fix CVE-2021-44716 and CVE-2021-43813
Resolves: rhbz#2034450 Resolves: rhbz#2032740
This commit is contained in:
parent
598a441ca7
commit
a362c62136
52
011-CVE-2021-43813.patch
Normal file
52
011-CVE-2021-43813.patch
Normal file
@ -0,0 +1,52 @@
|
||||
commit ea77415cfe2cefe46ffce233076a1409abaa8df7
|
||||
Author: Will Browne <wbrowne@users.noreply.github.com>
|
||||
Date: Fri Dec 10 11:29:12 2021 +0000
|
||||
|
||||
apply fix (#42969)
|
||||
|
||||
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
|
||||
index e6370a29e7..c7199c716e 100644
|
||||
--- a/pkg/plugins/plugins.go
|
||||
+++ b/pkg/plugins/plugins.go
|
||||
@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
|
||||
}
|
||||
|
||||
// nolint:gosec
|
||||
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
|
||||
- // on plugin the folder structure on disk and not user input.
|
||||
- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
|
||||
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
|
||||
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
|
||||
+ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
|
||||
exists, err := fs.Exists(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !exists {
|
||||
- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
|
||||
+ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
|
||||
}
|
||||
|
||||
exists, err = fs.Exists(path)
|
||||
@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
|
||||
}
|
||||
|
||||
// nolint:gosec
|
||||
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
|
||||
- // on plugin the folder structure on disk and not user input.
|
||||
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
|
||||
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
|
||||
data, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
|
||||
return data, nil
|
||||
}
|
||||
|
||||
+func mdFilepath(mdFilename string) string {
|
||||
+ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
|
||||
+}
|
||||
+
|
||||
// gets plugin filenames that require verification for plugin signing
|
||||
func collectPluginFilesWithin(rootDir string) ([]string, error) {
|
||||
var files []string
|
@ -30,7 +30,7 @@ end}
|
||||
|
||||
Name: grafana
|
||||
Version: 7.5.11
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Metrics dashboard and graph editor
|
||||
License: ASL 2.0
|
||||
URL: https://grafana.org
|
||||
@ -91,6 +91,8 @@ Patch9: 009-patch-unused-backend-crypto.patch
|
||||
# if FIPS mode is enabled.
|
||||
Patch10: 010-fips.patch
|
||||
|
||||
Patch11: 011-CVE-2021-43813.patch
|
||||
|
||||
# Intersection of go_arches and nodejs_arches
|
||||
ExclusiveArch: %{grafana_arches}
|
||||
|
||||
@ -492,6 +494,7 @@ rm -r plugins-bundled
|
||||
%if %{enable_fips_mode}
|
||||
%patch10 -p1
|
||||
%endif
|
||||
%patch11 -p1
|
||||
|
||||
# Set up build subdirs and links
|
||||
mkdir -p %{_builddir}/src/github.com/grafana
|
||||
@ -720,6 +723,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
|
||||
- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
|
||||
- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
|
||||
|
||||
* Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
|
||||
- update to 7.5.11 tagged upstream community sources, see CHANGELOG
|
||||
- resolve CVE-2021-39226
|
||||
|
Loading…
Reference in New Issue
Block a user