Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

btrbk: Remote Code Execution — GLSA 202402-32

A vulnerability has been discovered in btrbk which can lead to remote code execution.

Affected packages

Package app-backup/btrbk on all architectures
Affected versions < 0.31.2
Unaffected versions >= 0.31.2

Background

btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations.

Description

A vulnerability has been discovered in btrbk. Please review the CVE identifier referenced below for details.

Impact

Specialy crafted commands may be executed without being propely checked. Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh in authorized_keys.

Workaround

There is no known workaround at this time.

Resolution

All btrbk users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"

References

Release date
February 26, 2024

Latest revision
February 26, 2024: 1

Severity
normal

Exploitable
remote

Bugzilla entries