Date: Thu, 31 Aug 2023 20:43:36 GMT
Message-Id: <202308312043.37VKhac5062226@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: 9376c665d645 - main - security/vuxml: document borgbackup < 1.2.5 archive spoofing
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9376c665d645e6086ca0c979b0c3e869d0710835

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9376c665d645e6086ca0c979b0c3e869d0710835

commit 9376c665d645e6086ca0c979b0c3e869d0710835
Author:     Matthias Andree
AuthorDate: 2023-08-31 20:39:54 +0000
Commit:     Matthias Andree
CommitDate: 2023-08-31 20:42:59 +0000

    security/vuxml: document borgbackup < 1.2.5 archive spoofing

    Security: b8a52e5a-483d-11ee-971d-3df00e0f9020
    Security: CVE-2023-36811
    Security: https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
---
 archivers/py-borgbackup125/Makefile    | 72 ++++++++++++++++++++++++++++++++++
 archivers/py-borgbackup125/distinfo    |  3 ++
 archivers/py-borgbackup125/pkg-descr   |  9 +++++
 archivers/py-borgbackup125/pkg-message | 28 +++++++++++++
 archivers/py-borgbackup125/pkg-plist   | 35 +++++++++++++++++
 security/vuxml/vuln/2023.xml           | 35 +++++++++++++++++
 6 files changed, 182 insertions(+)

diff --git a/archivers/py-borgbackup125/Makefile b/archivers/py-borgbackup125/Makefile
new file mode 100644
index 000000000000..e932bc8f404e
--- /dev/null
+++ b/archivers/py-borgbackup125/Makefile
@@ -0,0 +1,72 @@ +PORTNAME= borgbackup +DISTVERSION= 1.2.5 +CATEGORIES= archivers python +MASTER_SITES= PYPI \ + https://github.com/${PORTNAME}/borg/releases/download/${PORTVERSION}/ +PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} + +MAINTAINER= mandree@FreeBSD.org +COMMENT= Deduplicating backup program +WWW= https://pypi.org/project/borgbackup/ + +LICENSE= BSD3CLAUSE +LICENSE_FILE= ${WRKSRC}/LICENSE + +# note that borgbackup pins the msgpack version range per patchlevel version! +_BB_DEPENDS= ${PYTHON_PKGNAMEPREFIX}msgpack>=1.0.2<1.0.5_99:devel/py-msgpack@${PY_FLAVOR} +BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}setuptools_scm>=1.7:devel/py-setuptools_scm@${PY_FLAVOR} \ + ${_BB_DEPENDS} +LIB_DEPENDS= liblz4.so:archivers/liblz4 \ + libzstd.so:archivers/zstd \ + libxxhash.so:devel/xxhash +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}packaging>=19.0:devel/py-packaging@${PY_FLAVOR} \ + ${_BB_DEPENDS} +TEST_DEPENDS= ${RUN_DEPENDS} \ + ${PYTHON_PKGNAMEPREFIX}tox>3.2:devel/py-tox@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}virtualenv>=0:devel/py-virtualenv@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}pkgconfig>=0:devel/py-pkgconfig@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}wheel>=0:devel/py-wheel@${PY_FLAVOR} \ + fakeroot:security/fakeroot +USES= pkgconfig python ssl +USE_PYTHON= autoplist distutils +MAKE_ENV= BORG_OPENSSL_PREFIX=${OPENSSLBASE} + +OPTIONS_DEFINE= FUSE +OPTIONS_DEFAULT= FUSE + +FUSE_DESC= Support to mount locally borg backup files +FUSE_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}llfuse>0:devel/py-llfuse@${PY_FLAVOR} + +_BORGHOME=${WRKDIR}/testhome +_BORGENV=-i BORG_PASSPHRASE=secret123 PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} HOME=${_BORGHOME} +post-install: + ${MKDIR} ${STAGEDIR}${MAN1PREFIX}/share/man/man1/ + ${INSTALL_MAN} ${WRKSRC}/docs/man/* ${STAGEDIR}${MAN1PREFIX}/share/man/man1/ + ${FIND} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/borg/ -name "*.so" \ + -exec ${STRIP_CMD} {} \; + @${ECHO_MSG} "----> running borg smoke tests" + ${MKDIR} ${_BORGHOME} + ${SETENV} 
PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} ${STAGEDIR}${PREFIX}/bin/borg -V + ${RM} -r ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg init --encryption=repokey ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg key export ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test1 ${WRKSRC} + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test2 ${WRKSRC} ${STAGEDIR} + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg prune --keep-last 1 ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${ECHO_CMD} YES \ + | ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --repair ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg compact --progress ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg extract --dry-run --progress ${WRKDIR}/borgrepo::test2 + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg export-tar ${WRKDIR}/borgrepo::test2 - >/dev/null + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo + # long output - ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo::test2 | ${GREP} -v ^d + ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo + +do-test: + cd ${WRKSRC} && ${SETENV} ${_BORGENV} ${TEST_ENV} tox-${PYTHON_VER} -e ${PY_FLAVOR} -vv + +.include diff --git a/archivers/py-borgbackup125/distinfo b/archivers/py-borgbackup125/distinfo new file mode 100644 index 000000000000..abb3ca268ca2 --- /dev/null +++ b/archivers/py-borgbackup125/distinfo 
@@ -0,0 +1,3 @@ +TIMESTAMP = 1693512928 +SHA256 (borgbackup-1.2.5.tar.gz) = 72580779459ba72ea7e7d2e2a2ebd4f377c403236dd0ea148606036e4b631876 +SIZE (borgbackup-1.2.5.tar.gz) = 4074588 diff --git a/archivers/py-borgbackup125/pkg-descr b/archivers/py-borgbackup125/pkg-descr new file mode 100644 index 000000000000..f2e09ee51b29 --- /dev/null +++ b/archivers/py-borgbackup125/pkg-descr @@ -0,0 +1,9 @@ +[excerpt from borgbackup web site] + +BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it +supports compression and authenticated encryption. + +The main goal of Borg is to provide an efficient and secure way to backup data. +The data deduplication technique used makes Borg suitable for daily backups +since only changes are stored. The authenticated encryption technique makes it +suitable for backups to not fully trusted targets. diff --git a/archivers/py-borgbackup125/pkg-message b/archivers/py-borgbackup125/pkg-message new file mode 100644 index 000000000000..8fcc0ba5f821 --- /dev/null +++ b/archivers/py-borgbackup125/pkg-message @@ -0,0 +1,28 @@ +[ +{ type: install + message: < + Borg (Backup) -- flaw in cryptographic authentication scheme in Borg allowed an attacker to fake archives and indirectly cause backup data loss. + + + py37-borgbackup + py38-borgbackup + py39-borgbackup + py310-borgbackup + py311-borgbackup + py312-borgbackup + 1.2.5 + + + + +

Thomas Waldmann reports:

+
+

A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.

+

The attack requires an attacker to be able to

+
  • insert files (with no additional headers) into backups
  • +
  • gain write access to the repository
+

This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.

+
+ +
+ + CVE-2023-36811 + https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811 + + + 2023-06-13 + 2023-08-31 + + + electron25 -- multiple vulnerabilities
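Review bot: the archivers/py-borgbackup125/Makefile hunk sets no PKGNAMESUFFIX, so with PORTNAME= borgbackup and PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} this port produces a package named ${PYTHON_PKGNAMEPREFIX}borgbackup-1.2.5, the same name pattern (py39-borgbackup and friends) that the vuxml entry in this commit lists; a version-suffixed port directory usually carries PKGNAMESUFFIX= 125 plus a CONFLICTS line so that both packages can exist in one repository, so please confirm the intended relationship to the unsuffixed package. A smaller point in the post-install smoke tests: `${ECHO_CMD} YES | ... borg check --repair` drives borg's safety prompt through a pipe; borg reads BORG_CHECK_I_KNOW_WHAT_I_AM_DOING=YES for exactly this prompt, so adding it to _BORGENV removes the pipe and keeps the recipe line consistent with the other `${SETENV} ${_BORGENV} ... borg` lines.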
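Review bot: in the archivers/py-borgbackup125/pkg-descr hunk, "an efficient and secure way to backup data" uses the noun as a verb; the verb form is "back up data". The text is labelled as an excerpt from the upstream site, so either keep it verbatim or fix the wording and drop the excerpt label, but not a silently edited quotation.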
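Review bot: the security/vuxml/vuln/2023.xml hunk quotes only upstream's impact paragraphs (attacker needs to insert files into backups and gain write access; no plaintext disclosure; existing archives stay authentic) and says nothing about what operators of existing repositories must do after installing 1.2.5; the linked changes.rst section describes a post-upgrade step for each existing repository (upstream's `borg upgrade --tam --force REPO`). Given the topic line's "indirectly cause backup data loss", a one-sentence pointer to those upgrade instructions would make the entry actionable rather than purely descriptive. Also, the entry's references carry no June date, so please confirm that <discovery>2023-06-13</discovery> is taken from the linked upstream document rather than from the CVE reservation date.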