CVE-2023-36811

Name: CVE-2023-36811
Description: borgbackup is an open-source, deduplicating archiver with compression and authenticated encryption. A flaw in the cryptographic authentication scheme in borgbackup allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository. The attack requires an attacker to be able to: 1. insert files (with no additional headers) into backups and 2. gain write access to the repository. This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives. The issue has been fixed in borgbackup 1.2.5. Users are advised to upgrade. In addition to installing the fixed code, users must follow the upgrade procedure as documented in the change log. Data loss after being attacked can be avoided by reviewing the archives (timestamp and contents valid and as expected) after any "borg check --repair" and before "borg prune". There are no known workarounds for this vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

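| Source Package   | Release     | Version         | Status     |
|------------------|-------------|-----------------|------------|
| borgbackup (PTS) | buster      | 1.1.9-2+deb10u1 | vulnerable |
|                  | bullseye    | 1.1.16-3        | vulnerable |
|                  | bookworm    | 1.2.4-1         | vulnerable |
|                  | sid, trixie | 1.2.7-2         | fixed      |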

The information below is based on the following data on fixed versions.

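| Package    | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs |
|------------|--------|------------|---------------|---------|--------|-------------|
| borgbackup | source | (unstable) | 1.2.5-1       |         |        |             |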

Notes

[bookworm] - borgbackup <ignored> (Minor issue)
[bullseye] - borgbackup <ignored> (Minor issue)
[buster] - borgbackup <ignored> (Minor issue)
https://github.com/borgbackup/borg/security/advisories/GHSA-8fjr-hghr-4m99
https://github.com/borgbackup/borg/commit/a2ee13fd341dcd004b4a06b17d6f2fc759327861
https://github.com/borgbackup/borg/commit/bfead4b288833f890523d8881797ff6b345edaf9
https://github.com/borgbackup/borg/commit/462c1bdf2e597bd2e276c8fea82c84fabc0b7244
https://github.com/borgbackup/borg/commit/277b0b81a860f4518d7bf0cc0951e77f9c99336d
https://github.com/borgbackup/borg/commit/b23e6cb73da01df038f7bd10c34a91c7187817b0
https://github.com/borgbackup/borg/commit/95b560442284eda3ffae403c3086d549f6e121b8
https://github.com/borgbackup/borg/commit/5cd2060345f38f2e0324ab178f847c2f45598b12
https://github.com/borgbackup/borg/commit/56da3987111eb80b4ca38ac3e6aaa7953c61d2e3
https://github.com/borgbackup/borg/commit/449cd51b73b0710a940af8cefe74793ce81563f4
https://github.com/borgbackup/borg/commit/f334ef1b4de2f8a359ededa41ce13358b81e63c1
https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811
Requires significant work to check and repair a repo after the upgrade.
