Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715

Resolves: rhbz#2131192
Resolves: rhbz#2134475
Resolves: rhbz#2126766

0001-update-grafana-cli-script-with-distro-specific-paths.patch

@@ -1,4 +1,4 @@
-From 8ec3bc255d50a53ab206a59d9c0a5bd6560d12b1 Mon Sep 17 00:00:00 2001
+From 2ad9b1bd641eab2daae9c461656a56c8c2688485 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Wed, 22 Jun 2022 16:57:52 +0200
 Subject: [PATCH] update grafana-cli script with distro-specific paths and

0002-add-manpages.patch

@@ -1,4 +1,4 @@
-From 2af478556ea021b939381cdf69582cd045dd6c85 Mon Sep 17 00:00:00 2001
+From ecac3e25a416bd66b19bc3074f9583dfd965a919 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Wed, 22 Jun 2022 17:01:09 +0200
 Subject: [PATCH] add manpages
@@ -6,7 +6,7 @@ Subject: [PATCH] add manpages
 
 diff --git a/docs/man/man1/grafana-cli.1 b/docs/man/man1/grafana-cli.1
 new file mode 100644
-index 0000000000..2dc5073206
+index 0000000000..39c0d5cee0
 --- /dev/null
 +++ b/docs/man/man1/grafana-cli.1
 @@ -0,0 +1,63 @@
@@ -75,7 +75,7 @@ index 0000000000..2dc5073206
 +.BR http://docs.grafana.org/ .
 diff --git a/docs/man/man1/grafana-server.1 b/docs/man/man1/grafana-server.1
 new file mode 100644
-index 0000000000..7f33239ea4
+index 0000000000..683a2369cc
 --- /dev/null
 +++ b/docs/man/man1/grafana-server.1
 @@ -0,0 +1,80 @@

0003-update-default-configuration.patch

@@ -1,4 +1,4 @@
-From 1a5bc46ab64b80717ff9f17d194171db76a0507d Mon Sep 17 00:00:00 2001
+From a84194c2f7929bd78303daf04a56ab32cd9c4bb3 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Wed, 22 Jun 2022 17:05:48 +0200
 Subject: [PATCH] update default configuration

0004-remove-unused-backend-dependencies.patch

@@ -1,4 +1,4 @@
-From 9fa3bbb227b19b13b02fa7e24cb4331e4918cc06 Mon Sep 17 00:00:00 2001
+From 7139240c52b69fde8b893bf73fb6a4910d65f30b Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Wed, 22 Jun 2022 17:18:56 +0200
 Subject: [PATCH] remove unused backend dependencies

0005-remove-unused-frontend-crypto.patch

@@ -1,4 +1,4 @@
-From 8a665403e0dfad72eede05b6088a6851776a6489 Mon Sep 17 00:00:00 2001
+From 0ee0768a196ba12b860b4a0920f729d5ce50ea3e Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Wed, 22 Jun 2022 17:36:47 +0200
 Subject: [PATCH] remove unused frontend crypto

0006-notifications-use-HMAC-SHA256-to-generate-password-r.patch

@@ -1,4 +1,4 @@
-From ee7dfe8a877a5a20e38896c2115aeb236ca7d453 Mon Sep 17 00:00:00 2001
+From 5749f50533225b5d38fed1ed86b1c893cc0466b5 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Thu, 25 Nov 2021 18:49:52 +0100
 Subject: [PATCH] notifications: use HMAC-SHA256 to generate password reset

0007-skip-marketplace-plugin-install-test.patch

@@ -1,4 +1,4 @@
-From 547c09f8771dac1ee451aa1761af9d50697d3888 Mon Sep 17 00:00:00 2001
+From 03a5c7f452efb1dbf605bba8caf3e86e15888c25 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Thu, 23 Jun 2022 17:00:46 +0200
 Subject: [PATCH] skip marketplace plugin install test

0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch

@@ -1,4 +1,4 @@
-From 37aed65376760b8459f4588a15ba55fe43131a8b Mon Sep 17 00:00:00 2001
+From dc4e1c882d28db17064bd4fb788775a86ebfe066 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Mon, 27 Jun 2022 17:12:27 +0200
 Subject: [PATCH] Prometheus: Fix integer overflow in rate interval calculation

0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch

@@ -1,4 +1,4 @@
-From 9c3f27a440c515c3b8949c981a58666c7de3c8bc Mon Sep 17 00:00:00 2001
+From 09be2f6709e7d05a2f75756c5f58b0602b54af72 Mon Sep 17 00:00:00 2001
 From: Andreas Gerstmayr <agerstmayr@redhat.com>
 Date: Tue, 5 Jul 2022 17:04:13 +0200
 Subject: [PATCH] Prometheus: Fix integer overflow in rate interval calculation

