Bugzilla – Bug 1214809
VUL-0: CVE-2023-36811: borgbackup: spoofed archive leads to data loss
Last modified: 2024-04-26 10:27:45 UTC
CVE-2023-36811

borgbackup is an open-source, deduplicating archiver with compression and authenticated encryption. A flaw in the cryptographic authentication scheme in borgbackup allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.

The attack requires an attacker to be able to:
1. insert files (with no additional headers) into backups and
2. gain write access to the repository.

This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.

The issue has been fixed in borgbackup 1.2.5. Users are advised to upgrade. In addition to installing the fixed code, users must follow the upgrade procedure as documented in the change log. Data loss after being attacked can be avoided by reviewing the archives (timestamp and contents valid and as expected) after any "borg check --repair" and before "borg prune". There are no known workarounds for this vulnerability.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36811
- https://bugzilla.redhat.com/show_bug.cgi?id=2236303
- https://www.cve.org/CVERecord?id=CVE-2023-36811
- https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
- https://github.com/borgbackup/borg/commit/3eb070191da10c2d3f7bc6484cf3d51c3045f884
- https://github.com/borgbackup/borg/security/advisories/GHSA-8fjr-hghr-4m99
Affected:
- openSUSE:Factory/borgbackup
- openSUSE:Backports:SLE-15-SP4/borgbackup
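The advisory's mitigation is to review the archives (timestamps and contents) after any "borg check --repair" and before "borg prune". As an added example that is not part of this bug report or of borgbackup itself, the script below automates the timestamp half of that review: it parses the JSON that `borg list --json` prints and flags every archive whose name or timestamps do not match what the backup schedule should have produced, so that pruning is only run when nothing unexpected is present. The JSON field names (`archives`, `name`, `id`, `start`, `time`) are assumed to follow borg 1.2's `borg list --json` output; the sample archives, the naming scheme `host-YYYY-MM-DDT02:00:00`, the 02:00 schedule and the 30-day window are constructed for this example.

```python
"""Review borg archive metadata before pruning (added example, not borg's code).

Reads the JSON printed by `borg list --json`, applies the checks a backup
operator would do by hand (does every archive look like one our schedule
created?) and refuses to approve `borg prune` when anything looks off.
Field names are assumed to match borg 1.2's `borg list --json` output.
"""
import json
import re
import sys
from datetime import datetime, timedelta

# Constructed sample entries: three archives a nightly 02:00 job would create,
# plus two that do not fit the schedule and should stop the operator.
GOOD_ARCHIVES = [
    {"name": "host-2023-09-01T02:00:00", "id": "aa" * 32,
     "start": "2023-09-01T02:00:00.000000", "time": "2023-09-01T02:04:11.000000"},
    {"name": "host-2023-09-02T02:00:00", "id": "bb" * 32,
     "start": "2023-09-02T02:00:00.000000", "time": "2023-09-02T02:03:58.000000"},
    {"name": "host-2023-09-03T02:00:00", "id": "cc" * 32,
     "start": "2023-09-03T02:00:00.000000", "time": "2023-09-03T02:04:02.000000"},
]
SUSPICIOUS_ARCHIVES = [
    # Name fits the scheme, but the timestamp lies in the future.
    {"name": "host-2030-01-01T02:00:00", "id": "dd" * 32,
     "start": "2030-01-01T02:00:00.000000", "time": "2030-01-01T02:00:00.000000"},
    # Name outside the scheme, created at an unscheduled hour.
    {"name": "tmp", "id": "ee" * 32,
     "start": "2023-09-02T13:37:00.000000", "time": "2023-09-02T13:37:00.000000"},
]

# Constructed review parameters: the "current time" of the review and how far
# back a legitimate archive may date (the retention the prune policy keeps).
REVIEW_NOW = datetime(2023, 9, 4, 12, 0, 0)
RETENTION = timedelta(days=30)
NAME_RE = re.compile(r"^host-\d{4}-\d{2}-\d{2}T02:00:00$")  # our naming scheme
SCHEDULED_HOUR = 2


def make_list_json(archives):
    """Build a `borg list --json`-shaped document around the given entries."""
    return json.dumps({
        "archives": archives,
        "encryption": {"mode": "repokey-blake2"},
        "repository": {"id": "ff" * 32, "location": "/backup/repo"},
    })


def review_archives(list_json, now=REVIEW_NOW, retention=RETENTION):
    """Split archives into (accepted, flagged); flagged carries the reasons."""
    earliest = now - retention
    accepted, flagged = [], []
    for entry in json.loads(list_json)["archives"]:
        reasons = []
        start = datetime.fromisoformat(entry["start"])
        end = datetime.fromisoformat(entry["time"])
        if not NAME_RE.match(entry["name"]):
            reasons.append("name does not follow the backup naming scheme")
        if start > now:
            reasons.append("start timestamp is in the future")
        elif start < earliest:
            reasons.append("start timestamp predates the retention window")
        if start.hour != SCHEDULED_HOUR:
            reasons.append(f"started at {start.hour:02d}h, schedule runs at "
                           f"{SCHEDULED_HOUR:02d}h")
        if end <= start:
            # Heuristic, not from the advisory: a real run takes measurable time.
            reasons.append("end time is not after start time")
        (flagged if reasons else accepted).append((entry["name"], reasons))
    return accepted, flagged


def prune_is_safe(list_json, now=REVIEW_NOW, retention=RETENTION):
    """True only when no archive was flagged, i.e. `borg prune` may proceed."""
    return not review_archives(list_json, now, retention)[1]


if __name__ == "__main__":
    # Usage: borg list --json | python3 review_archives.py
    data = sys.stdin.read() if not sys.stdin.isatty() else make_list_json(
        GOOD_ARCHIVES + SUSPICIOUS_ARCHIVES)
    accepted, flagged = review_archives(data, now=datetime.now())
    for name, _ in accepted:
        print(f"ok       {name}")
    for name, reasons in flagged:
        print(f"REVIEW   {name}: {'; '.join(reasons)}")
    sys.exit(0 if not flagged else 1)
```

The script exits non-zero when anything is flagged, so a backup job can chain it between "borg check --repair" and "borg prune" and stop before pruning. It only covers the timestamp part of the advisory's advice; confirming that the contents of each archive are as expected remains a manual step.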
*** Bug 1223404 has been marked as a duplicate of this bug. ***
TW openSUSE:Factory/borgbackup 1.2.7

Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
https://build.opensuse.org/request/show/1170250

Needs fixing: openSUSE:Backports:SLE-15-SP5:Update/borgbackup

Maintainers, can you please action that?
(In reply to Andreas Stieger from comment #3)
> Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
> https://build.opensuse.org/request/show/1170250

Won't build. Please check. We can't really release a new stable distribution release with last year's vulnerabilities on a non-stable upstream release.
(In reply to Andreas Stieger from comment #4)
> (In reply to Andreas Stieger from comment #3)
> > Submitted 1.2.7 to openSUSE:Backports:SLE-15-SP6/borgbackup
> > https://build.opensuse.org/request/show/1170250
>
> Won't build. Please check. We can't really release a new stable distribution
> release with last year's vulnerabilities on a non-stable upstream release

The reason why it won't build is that SUSE 15.6 by default ships Python 3.6, which reached EOL 3 years ago. I'm new to SUSE, so I don't really know what to change inside the spec file to build with python3.11 instead of python3.6. Borg 1.2.7 is used by Oracle in EL, by the way...
Probably something from the wiki below is needed to use Leap's updated Python.
https://en.opensuse.org/openSUSE:Packaging_Python#Python_3_Leap

Looks like a nice weekend project.
(In reply to Andreas Stieger from comment #6)
> Probably something from the wiki below is needed to use Leap's updated
> python.
> https://en.opensuse.org/openSUSE:Packaging_Python#Python_3_Leap
> Looks like a nice weekend project.

Give me one more hour.
Created attachment 874518 [details]
spec file that works

Edited spec file from SUSE Tumbleweed. Updated to latest upstream.
https://github.com/borgbackup/borg/releases/download/1.2.8/borgbackup-1.2.8.tar.gz
https://github.com/borgbackup/borg/releases/download/1.2.8/borgbackup-1.2.8.tar.gz.asc

python-pyfuse3 is also required for borg mount, so I ported python-pyfuse3 from SUSE Tumbleweed too.
Created attachment 874519 [details]
python-pyfuse3

https://build.opensuse.org/package/show/home%3Aalarrosa%3Abranches%3Adevel%3Alanguages%3Apython/python-pyfuse3