rpms
/
grafana
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import grafana-7.5.11-2.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:00:15 -04:00 committed by Stepan Oksanichenko
parent effcd9ecc5
commit 5b04329bc2
7 changed files with 137 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/grafana-7.5.9.tar.gz
SOURCES/grafana-vendor-7.5.9-2.tar.xz
SOURCES/grafana-webpack-7.5.9-2.tar.gz
SOURCES/grafana-7.5.11.tar.gz
SOURCES/grafana-vendor-7.5.11-1.tar.xz
SOURCES/grafana-webpack-7.5.11-1.tar.gz

6
.grafana.metadata
View File

@ -1,3 +1,3 @@
e658bc3706a71a2a77f34755ac362fd506d7b1a0 SOURCES/grafana-7.5.9.tar.gz
8fc46c12ac1bae0f2e0434e8fdf71e61e922c74a SOURCES/grafana-vendor-7.5.9-2.tar.xz
28052475c9cb45ac6523479ab9fd3da4ba678400 SOURCES/grafana-webpack-7.5.9-2.tar.gz
cd7bfb63dd91361c1bc9c46d1f889b1f54f7758a SOURCES/grafana-7.5.11.tar.gz
d55ac0b3a8fb3a0ce772442923e2ca3cba1af78f SOURCES/grafana-vendor-7.5.11-1.tar.xz
db79c330e9a56dac2cdcae9b7c07c86112a66237 SOURCES/grafana-webpack-7.5.11-1.tar.gz

4
SOURCES/002-manpages.patch
View File

@ -4,7 +4,7 @@ index 0000000000..7ac2af882c
--- /dev/null
+++ b/docs/man/man1/grafana-cli.1
@@ -0,0 +1,60 @@
+.TH GRAFANA "1" "June 2021" "Grafana cli version 7.5.9" "User Commands"
+.TH GRAFANA "1" "October 2021" "Grafana cli version 7.5.11" "User Commands"
+.SH NAME
+grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
+.SH DESCRIPTION
@ -70,7 +70,7 @@ index 0000000000..c616268b31
--- /dev/null
+++ b/docs/man/man1/grafana-server.1
@@ -0,0 +1,72 @@
+.TH VERSION "1" "June 2021" "Version 7.5.9" "User Commands"
+.TH VERSION "1" "October 2021" "Version 7.5.11" "User Commands"
+.SH NAME
+grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
+.SH DESCRIPTION

55
SOURCES/011-CVE-2021-39226.patch
View File

@ -1,55 +0,0 @@
diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
index 4f7a4b8d09..b500639d15 100644
--- a/pkg/api/dashboard_snapshot.go
+++ b/pkg/api/dashboard_snapshot.go
@@ -144,6 +144,9 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
// GET /api/snapshots/:key
func GetDashboardSnapshot(c *models.ReqContext) response.Response {
key := c.Params(":key")
+ if len(key) == 0 {
+ return response.Error(404, "Snapshot not found", nil)
+ }
query := &models.GetDashboardSnapshotQuery{Key: key}
err := bus.Dispatch(query)
@@ -210,6 +213,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
// GET /api/snapshots-delete/:deleteKey
func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response {
key := c.Params(":deleteKey")
+ if len(key) == 0 {
+ return response.Error(404, "Snapshot not found", nil)
+ }
query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
@@ -240,6 +246,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response
// DELETE /api/snapshots/:key
func DeleteDashboardSnapshot(c *models.ReqContext) response.Response {
key := c.Params(":key")
+ if len(key) == 0 {
+ return response.Error(404, "Snapshot not found", nil)
+ }
query := &models.GetDashboardSnapshotQuery{Key: key}
diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
index df593d669a..46cb0c160f 100644
--- a/vendor/gopkg.in/macaron.v1/router.go
+++ b/vendor/gopkg.in/macaron.v1/router.go
@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
if t, ok := r.routers[req.Method]; ok {
// Fast match for static routes
- leaf := r.getLeaf(req.Method, req.URL.Path)
- if leaf != nil {
- leaf.handle(rw, req, nil)
- return
+ if !strings.ContainsAny(req.URL.Path, ":*") {
+ leaf := r.getLeaf(req.Method, req.URL.Path)
+ if leaf != nil {
+ leaf.handle(rw, req, nil)
+ return
+ }
}
h, p, ok := t.Match(req.URL.EscapedPath())

