Resolves: RHEL-24301

Resolves: RHEL-30704 fix: CVE-2024-1313
2024-04-16 10:18:39 -04:00 · 2024-04-16 10:18:39 -04:00 · 7bf826e0d7
commit 7bf826e0d7
parent 41cdce4e9e
2 changed files with 29 additions and 1 deletions
--- a/0013-snapshot-delete-check-org.patch
+++ b/0013-snapshot-delete-check-org.patch
@ -0,0 +1,21 @@
+From 9c1236ba6e7d4c6506c62adeb830d9e56db7f425 Mon Sep 17 00:00:00 2001
+From: Sam Feifer <sfeifer@redhat.com>
+Date: Thu, 28 Mar 2024 13:24:35 -0400
+Subject: [PATCH] snapshot delete check org
+
+
+diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
+index 47ae50544a..0007e89ccb 100644
+--- a/pkg/api/dashboard_snapshot.go
+++ b/pkg/api/dashboard_snapshot.go
+@@ -328,6 +328,10 @@ func (hs *HTTPServer) DeleteDashboardSnapshot(c *models.ReqContext) response.Res
+ 		return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)
+ 	}
+ 
+	if query.Result.OrgId != c.OrgID {
+		return response.Error(http.StatusUnauthorized, "OrgID mismatch", nil)
+	}
+
+ 	if query.Result.External {
+ 		err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl)
+ 		if err != nil {
--- a/grafana.spec
+++ b/grafana.spec
@ -35,7 +35,7 @@ end}

 Name:             grafana
 Version:          9.2.10
-Release:          15%{?dist}
+Release:          16%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@ -87,6 +87,7 @@ Patch8:           0008-graphite-functions-xss.patch
 Patch10:          0010-skip-tests.patch
 Patch11:          0011-remove-email-lookup.patch
 Patch12:          0012-coredump-selinux-error.patch
+Patch13:          0013-snapshot-delete-check-org.patch

 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -773,6 +774,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1

 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -1019,6 +1021,11 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Fri Apr 5 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-16
+- Check OrdID is correct before deleting snapshot
+- fix CVE-2024-1313
+- fix CVE-2024-1394
+
 * Wed Jan 31 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-15
 - Resolves RHEL-23466
 - Resolves RHEL-21027