import grafana-6.3.6-2.el8_2

2020-06-22 02:51:42 -04:00 · 2020-06-22 02:51:42 -04:00 · 1a1a0cb69f
commit 1a1a0cb69f
parent e2f674e9e5
2 changed files with 48 additions and 2 deletions
--- a/SOURCES/006-CVE-2020-13379.patch
+++ b/SOURCES/006-CVE-2020-13379.patch
@ -0,0 +1,39 @@
+diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
+--- a/pkg/api/avatar/avatar.go
+++ b/pkg/api/avatar/avatar.go
+@@ -17,14 +17,15 @@ import (
+ 	"net/http"
+ 	"net/url"
+ 	"path/filepath"
+	"regexp"
+ 	"strconv"
+ 	"strings"
+ 	"sync"
+ 	"time"
+ 
+ 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/models"
+ 	"github.com/grafana/grafana/pkg/setting"
+-	"gopkg.in/macaron.v1"
+ 
+ 	gocache "github.com/patrickmn/go-cache"
+ )
+@@ -97,9 +98,15 @@ type CacheServer struct {
+ 	cache    *gocache.Cache
+ }
+ 
+-func (this *CacheServer) Handler(ctx *macaron.Context) {
+-	urlPath := ctx.Req.URL.Path
+-	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
+var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
+
+func (this *CacheServer) Handler(ctx *models.ReqContext) {
+	hash := ctx.Params("hash")
+
+	if len(hash) != 32 || !validMD5.MatchString(hash) {
+		ctx.JsonApiErr(404, "Avatar not found", nil)
+		return
+	}
+ 
+ 	var avatar *Avatar
+ 
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -22,7 +22,7 @@ end}

 Name:             grafana
 Version:          6.3.6
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@ -43,6 +43,9 @@ Patch3:           003-new-files.patch
 Patch4:           004-xerrors.patch
 Patch5:           005-mute-shellcheck-grafana-cli.patch

+# Patch for CVE-2020-13379
+Patch6:           006-CVE-2020-13379.patch
+
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}

@ -409,6 +412,7 @@ The Grafana stackdriver datasource.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1

 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@ -440,13 +444,13 @@ cd %{_builddir}/src/github.com/grafana/grafana
 echo _builddir=%{_builddir} archbindir=%{archbindir}
 [ ! -d %{archbindir} ] && mkdir -p %{archbindir}
 export GOPATH=%{_builddir}:%{gopath}
-# export GO111MODULE=off
 %if 0%{?fedora} >= 31
 # native fedora golang build but without modules (no grafana support yet)
 go build -mod=vendor -o %{archbindir}/grafana-cli ./pkg/cmd/grafana-cli
 go build -mod=vendor -o %{archbindir}/grafana-server ./pkg/cmd/grafana-server
 %else
 # use the grafana build.go script.
+export GO111MODULE=off
 go run build.go build
 %endif

@ -633,6 +637,9 @@ go test ./pkg/...


 %changelog
+* Wed Jun 17 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.3.6-2
+- fix CVE-2020-13379
+
 * Wed Nov 20 2019 Mark Goodwin <mgoodwin@redhat.com> 6.3.6-1
 - add weak depenency on grafana-pcp
 - add patch to mute shellcheck SC1090 for grafana-cli