fix CVE-2021-44716 and CVE-2021-43813

Resolves: rhbz#2034450 Resolves: rhbz#2032740
2021-12-16 16:01:01 +01:00 · 2021-12-16 16:01:01 +01:00 · a362c62136
commit a362c62136
parent 598a441ca7
2 changed files with 60 additions and 1 deletions
--- a/011-CVE-2021-43813.patch
+++ b/011-CVE-2021-43813.patch
@ -0,0 +1,52 @@
 commit ea77415cfe2cefe46ffce233076a1409abaa8df7
 Author: Will Browne <wbrowne@users.noreply.github.com>
 Date:   Fri Dec 10 11:29:12 2021 +0000
    apply fix (#42969)
 diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
 index e6370a29e7..c7199c716e 100644
 --- a/pkg/plugins/plugins.go
 +++ b/pkg/plugins/plugins.go
@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 	}
 	// nolint:gosec
 -	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
 -	// on plugin the folder structure on disk and not user input.
 -	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
 +	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
 +	// use this with a prefix of the plugin's directory, which is set during plugin loading
 +	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
 	exists, err := fs.Exists(path)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 -		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
 +		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
 	}
 	exists, err = fs.Exists(path)
@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 	}
 	// nolint:gosec
 -	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
 -	// on plugin the folder structure on disk and not user input.
 +	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
 +	// use this with a prefix of the plugin's directory, which is set during plugin loading
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 	return data, nil
 }
 +func mdFilepath(mdFilename string) string {
 +	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
 +}
 +
 // gets plugin filenames that require verification for plugin signing
 func collectPluginFilesWithin(rootDir string) ([]string, error) {
 	var files []string
--- a/grafana.spec
+++ b/grafana.spec
@ -30,7 +30,7 @@ end}
 Name:             grafana
 Version:          7.5.11
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@ -91,6 +91,8 @@ Patch9:           009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10:          010-fips.patch
 Patch11:          011-CVE-2021-43813.patch
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@ -492,6 +494,7 @@ rm -r plugins-bundled
 %if %{enable_fips_mode}
 %patch10 -p1
 %endif
 %patch11 -p1
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@ -720,6 +723,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
 %changelog
 * Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
 - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
 - resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
 * Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
 - update to 7.5.11 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2021-39226