rclone-1.66.0-r5 has a vulnerability CVE-2024-52522, which is fixed in rclone-1.68.2-r0.
I use gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine with rclone installed, and it's being marked as vulnerable to that CVE. Unfortunately I can't upgrade rclone because Alpine v3.20 doesn't have the fix available: the latest rclone in Alpine v3.20 is rclone-1.66.0-r5, whilst Alpine v3.21 has rclone-1.68.2-r0.
Is it possible please to build an image on Alpine v3.21?
My Dockerfile:
FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine
RUN apk upgrade -a
RUN apk --update add coreutils pcre-tools date sed jq curl rclone
RUN gcloud components install gsutil core beta
COPY script.sh .
RUN chmod +x script.sh
CMD ["script.sh"]
Show apk info for latest rclone available in this and alpine 3.21
This image: max allowed rclone-1.66.0-r5
$ docker run --rm -it --platform=linux/amd64 gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine sh
Unable to find image 'gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine' locally
506.0.0-alpine: Pulling from google.com/cloudsdktool/google-cloud-cli
Digest: sha256:f4937a724282e908da616ac8b7d8c20776bdb643c4dba8611d39158166e4a703
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/google-cloud-cli:506.0.0-alpine
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
v3.20.5-12-gd1bff4aa572 [https://dl-cdn.alpinelinux.org/alpine/v3.20/main]
v3.20.5-12-gd1bff4aa572 [https://dl-cdn.alpinelinux.org/alpine/v3.20/community]
OK: 24170 distinct packages available
/ # apk add --upgrade rclone
(1/1) Installing rclone (1.66.0-r5)
Executing busybox-1.36.1-r29.trigger
OK: 168 MiB in 87 packages
/ # apk info rclone
rclone-1.66.0-r5 description:
Rsync for cloud storage
rclone-1.66.0-r5 webpage:
https://rclone.org/
rclone-1.66.0-r5 installed size:
81 MiB
Alpine v3.21: max allowed rclone-1.68.2-r0, which fixes CVE-2024-52522
$ docker run --rm -it --platform=linux/amd64 alpine:3.21 sh
Unable to find image 'alpine:3.21' locally
3.21: Pulling from library/alpine
1f3e46996e29: Pull complete
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:3.21
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/x86_64/APKINDEX.tar.gz
v3.21.2-61-g6f8f5025aa0 [https://dl-cdn.alpinelinux.org/alpine/v3.21/main]
v3.21.2-60-g4cba7e3c0b2 [https://dl-cdn.alpinelinux.org/alpine/v3.21/community]
OK: 25393 distinct packages available
/ # apk add --upgrade rclone
(1/1) Installing rclone (1.68.2-r0)
Executing busybox-1.37.0-r9.trigger
OK: 91 MiB in 16 packages
/ # apk info rclone
rclone-1.68.2-r0 description:
Rsync for cloud storage
rclone-1.68.2-r0 webpage:
https://rclone.org/
rclone-1.68.2-r0 installed size:
84 MiB