Bug 1214809 (CVE-2023-36811)

Summary: VUL-0: CVE-2023-36811: borgbackup: spoofed archive leads to data loss
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Antonio Larrosa <alarrosa>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: alarrosa, Andreas.Stieger, hpj, karol, Oruriz, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/376776/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: spec file that works
python-pyfuse3

Description Cathy Hu 2023-08-31 07:23:19 UTC 
CVE-2023-36811

borgbackup is an opensource, deduplicating archiver with compression and
authenticated encryption. A flaw in the cryptographic authentication scheme in
borgbackup allowed an attacker to fake archives and potentially indirectly cause
backup data loss in the repository. The attack requires an attacker to be able
to: 1. insert files (with no additional headers) into backups and 2. gain write
access to the repository. This vulnerability does not disclose plaintext to the
attacker, nor does it affect the authenticity of existing archives. Creating
plausible fake archives may be feasible for empty or small archives, but is
unlikely for large archives. The issue has been fixed in borgbackup 1.2.5. Users
are advised to upgrade. Additionally to installing the fixed code, users must
follow the upgrade procedure as documented in the change log. Data loss after
being attacked can be avoided by reviewing the archives (timestamp and contents
valid and as expected) after any "borg check --repair" and before "borg prune".
There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36811
https://bugzilla.redhat.com/show_bug.cgi?id=2236303
https://www.cve.org/CVERecord?id=CVE-2023-36811
https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
https://github.com/borgbackup/borg/commit/3eb070191da10c2d3f7bc6484cf3d51c3045f884
https://github.com/borgbackup/borg/security/advisories/GHSA-8fjr-hghr-4m99
Comment 1 Cathy Hu 2023-08-31 07:24:31 UTC 
Affected:
- openSUSE:Factory/borgbackup
- openSUSE:Backports:SLE-15-SP4/borgbackup
Comment 2 Andreas Stieger 2024-04-26 06:20:43 UTC 
*** Bug 1223404 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Stieger 2024-04-26 06:25:47 UTC 
TW openSUSE:Factory/borgbackup 1.2.7
Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
https://build.opensuse.org/request/show/1170250

Needs fixing: openSUSE:Backports:SLE-15-SP5:Update/borgbackup
Maintainers can you please action that?
Comment 4 Andreas Stieger 2024-04-26 06:34:04 UTC 
(In reply to Andreas Stieger from comment #3)
> Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
> https://build.opensuse.org/request/show/1170250

Won't build. Please check. We can't really release a new stable distribution release with last year's vulnerabilities on a non-stable upstream release
Comment 5 Oruriz Kurado 2024-04-26 06:53:42 UTC 
(In reply to Andreas Stieger from comment #4)
> (In reply to Andreas Stieger from comment #3)
> > Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
> > https://build.opensuse.org/request/show/1170250
> 
> Won't build. Please check. We can't really release a new stable distribution
> release with last year's vulnerabilities on a non-stable upstream release

The reason why it won't build is because suse 15.6 by default ships python 3.6. Which reached EOL 3 years ago.  
I'm new to suse so I don't really what to change inside specs file to build with python3.11 not with python3.6.

Borg 1.2.7 is used by oracle in EL by the way....
Comment 6 Andreas Stieger 2024-04-26 08:31:36 UTC 
Probably something from the wiki below is needed to use Leap's updated python.
https://en.opensuse.org/openSUSE:Packaging_Python#Python_3_Leap
Looks like a nice weekend project.
Comment 7 Oruriz Kurado 2024-04-26 09:04:43 UTC 
(In reply to Andreas Stieger from comment #6)
> Probably something from the wiki below is needed to use Leap's updated
> python.
> https://en.opensuse.org/openSUSE:Packaging_Python#Python_3_Leap
> Looks like a nice weekend project.

Give me one more hour.
Comment 8 Oruriz Kurado 2024-04-26 10:26:36 UTC 
Created attachment 874518 [details]
spec file that works

Edited spec file from suse Tumbleweed. 
Updated to latest upstream.
https://github.com/borgbackup/borg/releases/download/1.2.8/borgbackup-1.2.8.tar.gz
https://github.com/borgbackup/borg/releases/download/1.2.8/borgbackup-1.2.8.tar.gz.asc

Also python-pyfuse3 required for borg mount, so I ported python-pyfuse3 from suse Tumbleweed too.