implement BORG_WORKAROUNDS=ignore_invalid_archive_tam, see borgbackup…

…#7791
ThomasWaldmann · Aug 30, 2023 · 8c084f0 · 8c084f0
1 parent 7ab2848
commit 8c084f0
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/docs/usage/general/environment.rst.inc b/docs/usage/general/environment.rst.inc
@@ -116,6 +116,14 @@ General:
 
             Now you can init a fresh repo. Make sure you do not use the workaround any more.
 
+        ignore_invalid_archive_tam
+            Work around invalid archive TAMs created by borg < 1.2.5, see issue #7791.
+
+            This workaround likely needs to get used only once when following the upgrade
+            instructions for CVE-2023-36811, see :ref:`archives_tam_vuln`.
+
+            In normal production operations, this workaround should never be used.
+
 Some automatic "answerers" (if set, they automatically answer confirmation questions):
     BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
         For "Warning: Attempting to access a previously unknown unencrypted repository"

diff --git a/src/borg/crypto/key.py b/src/borg/crypto/key.py
@@ -285,7 +285,7 @@ def unpack_and_verify_manifest(self, data, force_tam_not_required=False):
         return unpacked, True
 
     def unpack_and_verify_archive(self, data, force_tam_not_required=False):
-        """Unpack msgpacked *data* and return (object, did_verify)."""
+        """Unpack msgpacked *data* and return (object, did_verify, salt)."""
         tam_required = self.tam_required
         if force_tam_not_required and tam_required:
             # for a long time, borg only checked manifest for "tam_required" and
@@ -322,7 +322,11 @@ def unpack_and_verify_archive(self, data, force_tam_not_required=False):
         tam_key = self._tam_key(tam_salt, context=b'archive')
         calculated_hmac = hmac.digest(tam_key, data, 'sha512')
         if not hmac.compare_digest(calculated_hmac, tam_hmac):
-            raise ArchiveTAMInvalid()
+            if 'ignore_invalid_archive_tam' in workarounds:
+                logger.debug('ignoring invalid archive TAM due to BORG_WORKAROUNDS')
+                return unpacked, False, None  # same as if no TAM is present
+            else:
+                raise ArchiveTAMInvalid()
         logger.debug('TAM-verified archive')
         return unpacked, True, tam_salt