Borg 1.4.5 release for msgpack vulnerability?

[nijel]

Do you have plans to release 1.4.5 with updated msgpack dependency? I believe the changes are already done via #9790.

msgpack versions supported by the 1.4.4 release have high severity vulnerability GHSA-6v7p-g79w-8964.

I have no clue if the vulnerability actually affects borgbackup or not, but even if not, it would be great to resolve as the security scanners do complain on this.

[ThomasWaldmann]

I don't think it is of practical relevance. borg <= 1.4.4 only reuses the Unpacker at one place (borg delete/prune) and it would need a corrupted/tampered archive to crash the Unpacker (that needs at least fs access to the repository). For encrypted repositories it might even require the borg key to create an archive triggering this, because if you would just flip some bits in an archive metadata chunk, that chunk would fail AEAD authenticated decryption already and not even reach the problematic code.

dist package maintainers can just patch the version check if they want to make borg work with msgpack 1.2.1.

Since borg 1.4.2, there is also BORG_MSGPACK_VERSION_CHECK=no env var to optionally disable the msgpack version check; default is "yes"; use at your own risk, #9109.

But I might release 1.4.5 for other reasons, yet to be determined.

[nijel]

Thanks for claryfing the severity, that makes me feel safe to ignore this vulnerability for now.

PS: We install via PyPI (borgbackup is our dependency), so deps override is not really an option for us.