52
SOURCES/011-CVE-2021-43813.patch Normal file
View File

@ -0,0 +1,52 @@
commit ea77415cfe2cefe46ffce233076a1409abaa8df7
Author: Will Browne <wbrowne@users.noreply.github.com>
Date: Fri Dec 10 11:29:12 2021 +0000
apply fix (#42969)
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index e6370a29e7..c7199c716e 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
}
// nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
exists, err := fs.Exists(path)
if err != nil {
return nil, err
}
if !exists {
- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
}
exists, err = fs.Exists(path)
@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
}
// nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
data, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
return data, nil
}
+func mdFilepath(mdFilename string) string {
+ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
+
// gets plugin filenames that require verification for plugin signing
func collectPluginFilesWithin(rootDir string) ([]string, error) {
var files []string

84
SOURCES/Makefile
View File

@ -1,19 +1,24 @@
ifndef VER
$(error VER is undefined)
endif
ifndef REL
$(error REL is undefined)
endif
VERSION := $(shell rpm --specfile *.spec --qf '%{VERSION}\n' | head -1)
RELEASE := $(shell rpm --specfile *.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1)
NAME := grafana
RPM_NAME := $(NAME)
SOURCE_DIR := $(NAME)-$(VER)
SOURCE_TAR := $(NAME)-$(VER).tar.gz
VENDOR_TAR := $(RPM_NAME)-vendor-$(VER)-$(REL).tar.xz
WEBPACK_TAR := $(RPM_NAME)-webpack-$(VER)-$(REL).tar.gz
SOURCE_DIR := $(NAME)-$(VERSION)
SOURCE_TAR := $(NAME)-$(VERSION).tar.gz
VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz
WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
# patches which must be applied before creating the vendor tarball, for example:
# - changes in dependency versions
# - changes in Go module imports (which affect the vendored Go modules)
PATCHES_PRE_VENDOR := \
005-remove-unused-dependencies.patch \
008-remove-unused-frontend-crypto.patch
# patches which must be applied before creating the webpack, for example:
# - changes in Node.js sources or vendored dependencies
PATCHES_PRE_WEBPACK :=
ALL_PATCHES := $(wildcard *.patch)
PATCHES_TO_APPLY := $(filter-out 009-patch-unused-backend-crypto.patch 010-fips.patch,$(ALL_PATCHES))
all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
@ -21,43 +26,52 @@ $(SOURCE_TAR):
spectool -g $(RPM_NAME).spec
$(VENDOR_TAR): $(SOURCE_TAR)
rm -rf grafana-$(VER)
tar xfz grafana-$(VER).tar.gz
# start with a clean state
rm -rf $(SOURCE_DIR)
tar xf $(SOURCE_TAR)
# patches can affect Go or Node.js dependencies, or the webpack
for patch in $(PATCHES_TO_APPLY); do patch -d grafana-$(VER) -p1 --fuzz=0 < $$patch; done
# Patches to apply before vendoring
for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
# Go
cd grafana-$(VER) && go mod vendor -v
cd $(SOURCE_DIR) && go mod vendor -v
# Remove unused crypto
rm grafana-$(VER)/vendor/golang.org/x/crypto/cast5/cast5.go
rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/ed25519.go
rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' grafana-$(VER)/go.mod | \
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/cast5/cast5.go
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/ed25519.go
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' $(SOURCE_DIR)/go.mod | \
sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > $@.manifest
# Node.js
cd grafana-$(VER) && yarn install --pure-lockfile
cd $(SOURCE_DIR) && yarn install --pure-lockfile
# Remove files with licensing issues
find grafana-$(VER) -type d -name 'node-notifier' -prune -exec rm -r {} \;
find grafana-$(VER) -type d -name 'property-information' -prune -exec rm -r {} \;
find grafana-$(VER) -type f -name '*.exe' -delete
rm -r grafana-$(VER)/node_modules/visjs-network/examples
./list_bundled_nodejs_packages.py grafana-$(VER)/ >> $@.manifest
find $(SOURCE_DIR) -type d -name 'node-notifier' -prune -exec rm -r {} \;
find $(SOURCE_DIR) -type d -name 'property-information' -prune -exec rm -r {} \;
find $(SOURCE_DIR) -type f -name '*.exe' -delete
rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples
./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest
# Create tarball
XZ_OPT=-9 tar cfJ $@ \
grafana-$(VER)/vendor \
$$(find grafana-$(VER) -type d -name "node_modules" -prune)
XZ_OPT=-9 time -p tar cJf $@ \
$(SOURCE_DIR)/vendor \
$$(find $(SOURCE_DIR) -type d -name "node_modules" -prune)
$(WEBPACK_TAR): $(VENDOR_TAR)
cd grafana-$(VER) && \
# start with a clean state
rm -rf $(SOURCE_DIR)
tar xf $(SOURCE_TAR)
tar xf $(VENDOR_TAR)
# Patches to apply before creating the webpack
for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
cd $(SOURCE_DIR) && \
../build_frontend.sh
tar cfz $@ grafana-$(VER)/public/build grafana-$(VER)/public/views grafana-$(VER)/plugins-bundled
tar cfz $@ $(SOURCE_DIR)/public/build $(SOURCE_DIR)/public/views $(SOURCE_DIR)/plugins-bundled
clean:
rm -rf *.tar.gz *.tar.xz *.manifest *.rpm $(NAME)-*/

