fix CVE-2020-13430

Resolves: #1850427
Fixes: CVE-2020-13430
Andreas Gerstmayr 2020-08-19 17:20:29 +02:00
parent 171ce90ada
commit 077561a443
4 changed files with 30 additions and 2 deletions

21
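--- /dev/null
+++ b/010-CVE-2020-13430.patch
@@ -0,0 +1,21 @@
+diff --git a/public/app/plugins/datasource/opentsdb/query_ctrl.ts b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+index 8569de2eb0..cbb1790625 100644
+--- a/public/app/plugins/datasource/opentsdb/query_ctrl.ts
++++ b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+@@ -2,6 +2,7 @@ import _ from 'lodash';
+import kbn from 'app/core/utils/kbn';
+import { QueryCtrl } from 'app/plugins/sdk';
+import { auto } from 'angular';
++import { escapeHtml } from 'app/core/utils/text';
+export class OpenTsQueryCtrl extends QueryCtrl {
+static templateUrl = 'partials/query.editor.html';
+@@ -90,7 +91,7 @@ export class OpenTsQueryCtrl extends QueryCtrl {
+getTextValues(metricFindResult: any) {
+return _.map(metricFindResult, value => {
+- return value.text;
++ return escapeHtml(value.text);
+});
+}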
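Review bot: Escaping inside `getTextValues` encodes the data rather than the rendering sink, so every suggestion whose `text` contains `&`, `<`, `>` or a quote is now returned in its HTML-escaped form, and if a selected suggestion is written back into the query model the metric or tag name stored and sent to OpenTSDB would be the escaped string rather than the original. Whether the typeahead writes the value back, and whether the same helper also serves tag-key and tag-value suggestions, cannot be seen from this hunk; the rest of `OpenTsQueryCtrl` and its callers are outside it. The more robust shape is to keep this method returning raw text and escape where the suggestion is interpolated into HTML, or at least record the trade-off on the method: `// escapeHtml here is a data-layer guard (CVE-2020-13430): the typeahead renders suggestion text as HTML; the escaped value must not be reused as a query parameter.` Note also that `escapeHtml(value.text)` now runs for entries whose `text` is undefined, where the old code passed the value through unchanged; whether the helper tolerates a non-string input is not visible here.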


@ -24,7 +24,7 @@ end}
Name: grafana
Version: 6.7.4
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Metrics dashboard and graph editor
License: ASL 2.0
URL: https://grafana.org
@ -58,6 +58,7 @@ Patch6: 006-pkg-setting-ini-default-section.patch
Patch7: 007-pkg-prometheus-client-query-range.patch
Patch8: 008-pkg-services-notifications-codes-Unknwon.patch
Patch9: 009-pkg-fix-xorm-import.patch
Patch10: 010-CVE-2020-13430.patch
# Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches}
@ -631,6 +632,9 @@ export GO111MODULE=off
%changelog
* Wed Aug 19 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-2
- security fix for CVE-2020-13430
* Fri Jun 05 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-1
- update to 6.7.4 tagged upstream community sources, see CHANGELOG
- security fix for CVE-2020-13379


@ -26,6 +26,9 @@ git clone https://github.com/grafana/grafana grafana-$VER
cd grafana-$VER
git checkout -b v$VER v$VER
# applying webpack patches
patch -p1 < ../010-CVE-2020-13430.patch
# exclude the phantomjs-prebuilt binary module from the webpack
sed -i '/phantomjs-prebuilt/d' package.json
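Review bot: The added `patch -p1 < ../010-CVE-2020-13430.patch` has no error handling, so a rejected hunk (for example after the next upstream bump) leaves the script running and produces a webpack bundle without the fix, unless the script runs under `set -e`, which is not visible in this hunk. Because only the tarball checksum in the sources file records the outcome, such a failure would not be noticed at build time. Consider `patch -p1 --forward < ../010-CVE-2020-13430.patch || { echo 'applying 010-CVE-2020-13430.patch failed' >&2; exit 1; }` so the build stops instead of shipping unpatched assets.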


@ -1,2 +1,2 @@
b9331a128ccb918cb3b9f8c5180eea93 grafana-6.7.4.tar.gz
5bdff3edbc6d875600b9c61fb5055f07 grafana_webpack-6.7.4.tar.gz
91f7f66148b5e4c24890c47b85f223e3 grafana_webpack-6.7.4.tar.gz