From 077561a443617c579dee6fabdf1c9473d8b0a7f1 Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr
Date: Wed, 19 Aug 2020 17:20:29 +0200
Subject: [PATCH] fix CVE-2020-13430

Resolves: #1850427
Fixes: CVE-2020-13430
---
 010-CVE-2020-13430.patch | 21 +++++++++++++++++++++
 grafana.spec | 6 +++++-
 make_grafana_webpack.sh | 3 +++
 sources | 2 +-
 4 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 010-CVE-2020-13430.patch

diff --git a/010-CVE-2020-13430.patch b/010-CVE-2020-13430.patch
new file mode 100644
index 0000000..d9c3597
--- /dev/null
+++ b/010-CVE-2020-13430.patch
@@ -0,0 +1,21 @@
+diff --git a/public/app/plugins/datasource/opentsdb/query_ctrl.ts b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+index 8569de2eb0..cbb1790625 100644
+--- a/public/app/plugins/datasource/opentsdb/query_ctrl.ts
++++ b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+@@ -2,6 +2,7 @@ import _ from 'lodash';
+ import kbn from 'app/core/utils/kbn';
+ import { QueryCtrl } from 'app/plugins/sdk';
+ import { auto } from 'angular';
++import { escapeHtml } from 'app/core/utils/text';
+ 
+ export class OpenTsQueryCtrl extends QueryCtrl {
+ static templateUrl = 'partials/query.editor.html';
+@@ -90,7 +91,7 @@ export class OpenTsQueryCtrl extends QueryCtrl {
+ 
+ getTextValues(metricFindResult: any) {
+ return _.map(metricFindResult, value => {
+- return value.text;
++ return escapeHtml(value.text);
+ });
+ }
+ 
diff --git a/grafana.spec b/grafana.spec
index fa38f0f..c0c362d 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -24,7 +24,7 @@ end}
 
 Name: grafana
 Version: 6.7.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
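Review bot: Escaping inside `getTextValues` is lossy for legitimate names: a metric or tag name that contains `&`, `<`, `>`, `"` or `'` is now displayed encoded and, if the typeahead hands the picked suggestion back into the query, is sent to OpenTSDB as e.g. `&amp;` and no longer matches; the consumer of these values is not in this hunk, so it is worth confirming whether escaping in its render path would be the less lossy place. If the data-layer escape is kept on purpose, say why next to it, e.g. `// Escape here: suggestions are rendered as HTML by the typeahead, so an OpenTSDB-supplied name must not carry markup (names containing &<>"' display encoded).` `metricFindResult: any` could become `Array<{ text: string }>` so the input `escapeHtml` receives is documented; whether `escapeHtml` tolerates an undefined `text` cannot be seen here. `OpenTsQueryCtrl` starts and ends outside this hunk.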
@@ -58,6 +58,7 @@ Patch6: 006-pkg-setting-ini-default-section.patch
 Patch7: 007-pkg-prometheus-client-query-range.patch
 Patch8: 008-pkg-services-notifications-codes-Unknwon.patch
 Patch9: 009-pkg-fix-xorm-import.patch
+Patch10: 010-CVE-2020-13430.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
@@ -631,6 +632,9 @@ export GO111MODULE=off
 
 
 %changelog
+* Wed Aug 19 2020 Andreas Gerstmayr 6.7.4-2
+- security fix for CVE-2020-13430
+
 * Fri Jun 05 2020 Andreas Gerstmayr 6.7.4-1
 - update to 6.7.4 tagged upstream community sources, see CHANGELOG
 - security fix for CVE-2020-13379
diff --git a/make_grafana_webpack.sh b/make_grafana_webpack.sh
index 7baf487..6f95c3d 100755
--- a/make_grafana_webpack.sh
+++ b/make_grafana_webpack.sh
@@ -26,6 +26,9 @@ git clone https://github.com/grafana/grafana grafana-$VER
 cd grafana-$VER
 git checkout -b v$VER v$VER
 
+# applying webpack patches
+patch -p1 < ../010-CVE-2020-13430.patch
+
 # exclude the phantomjs-prebuilt binary module from the webpack
 sed -i '/phantomjs-prebuilt/d' package.json
 
diff --git a/sources b/sources
index b8dbdff..2baa9e1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 b9331a128ccb918cb3b9f8c5180eea93 grafana-6.7.4.tar.gz
-5bdff3edbc6d875600b9c61fb5055f07 grafana_webpack-6.7.4.tar.gz
+91f7f66148b5e4c24890c47b85f223e3 grafana_webpack-6.7.4.tar.gz
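Review bot: `Patch10: 010-CVE-2020-13430.patch` says nothing about where the patch is applied, and the `%prep` section that would apply it is outside this diff; if it is meant to be applied only by `make_grafana_webpack.sh` when the prebuilt webpack tarball is regenerated, the grafana-6.7.4.tar.gz tree unpacked in the SRPM stays unpatched, which is acceptable for a frontend-only fix but should be recorded so nobody later assumes a `%patch10` line is missing. A comment above the line would make this auditable, e.g. `# frontend-only fix, applied by make_grafana_webpack.sh when building the webpack tarball` (adjust if %prep does apply it), ideally naming the upstream Grafana commit the patch was taken from.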
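Review bot: `patch -p1 < ../010-CVE-2020-13430.patch` never checks that the patch applied, and whether the script runs under `set -e` is not visible in this hunk; if a hunk is rejected (for instance once `VER` is bumped to a release that already contains the fix) the script carries on and produces a webpack tarball without the CVE fix, with nothing but a scrolled-past message to show for it. Making failure fatal is one line: `patch -p1 < ../010-CVE-2020-13430.patch || { echo "010-CVE-2020-13430.patch failed to apply" >&2; exit 1; }`. The comment `# applying webpack patches` would also be more useful if it named what is patched and why, e.g. `# CVE-2020-13430: escape OpenTSDB metric suggestions; frontend-only, so it must go in before the webpack is built`.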