fix CVE-2021-44716 and CVE-2021-43813
This commit is contained in:
		
							parent
							
								
									497e262377
								
							
						
					
					
						commit
						9d18845fa6
					
				
							
								
								
									
										52
									
								
								011-CVE-2021-43813.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										52
									
								
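--- /dev/null
+++ b/011-CVE-2021-43813.patch
@@ -0,0 +1,52 @@
+commit ea77415cfe2cefe46ffce233076a1409abaa8df7
+Author: Will Browne <wbrowne@users.noreply.github.com>
+Date:   Fri Dec 10 11:29:12 2021 +0000
+
+    apply fix (#42969)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e7..c7199c716e 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
+-	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
++	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ 	exists, err := fs.Exists(path)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 	if !exists {
+-		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ 	}
+ 
+ 	exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
+ 	data, err := ioutil.ReadFile(path)
+ 	if err != nil {
+ 		return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	return data, nil
+ }
+ 
++func mdFilepath(mdFilename string) string {
++	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ 	var files []string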
| @ -30,7 +30,7 @@ end} | ||||
| 
 | ||||
| Name:             grafana | ||||
| Version:          7.5.11 | ||||
| Release:          1%{?dist} | ||||
| Release:          2%{?dist} | ||||
| Summary:          Metrics dashboard and graph editor | ||||
| License:          ASL 2.0 | ||||
| URL:              https://grafana.org | ||||
| @ -91,6 +91,8 @@ Patch9:           009-patch-unused-backend-crypto.patch | ||||
| # if FIPS mode is enabled. | ||||
| Patch10:          010-fips.patch | ||||
| 
 | ||||
| Patch11:          011-CVE-2021-43813.patch | ||||
| 
 | ||||
| # Intersection of go_arches and nodejs_arches | ||||
| ExclusiveArch:    %{grafana_arches} | ||||
| 
 | ||||
| @ -492,6 +494,7 @@ rm -r plugins-bundled | ||||
| %if %{enable_fips_mode} | ||||
| %patch10 -p1 | ||||
| %endif | ||||
| %patch11 -p1 | ||||
| 
 | ||||
| # Set up build subdirs and links | ||||
| mkdir -p %{_builddir}/src/github.com/grafana | ||||
| @ -720,6 +723,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2 | ||||
| - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache | ||||
| - resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files | ||||
| 
 | ||||
| * Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1 | ||||
| - update to 7.5.11 tagged upstream community sources, see CHANGELOG | ||||
| - resolve CVE-2021-39226 | ||||
|  | ||||
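Review bot: The changelog entry in the last hunk credits this release with resolving CVE-2021-44716, but nothing in the visible diff addresses it — the only new artifact is Patch11 for CVE-2021-43813, applied with `%patch11 -p1`. If the net/http fix is expected to arrive through the Go toolchain the package is built against rather than a source patch, the changelog line or a spec comment should say so, and the toolchain requirement should be pinned to a fixed version; otherwise the claim cannot be verified from this commit. The spec file's header and any build-dependency lines are outside this section, so I cannot confirm either way. The `Patch11:` line also lacks the descriptive comment that precedes `Patch10:`; a one-liner such as `# backport of upstream commit ea77415cf (#42969) for CVE-2021-43813` would keep the spec's convention and record provenance.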