38
SPECS/grafana.spec
View File

@ -1,3 +1,13 @@
# gobuild and gotest macros are not available on CentOS Stream
# remove once BZ 1965292 is resolved
# definitions lifted from Fedora 34 podman.spec
%if ! 0%{?gobuild:1}
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
%endif
%if ! 0%{?gotest:1}
%define gotest() GO111MODULE=off go test -buildmode pie -compiler gc -ldflags "${LDFLAGS:-} -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" %{?**};
%endif
%global grafana_arches %{lua: go_arches = {}
for arch in rpm.expand("%{go_arches}"):gmatch("%S+") do
go_arches[arch] = 1
@ -19,8 +29,8 @@ end}
%endif
Name: grafana
Version: 7.5.9
Release: 5%{?dist}
Version: 7.5.11
Release: 2%{?dist}
Summary: Metrics dashboard and graph editor
License: ASL 2.0
URL: https://grafana.org
@ -30,14 +40,14 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name}
# Source1 contains the bundled Go and Node.js dependencies
# Note: In case there were no changes to this tarball, the NVR of this tarball
# lags behind the NVR of the Grafana package.
Source1: grafana-vendor-%{version}-2.tar.xz
# lags behind the NVR of this package.
Source1: grafana-vendor-%{version}-1.tar.xz
%if %{compile_frontend} == 0
# Source2 contains the precompiled frontend
# Note: In case there were no changes to this tarball, the NVR of this tarball
# lags behind the NVR of the Grafana package.
Source2: grafana-webpack-%{version}-2.tar.gz
# lags behind the NVR of this package.
Source2: grafana-webpack-%{version}-1.tar.gz
%endif
# Source3 contains Grafana configuration defaults for distributions
@ -81,8 +91,7 @@ Patch9: 009-patch-unused-backend-crypto.patch
# if FIPS mode is enabled.
Patch10: 010-fips.patch
# Patch for CVE-2021-39226
Patch11: 011-CVE-2021-39226.patch
Patch11: 011-CVE-2021-43813.patch
# Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches}
@ -610,6 +619,10 @@ export GOPATH=%{_builddir}
# let's set the time zone to a time zone without daylight saving time
export TZ=GMT
# GO111MODULE=on automatically skips vendored macaron sources in pkg/macaron
# GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path
rm -r pkg/macaron
%gotest ./pkg/...
%if %{enable_fips_mode}
@ -661,12 +674,17 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
%changelog
* Tue Dec 21 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-5
* Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
* Wed Oct 06 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-4
* Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
- update to 7.5.11 tagged upstream community sources, see CHANGELOG
- resolve CVE-2021-39226
* Thu Sep 30 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.10-1
- update to 7.5.10 tagged upstream community sources, see CHANGELOG
* Mon Aug 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-3
- rebuild to resolve CVE-2021-34558