0010-v9.0.x-Login-email-before-username-57406.patch

@@ -0,0 +1,100 @@
+From 74f3c59f7096b5c31d5c218310b20775eb111d0f Mon Sep 17 00:00:00 2001
+From: Karl Persson <kalle.persson@grafana.com>
+Date: Fri, 21 Oct 2022 14:15:21 +0200
+Subject: [PATCH] [v9.0.x] Login email before username (#57406)
+
+* Add test for username/login field conflict
+
+* Swap order of login fields
+
+Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
+
+diff --git a/pkg/services/sqlstore/user.go b/pkg/services/sqlstore/user.go
+index 9cd80da396..00e3ddc2df 100644
+--- a/pkg/services/sqlstore/user.go
++++ b/pkg/services/sqlstore/user.go
+@@ -170,20 +170,24 @@ func (ss *SQLStore) GetUserByLogin(ctx context.Context, query *models.GetUserByL
+ 			return models.ErrUserNotFound
+ 		}
+ 
+-		// Try and find the user by login first.
+-		// It's not sufficient to assume that a LoginOrEmail with an "@" is an email.
++		var has bool
++		var err error
+ 		user := &models.User{Login: query.LoginOrEmail}
+-		has, err := sess.Where(notServiceAccountFilter(ss)).Get(user)
+-
+-		if err != nil {
+-			return err
+-		}
+ 
+-		if !has && strings.Contains(query.LoginOrEmail, "@") {
+-			// If the user wasn't found, and it contains an "@" fallback to finding the
+-			// user by email.
++		// Since username can be an email address, attempt login with email address
++		// first if the login field has the "@" symbol.
++		if strings.Contains(query.LoginOrEmail, "@") {
+ 			user = &models.User{Email: query.LoginOrEmail}
+ 			has, err = sess.Get(user)
++
++			if err != nil {
++				return err
++			}
++		}
++
++		// Lookup the login field instead of email field
++		if !has {
++			has, err = sess.Where(notServiceAccountFilter(ss)).Get(user)
+ 		}
+ 
+ 		if err != nil {
+diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
+index d3803fa0c9..da23a7cca9 100644
+--- a/pkg/services/sqlstore/user_test.go
++++ b/pkg/services/sqlstore/user_test.go
+@@ -51,6 +51,45 @@ func TestIntegrationUserDataAccess(t *testing.T) {
+ 		require.False(t, query.Result.IsDisabled)
+ 	})
+ 
++	t.Run("Get User by login - user_2 uses user_1.email as login", func(t *testing.T) {
++		ss = InitTestDB(t)
++
++		// create user_1
++		cmd := models.CreateUserCommand{
++			Email:      "user_1@mail.com",
++			Name:       "user_1",
++			Login:      "user_1",
++			Password:   "user_1_password",
++			IsDisabled: true,
++		}
++		user_1, err := ss.CreateUser(context.Background(), cmd)
++		require.Nil(t, err)
++
++		// create user_2
++		cmd = models.CreateUserCommand{
++			Email:      "user_2@mail.com",
++			Name:       "user_2",
++			Login:      "user_1@mail.com",
++			Password:   "user_2_password",
++			IsDisabled: true,
++		}
++		user_2, err := ss.CreateUser(context.Background(), cmd)
++		require.Nil(t, err)
++
++		// query user database for user_1 email
++		query := models.GetUserByLoginQuery{LoginOrEmail: "user_1@mail.com"}
++		err = ss.GetUserByLogin(context.Background(), &query)
++		require.Nil(t, err)
++
++		// expect user_1 as result
++		require.Equal(t, user_1.Email, query.Result.Email)
++		require.Equal(t, user_1.Login, query.Result.Login)
++		require.Equal(t, user_1.Name, query.Result.Name)
++		require.NotEqual(t, user_2.Email, query.Result.Email)
++		require.NotEqual(t, user_2.Login, query.Result.Login)
++		require.NotEqual(t, user_2.Name, query.Result.Name)
++	})
++
+ 	t.Run("Testing DB - creates and loads disabled user", func(t *testing.T) {
+ 		ss = InitTestDB(t)
+ 		cmd := models.CreateUserCommand{

1002-vendor-use-pbkdf2-from-OpenSSL.patch

@@ -111,7 +111,7 @@ index 0000000000..6dfdf10424
 --- /dev/null
 +++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
 @@ -0,0 +1,5 @@
-+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h"
++#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h"
 +
 +DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
 +    (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),

grafana.spec

@@ -23,7 +23,7 @@ end}
 
 Name:             grafana
 Version:          9.0.9
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@@ -70,6 +70,7 @@ Patch7:           0007-skip-marketplace-plugin-install-test.patch
 # https://github.com/grafana/grafana/pull/51508
 Patch8:           0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
 Patch9:           0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
+Patch10:	  0010-v9.0.x-Login-email-before-username-57406.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -706,6 +707,7 @@ rm -r plugins-bundled
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 %patch1001 -p1
 %if %{enable_fips_mode}
@@ -724,6 +726,10 @@ rm -r plugins-bundled
 
 # Build the backend
 
+# required since RHEL 8.8 to fix the following error:
+# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
+# can be removed in a future Go release
+export GOEXPERIMENT=boringcrypto
 # see grafana-X.Y.Z/pkg/build/cmd.go
 export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
 for cmd in grafana-cli grafana-server; do
@@ -835,6 +841,10 @@ yarn run jest
 # let's set the time zone to a time zone without daylight saving time
 export TZ=GMT
 
+# required since RHEL 8.8 to fix the following error:
+# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
+# can be removed in a future Go release
+export GOEXPERIMENT=boringcrypto
 %gotest ./pkg/...
 
 %if %{enable_fips_mode}
@@ -889,6 +899,10 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 
 
 %changelog
+* Tue Nov 01 2022 Stan Cox <scox@redhat.com> 9.0.9-2
+- resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
+- resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
+
 * Wed Sep 21 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 9.0.9-1
 - update to 9.0.9 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2125530)