security/vuxml: document borgbackup < 1.2.5 archive spoofing
Security: b8a52e5a-483d-11ee-971d-3df00e0f9020 Security: CVE-2023-36811 Security: https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
This commit is contained in:
parent
0d9d25c217
commit
9376c665d6
6 changed files with 182 additions and 0 deletions
72
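--- a/archivers/py-borgbackup125/Makefile
+++ b/archivers/py-borgbackup125/Makefile
@@ -0,0 +1,72 @@
+PORTNAME=	borgbackup
+DISTVERSION=	1.2.5
+CATEGORIES=	archivers python
+MASTER_SITES=	PYPI \
+		https://github.com/${PORTNAME}/borg/releases/download/${PORTVERSION}/
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+
+MAINTAINER=	mandree@FreeBSD.org
+COMMENT=	Deduplicating backup program
+WWW=		https://pypi.org/project/borgbackup/
+
+LICENSE=	BSD3CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+# note that borgbackup pins the msgpack version range per patchlevel version!
+_BB_DEPENDS=	${PYTHON_PKGNAMEPREFIX}msgpack>=1.0.2<1.0.5_99:devel/py-msgpack@${PY_FLAVOR}
+BUILD_DEPENDS=	${PYTHON_PKGNAMEPREFIX}setuptools_scm>=1.7:devel/py-setuptools_scm@${PY_FLAVOR} \
+		${_BB_DEPENDS}
+LIB_DEPENDS=	liblz4.so:archivers/liblz4 \
+		libzstd.so:archivers/zstd \
+		libxxhash.so:devel/xxhash
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}packaging>=19.0:devel/py-packaging@${PY_FLAVOR} \
+		${_BB_DEPENDS}
+TEST_DEPENDS=	${RUN_DEPENDS} \
+		${PYTHON_PKGNAMEPREFIX}tox>3.2:devel/py-tox@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}virtualenv>=0:devel/py-virtualenv@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pkgconfig>=0:devel/py-pkgconfig@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}wheel>=0:devel/py-wheel@${PY_FLAVOR} \
+		fakeroot:security/fakeroot
+USES=		pkgconfig python ssl
+USE_PYTHON=	autoplist distutils
+MAKE_ENV=	BORG_OPENSSL_PREFIX=${OPENSSLBASE}
+
+OPTIONS_DEFINE=	FUSE
+OPTIONS_DEFAULT=	FUSE
+
+FUSE_DESC=	Support to mount locally borg backup files
+FUSE_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}llfuse>0:devel/py-llfuse@${PY_FLAVOR}
+
+_BORGHOME=${WRKDIR}/testhome
+_BORGENV=-i BORG_PASSPHRASE=secret123 PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} HOME=${_BORGHOME}
+post-install:
+	${MKDIR} ${STAGEDIR}${MAN1PREFIX}/share/man/man1/
+	${INSTALL_MAN} ${WRKSRC}/docs/man/* ${STAGEDIR}${MAN1PREFIX}/share/man/man1/
+	${FIND} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/borg/ -name "*.so" \
+		-exec ${STRIP_CMD} {} \;
+	@${ECHO_MSG} "----> running borg smoke tests"
+	${MKDIR} ${_BORGHOME}
+	${SETENV} PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} ${STAGEDIR}${PREFIX}/bin/borg -V
+	${RM} -r ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg init --encryption=repokey ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg key export ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test1 ${WRKSRC}
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test2 ${WRKSRC} ${STAGEDIR}
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg prune --keep-last 1 ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${ECHO_CMD} YES \
+	| ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --repair ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg compact --progress ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg extract --dry-run --progress ${WRKDIR}/borgrepo::test2
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg export-tar ${WRKDIR}/borgrepo::test2 - >/dev/null
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo
+	# long output - ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo::test2 | ${GREP} -v ^d
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo
+
+do-test:
+	cd ${WRKSRC} && ${SETENV} ${_BORGENV} ${TEST_ENV} tox-${PYTHON_VER} -e ${PY_FLAVOR} -vv
+
+.include <bsd.port.mk>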
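Review bot: The sixteen smoke-test lines under post-install each spell out `${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg`, which buries the one token that differs per step; a single helper such as `_BORG_CMD=	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg` would let each step read `${_BORG_CMD} check --verify-data ${WRKDIR}/borgrepo`. The `-i` in _BORGENV and the fixed `BORG_PASSPHRASE=secret123` deserve a one-line comment stating the intent, e.g. `# isolated environment for a throwaway test repository under WRKDIR; the passphrase protects nothing`, so a later edit neither reuses the value nor drops the isolation. The commented-out `# long output - ...` recipe line is dead code and should become a real step or be removed. Note also that these tests only exercise a repository freshly created by 1.2.5, so they presumably do not cover repositories written by earlier releases that the accompanying vuxml entry is about; a comment saying so would keep that limit visible.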
3
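--- a/archivers/py-borgbackup125/distinfo
+++ b/archivers/py-borgbackup125/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1693512928
+SHA256 (borgbackup-1.2.5.tar.gz) = 72580779459ba72ea7e7d2e2a2ebd4f377c403236dd0ea148606036e4b631876
+SIZE (borgbackup-1.2.5.tar.gz) = 4074588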
9
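--- a/archivers/py-borgbackup125/pkg-descr
+++ b/archivers/py-borgbackup125/pkg-descr
@@ -0,0 +1,9 @@
+[excerpt from borgbackup web site]
+
+BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it
+supports compression and authenticated encryption.
+
+The main goal of Borg is to provide an efficient and secure way to backup data.
+The data deduplication technique used makes Borg suitable for daily backups
+since only changes are stored. The authenticated encryption technique makes it
+suitable for backups to not fully trusted targets.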
28
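--- a/archivers/py-borgbackup125/pkg-message
+++ b/archivers/py-borgbackup125/pkg-message
@@ -0,0 +1,28 @@
+[
+{ type: install
+  message: <<EOM
+In order to mount locally a remote archive or an entire repository as a FUSE
+filesystem, it is required to load fusefs module:
+
+# kldload fusefs
+
+To load the module at boot time, add
+
+fusefs_load="YES"
+
+to /boot/loader.conf by running:
+
+sysrc fusefs_load="YES"
+
+Also, if you plan to mount borg repositories as non root user, you need to run
+
+# sysctl vfs.usermount=1
+
+and add the line
+
+vfs.usermount=1
+
+to /etc/sysctl.conf to ensure the setting is loaded at boot time.
+EOM
+}
+]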
35
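--- a/archivers/py-borgbackup125/pkg-plist
+++ b/archivers/py-borgbackup125/pkg-plist
@@ -0,0 +1,35 @@
+share/man/man1/borg-benchmark-crud.1.gz
+share/man/man1/borg-benchmark.1.gz
+share/man/man1/borg-break-lock.1.gz
+share/man/man1/borg-change-passphrase.1.gz
+share/man/man1/borg-check.1.gz
+share/man/man1/borg-common.1.gz
+share/man/man1/borg-compact.1.gz
+share/man/man1/borg-compression.1.gz
+share/man/man1/borg-config.1.gz
+share/man/man1/borg-create.1.gz
+share/man/man1/borg-delete.1.gz
+share/man/man1/borg-diff.1.gz
+share/man/man1/borg-export-tar.1.gz
+share/man/man1/borg-extract.1.gz
+share/man/man1/borg-import-tar.1.gz
+share/man/man1/borg-info.1.gz
+share/man/man1/borg-init.1.gz
+share/man/man1/borg-key-change-passphrase.1.gz
+share/man/man1/borg-key-export.1.gz
+share/man/man1/borg-key-import.1.gz
+share/man/man1/borg-key-migrate-to-repokey.1.gz
+share/man/man1/borg-key.1.gz
+share/man/man1/borg-list.1.gz
+share/man/man1/borg-mount.1.gz
+share/man/man1/borg-patterns.1.gz
+share/man/man1/borg-placeholders.1.gz
+share/man/man1/borg-prune.1.gz
+share/man/man1/borg-recreate.1.gz
+share/man/man1/borg-rename.1.gz
+share/man/man1/borg-serve.1.gz
+share/man/man1/borg-umount.1.gz
+share/man/man1/borg-upgrade.1.gz
+share/man/man1/borg-with-lock.1.gz
+share/man/man1/borg.1.gz
+share/man/man1/borgfs.1.gz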
|
@ -1,3 +1,38 @@
|
|||
<vuln vid="b8a52e5a-483d-11ee-971d-3df00e0f9020">
|
||||
<topic>Borg (Backup) -- flaw in cryptographic authentication scheme in Borg allowed an attacker to fake archives and indirectly cause backup data loss.</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>py37-borgbackup</name>
|
||||
<name>py38-borgbackup</name>
|
||||
<name>py39-borgbackup</name>
|
||||
<name>py310-borgbackup</name>
|
||||
<name>py311-borgbackup</name>
|
||||
<name>py312-borgbackup</name>
|
||||
<range><lt>1.2.5</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>Thomas Waldmann reports:</p>
|
||||
<blockquote cite="https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811">
|
||||
<p>A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.</p>
|
||||
<p>The attack requires an attacker to be able to</p>
|
||||
<ul><li>insert files (with no additional headers) into backups</li>
|
||||
<li>gain write access to the repository</li></ul>
|
||||
<p>This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.</p>
|
||||
</blockquote>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<cvename>CVE-2023-36811</cvename>
|
||||
<url>https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811</url>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2023-06-13</discovery>
|
||||
<entry>2023-08-31</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="970dcbe0-a947-41a4-abe9-7aaba87f41fe">
|
||||
<topic>electron25 -- multiple vulnerabilities</topic>
|
||||
<affects>
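Review bot: The new `<description>` quotes the advisory's impact paragraphs but stops before its remediation guidance, so a reader of this entry alone may conclude that installing 1.2.5 is sufficient; as far as I recall, the changes.rst section already cited in `<url>` also states that repositories written by earlier releases need an explicit upgrade step once all clients run 1.2.5, and that sentence is worth quoting as one more `<p>` inside the blockquote. The `<range>` of `<lt>1.2.5</lt>` is consistent with that advisory, which lists no fix on an older branch. The three trailing context lines show the following electron25 entry unchanged; the enclosing document continues outside the hunk.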
|
||||
|
|