fix CVE-2021-44716 and CVE-2021-43813

This commit is contained in:
Andreas Gerstmayr 2021-12-16 16:01:01 +01:00
parent 497e262377
commit 9d18845fa6
2 changed files with 60 additions and 1 deletions

52
011-CVE-2021-43813.patch Normal file
View File

@ -0,0 +1,52 @@
commit ea77415cfe2cefe46ffce233076a1409abaa8df7
Author: Will Browne <wbrowne@users.noreply.github.com>
Date: Fri Dec 10 11:29:12 2021 +0000
apply fix (#42969)
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index e6370a29e7..c7199c716e 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
}
// nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
exists, err := fs.Exists(path)
if err != nil {
return nil, err
}
if !exists {
- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
}
exists, err = fs.Exists(path)
@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
}
// nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
data, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
return data, nil
}
+func mdFilepath(mdFilename string) string {
+ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
+
// gets plugin filenames that require verification for plugin signing
func collectPluginFilesWithin(rootDir string) ([]string, error) {
var files []string

View File

@ -30,7 +30,7 @@ end}
Name: grafana
Version: 7.5.11
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Metrics dashboard and graph editor
License: ASL 2.0
URL: https://grafana.org
@ -91,6 +91,8 @@ Patch9: 009-patch-unused-backend-crypto.patch
# if FIPS mode is enabled.
Patch10: 010-fips.patch
Patch11: 011-CVE-2021-43813.patch
# Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches}
@ -492,6 +494,7 @@ rm -r plugins-bundled
%if %{enable_fips_mode}
%patch10 -p1
%endif
%patch11 -p1
# Set up build subdirs and links
mkdir -p %{_builddir}/src/github.com/grafana
@ -720,6 +723,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
%changelog
* Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
* Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
- update to 7.5.11 tagged upstream community sources, see CHANGELOG
- resolve CVE-2021-39226