From 0ee7429587298d987cde5406df203320de227083 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 12 Jul 2023 15:39:48 +0300
Subject: [PATCH] - Fix CVE-2023-3128(Patch was taken from grafana github
 sources and backported for 9.0.9)

---
 SOURCES/0011-fix-alert-test.patch | 19 ++++++++++
 SOURCES/0012-CVE-2023-3128.patch  | 63 +++++++++++++++++++++++++++++++
 SPECS/grafana.spec                | 13 ++++++-
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0011-fix-alert-test.patch
 create mode 100644 SOURCES/0012-CVE-2023-3128.patch

diff --git a/SOURCES/0011-fix-alert-test.patch b/SOURCES/0011-fix-alert-test.patch
new file mode 100644
index 0000000..71039d1
--- /dev/null
+++ b/SOURCES/0011-fix-alert-test.patch
@@ -0,0 +1,19 @@
+From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001
+From: Stan Cox <scox@redhat.com>
+Date: Wed, 22 Jun 2022 17:05:48 +0200
+Subject: [PATCH] fix alert test
+
+
+diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go
+index 2d6e1235b6..f0eff6d2ac 100644
+--- a/pkg/tests/api/alerting/api_alertmanager_test.go	2023-01-24 14:44:19.000000000 -0500
++++ b/pkg/tests/api/alerting/api_alertmanager_test.go	2023-04-13 16:20:51.718515009 -0400
+@@ -210,7 +210,7 @@
+ 		{
+ 			"comment": "string",
+ 			"createdBy": "string",
+-			"endsAt": "2023-03-31T14:17:04.419Z",
++			"endsAt": "2032-03-31T14:17:04.419Z",
+ 			"matchers": [
+ 			  {
+ 				"isRegex": true,
diff --git a/SOURCES/0012-CVE-2023-3128.patch b/SOURCES/0012-CVE-2023-3128.patch
new file mode 100644
index 0000000..baf0514
--- /dev/null
+++ b/SOURCES/0012-CVE-2023-3128.patch
@@ -0,0 +1,63 @@
+From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001
+From: eabdullin <ed.abdullin.1@gmail.com>
+Date: Wed, 12 Jul 2023 15:31:00 +0300
+Subject: [PATCH] CVE-2023-3128
+
+---
+ pkg/api/login_oauth.go | 17 +++++++++--------
+ pkg/setting/setting.go |  5 ++++-
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
+index b422baf..f124252 100644
+--- a/pkg/api/login_oauth.go
++++ b/pkg/api/login_oauth.go
+@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(
+ 	connect social.SocialConnector,
+ ) (*models.User, error) {
+ 	oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
++	lookupParams := models.UserLookupParams{}
++	if hs.Cfg.OAuthAllowInsecureEmailLookup {
++		lookupParams.Email = &extUser.Email
++	}
++
+ 	// add/update user in Grafana
+ 	cmd := &models.UpsertUserCommand{
+-		ReqContext:    ctx,
+-		ExternalUser:  extUser,
+-		SignupAllowed: connect.IsSignupAllowed(),
+-		UserLookupParams: models.UserLookupParams{
+-			Email:  &extUser.Email,
+-			UserID: nil,
+-			Login:  nil,
+-		},
++		ReqContext:       ctx,
++		ExternalUser:     extUser,
++		SignupAllowed:    connect.IsSignupAllowed(),
++		UserLookupParams: lookupParams,
+ 	}
+ 
+ 	if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
+diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
+index ba2c4bb..6b5c948 100644
+--- a/pkg/setting/setting.go
++++ b/pkg/setting/setting.go
+@@ -312,7 +312,8 @@ type Cfg struct {
+ 	AuthProxySyncTTL          int
+ 
+ 	// OAuth
+-	OAuthCookieMaxAge int
++	OAuthCookieMaxAge             int
++	OAuthAllowInsecureEmailLookup bool
+ 
+ 	// JWT Auth
+ 	JWTAuthEnabled       bool
+@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
+ 		return err
+ 	}
+ 
++	cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
++
+ 	const defaultMaxLifetime = "30d"
+ 	maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
+ 	cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 4ebe726..41ddb7a 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -23,7 +23,7 @@ end}
 
 Name:             grafana
 Version:          9.0.9
-Release:          2%{?dist}
+Release:          3%{?dist}.alma
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@@ -71,6 +71,12 @@ Patch7:           0007-skip-marketplace-plugin-install-test.patch
 Patch8:           0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
 Patch9:           0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
 Patch10:	  0010-v9.0.x-Login-email-before-username-57406.patch
+# https://gitlab.com/redhat/centos-stream/rpms/grafana/-/blob/3731c12a8956d50514a58d9aa2f2d330d4ee32b6/0007-fix-alert-test.patch
+Patch11:    0011-fix-alert-test.patch
+# Patch was taken from grafana github sources and backported for 9.0.9
+# git diff v9.2.19 v9.2.20 -- pkg/
+Patch12:    0012-CVE-2023-3128.patch
+
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -708,6 +714,8 @@ rm -r plugins-bundled
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 %patch1001 -p1
 %if %{enable_fips_mode}
@@ -899,6 +907,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 
 
 %changelog
+* Wed Jul 12 2023 Eduard Abdullin <eabdullin@almalinux.org> 9.0.9-3
+- Fix CVE-2023-3128(Patch was taken from grafana github sources and backported for 9.0.9)
+
 * Tue Nov 01 2022 Stan Cox <scox@redhat.com> 9.0.9-2
 - resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
 - resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws