git: 9376c665d645 - main - security/vuxml: document borgbackup < 1.2.5 archive spoofing

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Thu, 31 Aug 2023 20:43:36 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9376c665d645e6086ca0c979b0c3e869d0710835

commit 9376c665d645e6086ca0c979b0c3e869d0710835
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-08-31 20:39:54 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-08-31 20:42:59 +0000

    security/vuxml: document borgbackup < 1.2.5 archive spoofing
    
    Security:       b8a52e5a-483d-11ee-971d-3df00e0f9020
    Security:       CVE-2023-36811
    Security:       https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
---
 archivers/py-borgbackup125/Makefile    | 72 ++++++++++++++++++++++++++++++++++
 archivers/py-borgbackup125/distinfo    |  3 ++
 archivers/py-borgbackup125/pkg-descr   |  9 +++++
 archivers/py-borgbackup125/pkg-message | 28 +++++++++++++
 archivers/py-borgbackup125/pkg-plist   | 35 +++++++++++++++++
 security/vuxml/vuln/2023.xml           | 35 +++++++++++++++++
 6 files changed, 182 insertions(+)

diff --git a/archivers/py-borgbackup125/Makefile b/archivers/py-borgbackup125/Makefile
new file mode 100644
index 000000000000..e932bc8f404e
--- /dev/null
+++ b/archivers/py-borgbackup125/Makefile
@@ -0,0 +1,72 @@
+PORTNAME=	borgbackup
+DISTVERSION=	1.2.5
+CATEGORIES=	archivers python
+MASTER_SITES=	PYPI \
+		https://github.com/${PORTNAME}/borg/releases/download/${PORTVERSION}/
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+
+MAINTAINER=	mandree@FreeBSD.org
+COMMENT=	Deduplicating backup program
+WWW=		https://pypi.org/project/borgbackup/
+
+LICENSE=	BSD3CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+# note that borgbackup pins the msgpack version range per patchlevel version!
+_BB_DEPENDS=	${PYTHON_PKGNAMEPREFIX}msgpack>=1.0.2<1.0.5_99:devel/py-msgpack@${PY_FLAVOR}
+BUILD_DEPENDS=	${PYTHON_PKGNAMEPREFIX}setuptools_scm>=1.7:devel/py-setuptools_scm@${PY_FLAVOR} \
+		${_BB_DEPENDS}
+LIB_DEPENDS=	liblz4.so:archivers/liblz4 \
+		libzstd.so:archivers/zstd \
+		libxxhash.so:devel/xxhash
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}packaging>=19.0:devel/py-packaging@${PY_FLAVOR} \
+		${_BB_DEPENDS}
+TEST_DEPENDS=	${RUN_DEPENDS} \
+		${PYTHON_PKGNAMEPREFIX}tox>3.2:devel/py-tox@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}virtualenv>=0:devel/py-virtualenv@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pkgconfig>=0:devel/py-pkgconfig@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}wheel>=0:devel/py-wheel@${PY_FLAVOR} \
+		fakeroot:security/fakeroot
+USES=		pkgconfig python ssl
+USE_PYTHON=	autoplist distutils
+MAKE_ENV=	BORG_OPENSSL_PREFIX=${OPENSSLBASE}
+
+OPTIONS_DEFINE=		FUSE
+OPTIONS_DEFAULT=	FUSE
+
+FUSE_DESC=	Support to mount locally borg backup files
+FUSE_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}llfuse>0:devel/py-llfuse@${PY_FLAVOR}
+
+_BORGHOME=${WRKDIR}/testhome
+_BORGENV=-i BORG_PASSPHRASE=secret123 PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} HOME=${_BORGHOME}
+post-install:
+	${MKDIR} ${STAGEDIR}${MAN1PREFIX}/share/man/man1/
+	${INSTALL_MAN} ${WRKSRC}/docs/man/* ${STAGEDIR}${MAN1PREFIX}/share/man/man1/
+	${FIND} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/borg/ -name "*.so" \
+		-exec ${STRIP_CMD} {} \;
+	@${ECHO_MSG} "----> running borg smoke tests"
+	${MKDIR} ${_BORGHOME}
+	${SETENV} PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} ${STAGEDIR}${PREFIX}/bin/borg -V
+	${RM} -r ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg init --encryption=repokey ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg key export ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test1 ${WRKSRC}
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg create ${WRKDIR}/borgrepo::test2 ${WRKSRC} ${STAGEDIR}
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg prune --keep-last 1 ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${ECHO_CMD} YES \
+	| ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --repair ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg compact --progress ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg check --verify-data ${WRKDIR}/borgrepo
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg extract --dry-run --progress ${WRKDIR}/borgrepo::test2
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg export-tar ${WRKDIR}/borgrepo::test2 - >/dev/null
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo
+	# long output - ${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg list ${WRKDIR}/borgrepo::test2 | ${GREP} -v ^d
+	${SETENV} ${_BORGENV} ${STAGEDIR}${PREFIX}/bin/borg info ${WRKDIR}/borgrepo
+
+do-test:
+	cd ${WRKSRC} && ${SETENV} ${_BORGENV} ${TEST_ENV} tox-${PYTHON_VER} -e ${PY_FLAVOR} -vv
+
+.include <bsd.port.mk>
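Review bot: `_BORGENV` begins with `-i`, so every `${SETENV} ${_BORGENV} …` line runs with an emptied environment, PATH included; the post-install smoke tests survive that because borg is invoked by absolute path, but the `do-test` recipe resolves `tox-${PYTHON_VER}` by name and only works if `${TEST_ENV}` (defined outside this file) puts PATH back. Either make that explicit in the variable, `_BORGENV=-i PATH=${PATH} BORG_PASSPHRASE=secret123 PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR} HOME=${_BORGHOME}`, or record the assumption next to it: `# -i wipes the environment incl. PATH; use absolute paths or restore PATH via TEST_ENV`. A short comment above `post-install` would also help readers: the smoke test drives the staged binary against a throwaway repository under ${WRKDIR} created with a dummy passphrase, so the key that `borg key export` prints into the build output is not sensitive material. The commented-out `# long output - …` recipe line is dead code that ships in every build; drop it rather than keep it as a permanent no-op.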
diff --git a/archivers/py-borgbackup125/distinfo b/archivers/py-borgbackup125/distinfo
new file mode 100644
index 000000000000..abb3ca268ca2
--- /dev/null
+++ b/archivers/py-borgbackup125/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1693512928
+SHA256 (borgbackup-1.2.5.tar.gz) = 72580779459ba72ea7e7d2e2a2ebd4f377c403236dd0ea148606036e4b631876
+SIZE (borgbackup-1.2.5.tar.gz) = 4074588
diff --git a/archivers/py-borgbackup125/pkg-descr b/archivers/py-borgbackup125/pkg-descr
new file mode 100644
index 000000000000..f2e09ee51b29
--- /dev/null
+++ b/archivers/py-borgbackup125/pkg-descr
@@ -0,0 +1,9 @@
+[excerpt from borgbackup web site]
+
+BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it
+supports compression and authenticated encryption.
+
+The main goal of Borg is to provide an efficient and secure way to backup data.
+The data deduplication technique used makes Borg suitable for daily backups
+since only changes are stored. The authenticated encryption technique makes it
+suitable for backups to not fully trusted targets.
diff --git a/archivers/py-borgbackup125/pkg-message b/archivers/py-borgbackup125/pkg-message
new file mode 100644
index 000000000000..8fcc0ba5f821
--- /dev/null
+++ b/archivers/py-borgbackup125/pkg-message
@@ -0,0 +1,28 @@
+[
+{ type: install
+  message: <<EOM
+In order to mount locally a remote archive or an entire repository as a FUSE
+filesystem, it is required to load fusefs module:
+
+# kldload fusefs
+
+To load the module at boot time, add
+
+fusefs_load="YES"
+
+to /boot/loader.conf by running:
+
+sysrc fusefs_load="YES"
+
+Also, if you plan to mount borg repositories as non root user, you need to run
+
+# sysctl vfs.usermount=1
+
+and add the line
+
+vfs.usermount=1
+
+to /etc/sysctl.conf to ensure the setting is loaded at boot time.
+EOM
+}
+]
diff --git a/archivers/py-borgbackup125/pkg-plist b/archivers/py-borgbackup125/pkg-plist
new file mode 100644
index 000000000000..8582338afb36
--- /dev/null
+++ b/archivers/py-borgbackup125/pkg-plist
@@ -0,0 +1,35 @@
+share/man/man1/borg-benchmark-crud.1.gz
+share/man/man1/borg-benchmark.1.gz
+share/man/man1/borg-break-lock.1.gz
+share/man/man1/borg-change-passphrase.1.gz
+share/man/man1/borg-check.1.gz
+share/man/man1/borg-common.1.gz
+share/man/man1/borg-compact.1.gz
+share/man/man1/borg-compression.1.gz
+share/man/man1/borg-config.1.gz
+share/man/man1/borg-create.1.gz
+share/man/man1/borg-delete.1.gz
+share/man/man1/borg-diff.1.gz
+share/man/man1/borg-export-tar.1.gz
+share/man/man1/borg-extract.1.gz
+share/man/man1/borg-import-tar.1.gz
+share/man/man1/borg-info.1.gz
+share/man/man1/borg-init.1.gz
+share/man/man1/borg-key-change-passphrase.1.gz
+share/man/man1/borg-key-export.1.gz
+share/man/man1/borg-key-import.1.gz
+share/man/man1/borg-key-migrate-to-repokey.1.gz
+share/man/man1/borg-key.1.gz
+share/man/man1/borg-list.1.gz
+share/man/man1/borg-mount.1.gz
+share/man/man1/borg-patterns.1.gz
+share/man/man1/borg-placeholders.1.gz
+share/man/man1/borg-prune.1.gz
+share/man/man1/borg-recreate.1.gz
+share/man/man1/borg-rename.1.gz
+share/man/man1/borg-serve.1.gz
+share/man/man1/borg-umount.1.gz
+share/man/man1/borg-upgrade.1.gz
+share/man/man1/borg-with-lock.1.gz
+share/man/man1/borg.1.gz
+share/man/man1/borgfs.1.gz
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 96fb30337271..902e6a2dbd4b 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,38 @@
+  <vuln vid="b8a52e5a-483d-11ee-971d-3df00e0f9020">
+    <topic>Borg (Backup) -- flaw in cryptographic authentication scheme in Borg allowed an attacker to fake archives and indirectly cause backup data loss.</topic>
+    <affects>
+      <package>
+	<name>py37-borgbackup</name>
+	<name>py38-borgbackup</name>
+	<name>py39-borgbackup</name>
+	<name>py310-borgbackup</name>
+	<name>py311-borgbackup</name>
+	<name>py312-borgbackup</name>
+	<range><lt>1.2.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Thomas Waldmann reports:</p>
+	<blockquote cite="https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811">
+	  <p>A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.</p>
+	  <p>The attack requires an attacker to be able to</p>
+	  <ul><li>insert files (with no additional headers) into backups</li>
+	    <li>gain write access to the repository</li></ul>
+	  <p>This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives.  Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-36811</cvename>
+      <url>https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811</url>
+    </references>
+    <dates>
+      <discovery>2023-06-13</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="970dcbe0-a947-41a4-abe9-7aaba87f41fe">
     <topic>electron25 -- multiple vulnerabilities</topic>
     <affects>
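Review bot: The `<topic>` is a full sentence that repeats the first paragraph of the quoted description, whereas neighbouring entries use the short `package -- summary` form (see `electron25 -- multiple vulnerabilities` right below); `borgbackup -- archive spoofing can lead to backup data loss` would match the file's style and the commit title. The description quotes the attack preconditions and impact but gives no hint about what an operator must do after updating; if the linked upstream changes entry prescribes steps for existing repositories beyond installing 1.2.5, a sentence pointing readers to that section for the required follow-up would keep them from assuming the package update alone is sufficient.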