import grafana-7.3.6-3.el8_4

SOURCES/007-CVE-2021-39226.patch

@@ -0,0 +1,55 @@
+diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
+index d657b98809..a59865cc22 100644
+--- a/pkg/api/dashboard_snapshot.go
++++ b/pkg/api/dashboard_snapshot.go
+@@ -138,6 +138,9 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
+ // GET /api/snapshots/:key
+ func GetDashboardSnapshot(c *models.ReqContext) Response {
+ 	key := c.Params(":key")
++	if len(key) == 0 {
++		return Error(404, "Snapshot not found", nil)
++	}
+ 	query := &models.GetDashboardSnapshotQuery{Key: key}
+ 
+ 	err := bus.Dispatch(query)
+@@ -202,6 +205,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
+ // GET /api/snapshots-delete/:deleteKey
+ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
+ 	key := c.Params(":deleteKey")
++	if len(key) == 0 {
++		return Error(404, "Snapshot not found", nil)
++	}
+ 
+ 	query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
+ 
+@@ -229,6 +235,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
+ // DELETE /api/snapshots/:key
+ func DeleteDashboardSnapshot(c *models.ReqContext) Response {
+ 	key := c.Params(":key")
++	if len(key) == 0 {
++		return Error(404, "Snapshot not found", nil)
++	}
+ 
+ 	query := &models.GetDashboardSnapshotQuery{Key: key}
+ 
+diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
+index df593d669a..46cb0c160f 100644
+--- a/vendor/gopkg.in/macaron.v1/router.go
++++ b/vendor/gopkg.in/macaron.v1/router.go
+@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
+ func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ 	if t, ok := r.routers[req.Method]; ok {
+ 		// Fast match for static routes
+-		leaf := r.getLeaf(req.Method, req.URL.Path)
+-		if leaf != nil {
+-			leaf.handle(rw, req, nil)
+-			return
++		if !strings.ContainsAny(req.URL.Path, ":*") {
++			leaf := r.getLeaf(req.Method, req.URL.Path)
++			if leaf != nil {
++				leaf.handle(rw, req, nil)
++				return
++			}
+ 		}
+ 
+ 		h, p, ok := t.Match(req.URL.EscapedPath())

SOURCES/008-CVE-2021-27358.patch

@@ -0,0 +1,17 @@
+diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
+index c44d7dd9a7..4989ea0e1c 100644
+--- a/pkg/middleware/auth.go
++++ b/pkg/middleware/auth.go
+@@ -141,9 +141,9 @@ func SnapshotPublicModeOrSignedIn() macaron.Handler {
+ 			return
+ 		}
+ 
+-		_, err := c.Invoke(ReqSignedIn)
+-		if err != nil {
+-			c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
++		if !c.IsSignedIn {
++			notAuthorized(c)
++			return
+ 		}
+ 	}
+ }

SPECS/grafana.spec

@@ -27,7 +27,7 @@ end}
 
 Name:             grafana
 Version:          7.3.6
-Release:          2%{?dist}
+Release:          3%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -71,6 +71,8 @@ Patch4:           004-skip-x86-goldenfiles-tests.patch
 
 Patch5:           005-pin-yarn-version.patch
 Patch6:           006-remove-saml-dependency.patch
+Patch7:           007-CVE-2021-39226.patch
+Patch8:           008-CVE-2021-27358.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@@ -452,6 +454,8 @@ rm -r plugins-bundled
 %endif
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -627,6 +631,10 @@ export TZ=GMT
 
 
 %changelog
+* Wed Oct 06 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.3.6-3
+- resolve CVE-2021-39226
+- resolve CVE-2021-27358
+
 * Fri Jan 22 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.3.6-2
 - change working dir to $GRAFANA_HOME in grafana-cli wrapper (fixes Red Hat BZ #1916083)
 - add pcp-redis-datasource to allow_loading_unsigned_plugins config option