Date: Thu, 31 Aug 2023 20:43:36 GMT From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 9376c665d645 - main - security/vuxml: document borgbackup < 1.2.5 archive spoofing Message-ID: <202308312043.37VKhac5062226@gitrepo.freebsd.org>
The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=9376c665d645e6086ca0c979b0c3e869d0710835 commit 9376c665d645e6086ca0c979b0c3e869d0710835 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2023-08-31 20:39:54 +0000 Commit: Matthias Andree <mandree@FreeBSD.org> CommitDate: 2023-08-31 20:42:59 +0000 security/vuxml: document borgbackup < 1.2.5 archive spoofing Security: b8a52e5a-483d-11ee-971d-3df00e0f9020 Security: CVE-2023-36811 Security: https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811 --- archivers/py-borgbackup125/Makefile | 72 ++++++++++++++++++++++++++++++++++ archivers/py-borgbackup125/distinfo | 3 ++ archivers/py-borgbackup125/pkg-descr | 9 +++++ archivers/py-borgbackup125/pkg-message | 28 +++++++++++++ archivers/py-borgbackup125/pkg-plist | 35 +++++++++++++++++ security/vuxml/vuln/2023.xml | 35 +++++++++++++++++ 6 files changed, 182 insertions(+) diff --git a/archivers/py-borgbackup125/Makefile b/archivers/py-borgbackup125/Makefile new file mode 100644 index 000000000000..e932bc8f404e --- /dev/null +++ b/archivers/py-borgbackup125/Makefile 
@@ -0,0 +1,72 @@ +PORTNAME= borgbackup +DISTVERSION= 1.2.5 +CATEGORIES= archivers python +MASTER_SITES= PYPI \ + https://github.com/${PORTNAME}/borg/releases/download/${PORTVERSION}/ +PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} + +MAINTAINER= mandree@FreeBSD.org +COMMENT= Deduplicating backup program +WWW= https://pypi.org/project/borgbackup/ + +LICENSE= BSD3CLAUSE +LICENSE_FILE= ${WRKSRC}/LICENSE + +# note that borgbackup pins the msgpack version range per patchlevel version! +_BB_DEPENDS= ${PYTHON_PKGNAMEPREFIX}msgpack>=1.0.2<1.0.5_99:devel/py-msgpack@${PY_FLAVOR} +BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}setuptools_scm>=1.7:devel/py-setuptools_scm@${PY_FLAVOR} \ + ${_BB_DEPENDS} +LIB_DEPENDS= liblz4.so:archivers/liblz4 \ + libzstd.so:archivers/zstd \ + libxxhash.so:devel/xxhash +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}packaging>=19.0:devel/py-packaging@${PY_FLAVOR} \ + ${_BB_DEPENDS} +TEST_DEPENDS= ${RUN_DEPENDS} \ + ${PYTHON_PKGNAMEPREFIX}tox>3.2:devel/py-tox@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}virtualenv>=0:devel/py-virtualenv@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}pkgconfig>=0:devel/py-pkgconfig@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}wheel>=0:devel/py-wheel@${PY_FLAVOR} \ + fakeroot:security/fakeroot +USES= pkgconfig python ssl +USE_PYTHON= autoplist distutils +MAKE_ENV= BORG_OPENSSL_PREFIX=${OPENSSLBASE} + +OPTIONS_DEFINE= FUSE +OPTIONS_DEFAULT= FUSE + +FUSE_DESC= Support to mount locally borg backup files +FUSE_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}llfuse>0:devel/py-llfuse@${PY_FLAVOR} + +_BORGHOME=${WRKDIR}/testhome +_BORGENV=-i BORG_PASSPHRASE=secret123 PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} HOME=${_BORGHOME} +post-install: + ${MKDIR} ${STAGEDIR}${MAN1PREFIX}/share/man/man1/ + ${INSTALL_MAN} ${WRKSRC}/docs/man/* ${STAGEDIR}${MAN1PREFIX}/share/man/man1/ + ${FIND} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/borg/ -name "*.so" \ + -exec ${STRIP_CMD} {} \; + @${ECHO_MSG} "----> running borg smoke tests" + ${MKDIR} ${_BORGHOME} + ${SETENV} 
PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} ${STAGEDIR}${PREFIX}/bin/borg -V + ${RM} -r ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg init --encryption=repokey ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg key export ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test1 ${WRKSRC} + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test2 ${WRKSRC} ${STAGEDIR} + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg prune --keep-last 1 ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${ECHO_CMD} YES \ + | ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --repair ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg compact --progress ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg extract --dry-run --progress ${WRKDIR}/borgrepo::test2 + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg export-tar ${WRKDIR}/borgrepo::test2 - >/dev/null + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo + # long output - ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo::test2 | ${GREP} -v ^d + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo + +do-test: + cd ${WRKSRC} && ${SETENV} ${_BORGENV} ${TEST_ENV} tox-${PYTHON_VER} -e ${PY_FLAVOR} -vv + +.include <bsd.port.mk> diff --git a/archivers/py-borgbackup125/distinfo b/archivers/py-borgbackup125/distinfo new file mode 100644 index 000000000000..abb3ca268ca2 --- /dev/null +++ b/archivers/py-borgbackup125/distinfo 
@@ -0,0 +1,3 @@ +TIMESTAMP = 1693512928 +SHA256 (borgbackup-1.2.5.tar.gz) = 72580779459ba72ea7e7d2e2a2ebd4f377c403236dd0ea148606036e4b631876 +SIZE (borgbackup-1.2.5.tar.gz) = 4074588 diff --git a/archivers/py-borgbackup125/pkg-descr b/archivers/py-borgbackup125/pkg-descr new file mode 100644 index 000000000000..f2e09ee51b29 --- /dev/null +++ b/archivers/py-borgbackup125/pkg-descr @@ -0,0 +1,9 @@ +[excerpt from borgbackup web site] + +BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it +supports compression and authenticated encryption. + +The main goal of Borg is to provide an efficient and secure way to backup data. +The data deduplication technique used makes Borg suitable for daily backups +since only changes are stored. The authenticated encryption technique makes it +suitable for backups to not fully trusted targets. diff --git a/archivers/py-borgbackup125/pkg-message b/archivers/py-borgbackup125/pkg-message new file mode 100644 index 000000000000..8fcc0ba5f821 --- /dev/null +++ b/archivers/py-borgbackup125/pkg-message @@ -0,0 +1,28 @@ +[ +{ type: install + message: <<EOM +In order to mount locally a remote archive or an entire repository as a FUSE +filesystem, it is required to load fusefs module: + +# kldload fusefs + +To load the module at boot time, add + +fusefs_load="YES" + +to /boot/loader.conf by running: + +sysrc fusefs_load="YES" + +Also, if you plan to mount borg repositories as non root user, you need to run + +# sysctl vfs.usermount=1 + +and add the line + +vfs.usermount=1 + +to /etc/sysctl.conf to ensure the setting is loaded at boot time. +EOM +} +] diff --git a/archivers/py-borgbackup125/pkg-plist b/archivers/py-borgbackup125/pkg-plist new file mode 100644 index 000000000000..8582338afb36 --- /dev/null +++ b/archivers/py-borgbackup125/pkg-plist 
@@ -0,0 +1,35 @@ +share/man/man1/borg-benchmark-crud.1.gz +share/man/man1/borg-benchmark.1.gz +share/man/man1/borg-break-lock.1.gz +share/man/man1/borg-change-passphrase.1.gz +share/man/man1/borg-check.1.gz +share/man/man1/borg-common.1.gz +share/man/man1/borg-compact.1.gz +share/man/man1/borg-compression.1.gz +share/man/man1/borg-config.1.gz +share/man/man1/borg-create.1.gz +share/man/man1/borg-delete.1.gz +share/man/man1/borg-diff.1.gz +share/man/man1/borg-export-tar.1.gz +share/man/man1/borg-extract.1.gz +share/man/man1/borg-import-tar.1.gz +share/man/man1/borg-info.1.gz +share/man/man1/borg-init.1.gz +share/man/man1/borg-key-change-passphrase.1.gz +share/man/man1/borg-key-export.1.gz +share/man/man1/borg-key-import.1.gz +share/man/man1/borg-key-migrate-to-repokey.1.gz +share/man/man1/borg-key.1.gz +share/man/man1/borg-list.1.gz +share/man/man1/borg-mount.1.gz +share/man/man1/borg-patterns.1.gz +share/man/man1/borg-placeholders.1.gz +share/man/man1/borg-prune.1.gz +share/man/man1/borg-recreate.1.gz +share/man/man1/borg-rename.1.gz +share/man/man1/borg-serve.1.gz +share/man/man1/borg-umount.1.gz +share/man/man1/borg-upgrade.1.gz +share/man/man1/borg-with-lock.1.gz +share/man/man1/borg.1.gz +share/man/man1/borgfs.1.gz diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 96fb30337271..902e6a2dbd4b 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,38 @@ + <vuln vid="b8a52e5a-483d-11ee-971d-3df00e0f9020"> + <topic>Borg (Backup) -- flaw in cryptographic authentication scheme in Borg allowed an attacker to fake archives and indirectly cause backup data loss.</topic> + <affects> + <package> + <name>py37-borgbackup</name> + <name>py38-borgbackup</name> + <name>py39-borgbackup</name> + <name>py310-borgbackup</name> + <name>py311-borgbackup</name> + <name>py312-borgbackup</name> + <range><lt>1.2.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Thomas Waldmann reports:</p> + <blockquote cite="https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811"> + <p>A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.</p> + <p>The attack requires an attacker to be able to</p> + <ul><li>insert files (with no additional headers) into backups</li> + <li>gain write access to the repository</li></ul> + <p>This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-36811</cvename> + <url>https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811</url> + </references> + <dates> + <discovery>2023-06-13</discovery> + <entry>2023-08-31</entry> + </dates> + </vuln> + <vuln vid="970dcbe0-a947-41a4-abe9-7aaba87f41fe"> <topic>electron25 -- multiple vulnerabilities</topic> <affects>
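Review bot: the post-install smoke test in the archivers/py-borgbackup125/Makefile hunk does not exercise the code path this release fixes. Both archives it checks (`test1`, `test2`) are created by the 1.2.5 binary under test in a freshly `borg init --encryption=repokey` repository, so a regression in rejecting the "fake archives" the vuxml hunk describes (CVE-2023-36811) would still pass every `borg check --verify-data` here. If regression coverage for the fix is the intent, keep a small pre-built repository containing an unauthenticated archive under `${FILESDIR}` and assert on the expected outcome when 1.2.5 opens it; otherwise the block is a plain smoke test and might better live in `do-test` next to the tox run, since `borg init`/`create`/`compact` on every `make install` costs package builders time they did not ask for. Two smaller points in the same hunk: `borg key export ${WRKDIR}/borgrepo` with no output path writes the repokey to stdout, i.e. into the build log, and redirecting it to `/dev/null` keeps a key blob (throwaway as it is, passphrase `secret123`) out of poudriere logs; and the commit subject only mentions security/vuxml, yet this hunk introduces a brand-new port with its own distinfo, pkg-descr, pkg-message and pkg-plist, which deserves a line in the commit message or a separate commit.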
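Review bot: the distinfo hunk records a single SHA256 for `borgbackup-1.2.5.tar.gz`, while the Makefile lists two MASTER_SITES (PYPI and `https://github.com/${PORTNAME}/borg/releases/download/${PORTVERSION}/`); a fetch that falls through to the GitHub site only succeeds if the asset there is byte-identical to the PyPI sdist, so please confirm that before relying on GitHub as a fallback mirror, or drop it.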
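Review bot: the pkg-message hunk is shown on every install, but the FUSE mounting it documents depends on the optional FUSE option (`OPTIONS_DEFINE= FUSE`); a user who built with FUSE off is told to load fusefs and set `vfs.usermount=1`, a system-wide sysctl that permits unprivileged users to mount filesystems, for a feature the package does not have. Consider prefacing the message with a line saying both steps apply only when the FUSE option is enabled.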
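Review bot: in the security/vuxml/vuln/2023.xml hunk the `<topic>` is a full sentence copied from the advisory; vuxml topics are conventionally a short `package -- summary` line (compare the adjacent `electron25 -- multiple vulnerabilities` entry), so something like `borgbackup -- archive spoofing via flawed cryptographic authentication` would fit, with the detail staying in `<description>`. Also, the description says the attacker needs repository write access and that existing archives' authenticity is not affected, but gives no hint about what a user must do beyond installing 1.2.5; if the linked changes.rst section carries post-upgrade steps for existing repositories, a one-line pointer to them in the description would stop readers from assuming `pkg upgrade` alone closes the issue.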
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202308312043.37VKhac5062226>