 16 packages
/ # apk info rclone
rclone-1.68.2-r0 description:
Rsync for cloud storage

rclone-1.68.2-r0 webpage:
https://rclone.org/

rclone-1.68.2-r0 installed size:
84 MiB
```
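A build-time gate a maintainer could add to a Dockerfile like the one above, as an added example that is not code from the issue, the rclone project or the image: it parses the `apk info rclone` header line shown in the sessions and fails unless the installed build is at least 1.68.2-r0, the first build the issue names as fixing CVE-2024-52522. The two sample lines are constructed copies of the session output; the comparison is a simplified apk-style compare (dotted upstream fields, then the `-rN` release) written here, not apk's own `apk version` logic.

```sh
#!/bin/sh
# Gate: fail unless the installed rclone is at least the Alpine build that fixes
# CVE-2024-52522. Versions use the apk "UPSTREAM-rN" form seen above (1.66.0-r5).
# The SAMPLE_* lines are constructed copies of the "apk info rclone" header lines.

FIXED_RCLONE="1.68.2-r0"                      # first fixed build, per the issue
SAMPLE_320="rclone-1.66.0-r5 description:"    # constructed: Alpine v3.20 image
SAMPLE_321="rclone-1.68.2-r0 description:"    # constructed: Alpine v3.21 image

# Pull "1.66.0-r5" out of a header line "rclone-1.66.0-r5 description:".
apk_pkg_version() {   # $1 = package name, $2 = header line
    printf '%s\n' "$2" | sed -n "s/^$1-\([0-9][0-9.]*-r[0-9]*\) .*/\1/p"
}

# Compare two apk versions "X.Y.Z-rN" field by field; prints -1, 0 or 1.
# A missing "-rN" release part is treated as r0.
apk_version_cmp() {
    case $1 in *-r*) a_up=${1%-r*}; a_rel=${1##*-r} ;; *) a_up=$1; a_rel=0 ;; esac
    case $2 in *-r*) b_up=${2%-r*}; b_rel=${2##*-r} ;; *) b_up=$2; b_rel=0 ;; esac
    while [ -n "$a_up" ] || [ -n "$b_up" ]; do
        a_f=${a_up%%.*}; b_f=${b_up%%.*}            # current numeric field
        case $a_up in *.*) a_up=${a_up#*.} ;; *) a_up= ;; esac
        case $b_up in *.*) b_up=${b_up#*.} ;; *) b_up= ;; esac
        if [ "${a_f:-0}" -lt "${b_f:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${a_f:-0}" -gt "${b_f:-0}" ]; then printf '%s\n' 1;  return 0; fi
    done
    if   [ "$a_rel" -lt "$b_rel" ]; then printf '%s\n' -1
    elif [ "$a_rel" -gt "$b_rel" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# Returns 0 when the header line shows a fixed build, 1 when vulnerable, 2 when absent.
check_line() {        # $1 = first line of "apk info rclone"
    v=$(apk_pkg_version rclone "$1")
    [ -n "$v" ] || { echo "rclone: not installed" >&2; return 2; }
    if [ "$(apk_version_cmp "$v" "$FIXED_RCLONE")" -ge 0 ]; then
        echo "rclone $v: CVE-2024-52522 fixed (>= $FIXED_RCLONE)"
    else
        echo "rclone $v: VULNERABLE to CVE-2024-52522 (need >= $FIXED_RCLONE)" >&2
        return 1
    fi
}

# Stand-alone: check the running image when apk exists, otherwise the two samples.
if command -v apk >/dev/null 2>&1; then
    check_line "$(apk info rclone 2>/dev/null | head -n 1)"
else
    check_line "$SAMPLE_321"; check_line "$SAMPLE_320"
fi
```

Inside a Dockerfile the same gate is a `RUN` step after `apk add rclone`, so the build itself fails while the image is still on an Alpine release that cannot supply the fixed package.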