fix CVE-2021-44716 and CVE-2021-43813

011-CVE-2021-43813.patch

@@ -0,0 +1,52 @@
+commit ea77415cfe2cefe46ffce233076a1409abaa8df7
+Author: Will Browne <wbrowne@users.noreply.github.com>
+Date:   Fri Dec 10 11:29:12 2021 +0000
+
+    apply fix (#42969)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e7..c7199c716e 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
+-	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
++	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ 	exists, err := fs.Exists(path)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 	if !exists {
+-		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ 	}
+ 
+ 	exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
+ 	data, err := ioutil.ReadFile(path)
+ 	if err != nil {
+ 		return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	return data, nil
+ }
+ 
++func mdFilepath(mdFilename string) string {
++	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ 	var files []string

grafana.spec

@@ -30,7 +30,7 @@ end}
 
 Name:             grafana
 Version:          7.5.11
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -91,6 +91,8 @@ Patch9:           009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10:          010-fips.patch
 
+Patch11:          011-CVE-2021-43813.patch
+
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
 
@@ -492,6 +494,7 @@ rm -r plugins-bundled
 %if %{enable_fips_mode}
 %patch10 -p1
 %endif
+%patch11 -p1
 
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -720,6 +723,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
 
 
 %changelog
+* Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
+- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
+- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
+
 * Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
 - update to 7.5.11 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2021-39226