import grafana-7.5.15-4.el8

This commit is contained in:
CentOS Sources 2023-03-28 10:29:33 +00:00 committed by Stepan Oksanichenko
parent 250c3c4777
commit c2f40a0a60
3 changed files with 127 additions and 3 deletions

View File

@ -106,7 +106,7 @@ index 0000000..6dfdf10
--- /dev/null
+++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
@@ -0,0 +1,5 @@
+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h"
+#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h"
+
+DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
+ (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),

View File

@ -0,0 +1,104 @@
From 5aa2c77ac1ac544ed6b3a2c5efa767e53b810c3b Mon Sep 17 00:00:00 2001
From: linoman <2051016+linoman@users.noreply.github.com>
Date: Fri, 16 Sep 2022 10:46:44 +0200
Subject: [PATCH] fix CVE-2022-39229
Swap order of login fields
(cherry picked from commit 5ec176cada3d8adf651f844e3f707bc469495abd)
Add test for username/login field conflict
(cherry picked from commit 7aabcf26944835b0418eec6b057a0b186ff206bf)
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Co-authored-by: dsotirakis <dimitrios.sotirakis@grafana.com>
diff --git a/pkg/services/sqlstore/user.go b/pkg/services/sqlstore/user.go
index 3dba16a75e..d773bd9dfe 100644
--- a/pkg/services/sqlstore/user.go
+++ b/pkg/services/sqlstore/user.go
@@ -298,19 +298,24 @@ func GetUserByLogin(query *models.GetUserByLoginQuery) error {
return models.ErrUserNotFound
}
- // Try and find the user by login first.
- // It's not sufficient to assume that a LoginOrEmail with an "@" is an email.
+ var has bool
+ var err error
user := &models.User{Login: query.LoginOrEmail}
- has, err := x.Get(user)
- if err != nil {
- return err
+ // Since username can be an email address, attempt login with email address
+ // first if the login field has the "@" symbol.
+ if strings.Contains(query.LoginOrEmail, "@") {
+ user = &models.User{Email: query.LoginOrEmail}
+ has, err = x.Get(user)
+
+ if err != nil {
+ return err
+ }
}
- if !has && strings.Contains(query.LoginOrEmail, "@") {
- // If the user wasn't found, and it contains an "@" fallback to finding the
- // user by email.
- user = &models.User{Email: query.LoginOrEmail}
+ // Lookup the login field instead of email field
+ if !has {
+ user = &models.User{Login: query.LoginOrEmail}
has, err = x.Get(user)
}
diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
index aa796ffb02..7fb9d9be2a 100644
--- a/pkg/services/sqlstore/user_test.go
+++ b/pkg/services/sqlstore/user_test.go
@@ -42,6 +43,45 @@ func TestUserDataAccess(t *testing.T) {
})
})
+ Convey("Get User by login - user_2 uses user_1.email as login", func() {
+ ss = InitTestDB(t)
+
+ // create user_1
+ cmd1 := &models.CreateUserCommand{
+ Email: "user_1@mail.com",
+ Name: "user_1",
+ Login: "user_1",
+ Password: "user_1_password",
+ IsDisabled: true,
+ }
+ err := CreateUser(context.Background(), cmd1)
+ So(err, ShouldBeNil)
+
+ // create user_2
+ cmd2 := &models.CreateUserCommand{
+ Email: "user_2@mail.com",
+ Name: "user_2",
+ Login: "user_1@mail.com",
+ Password: "user_2_password",
+ IsDisabled: true,
+ }
+ err = CreateUser(context.Background(), cmd2)
+ So(err, ShouldBeNil)
+
+ // query user database for user_1 email
+ query := models.GetUserByLoginQuery{LoginOrEmail: "user_1@mail.com"}
+ err = GetUserByLogin(&query)
+ So(err, ShouldBeNil)
+
+ // expect user_1 as result
+ So(query.Result.Email, ShouldEqual, cmd1.Email)
+ So(query.Result.Login, ShouldEqual, cmd1.Login)
+ So(query.Result.Name, ShouldEqual, cmd1.Name)
+ So(query.Result.Email, ShouldNotEqual, cmd2.Email)
+ So(query.Result.Login, ShouldNotEqual, cmd2.Login)
+ So(query.Result.Name, ShouldNotEqual, cmd2.Name)
+ })
+
Convey("Creates disabled user", func() {
cmd := &models.CreateUserCommand{
Email: "usertest@test.com",

View File

@ -30,7 +30,7 @@ end}
Name: grafana
Version: 7.5.15
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Metrics dashboard and graph editor
License: ASL 2.0
URL: https://grafana.org
@ -103,6 +103,7 @@ Patch13: 013-CVE-2021-23648.patch
Patch14: 014-CVE-2022-21698.patch
Patch15: 015-CVE-2022-21698.vendor.patch
Patch16: 016-fix-CVE-2022-31107.patch
Patch17: 017-fix-CVE-2022-39229.patch
# Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches}
@ -791,6 +792,7 @@ rm -r plugins-bundled
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
# Set up build subdirs and links
mkdir -p %{_builddir}/src/github.com/grafana
@ -808,6 +810,11 @@ ln -s %{_builddir}/%{name}-%{version} \
cd %{_builddir}/src/github.com/grafana/grafana
export GOPATH=%{_builddir}
# required since RHEL 8.8 to fix the following error:
# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
# can be removed in a future Go release
export GOEXPERIMENT=boringcrypto
# see grafana-X.X.X/build.go
export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
for cmd in grafana-cli grafana-server; do
@ -922,7 +929,12 @@ export TZ=GMT
# GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path
rm -r pkg/macaron
%gotest ./pkg/...
# required since RHEL 8.8 to fix the following error:
# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
# can be removed in a future Go release
export GOEXPERIMENT=boringcrypto
%gotest "-tags=integration" ./pkg/...
%if %{enable_fips_mode}
OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
@ -973,6 +985,14 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
%changelog
* Mon Oct 31 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-4
- resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in
- resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
- resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- run integration tests in check phase
- update FIPS patch with latest changes in Go packaging
* Wed Aug 10 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-3
- resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
- resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header