From c2f40a0a60b71158052217564762afa77ad02094 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 10:29:33 +0000 Subject: [PATCH] import grafana-7.5.15-4.el8 --- SOURCES/010-fips.patch | 2 +- SOURCES/017-fix-CVE-2022-39229.patch | 104 +++++++++++++++++++++++++++ SPECS/grafana.spec | 24 ++++++- 3 files changed, 127 insertions(+), 3 deletions(-) create mode 100644 SOURCES/017-fix-CVE-2022-39229.patch diff --git a/SOURCES/010-fips.patch b/SOURCES/010-fips.patch index f9adee9..1ea6cd2 100644 --- a/SOURCES/010-fips.patch +++ b/SOURCES/010-fips.patch @@ -106,7 +106,7 @@ index 0000000..6dfdf10 --- /dev/null +++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h @@ -0,0 +1,5 @@ -+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h" ++#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h" + +DEFINEFUNC(int, PKCS5_PBKDF2_HMAC, + (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out), diff --git a/SOURCES/017-fix-CVE-2022-39229.patch b/SOURCES/017-fix-CVE-2022-39229.patch new file mode 100644 index 0000000..daa760c --- /dev/null +++ b/SOURCES/017-fix-CVE-2022-39229.patch 
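Review bot: The new `#include` hard-codes an absolute path into the build host's Go tree (`/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h`), so the FIPS shim breaks again, silently, the next time the golang package relocates that header, exactly as it evidently just did for the previous `goboringcrypto.h` path. Nothing in the hunk records which golang packaging this path tracks; add a comment above the include such as `/* header from the RHEL golang package's vendored golang-fips/openssl-fips shim; must track the golang BuildRequires */` and, if the spec does not already pin it (not visible here), a versioned `BuildRequires: golang`. The outer 010-fips.patch hunk covers only these lines; the rest of that patch is outside the view.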
@@ -0,0 +1,104 @@ +From 5aa2c77ac1ac544ed6b3a2c5efa767e53b810c3b Mon Sep 17 00:00:00 2001 +From: linoman <2051016+linoman@users.noreply.github.com> +Date: Fri, 16 Sep 2022 10:46:44 +0200 +Subject: [PATCH] fix CVE-2022-39229 + +Swap order of login fields + +(cherry picked from commit 5ec176cada3d8adf651f844e3f707bc469495abd) + +Add test for username/login field conflict + +(cherry picked from commit 7aabcf26944835b0418eec6b057a0b186ff206bf) + +Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> +Co-authored-by: dsotirakis + +diff --git a/pkg/services/sqlstore/user.go b/pkg/services/sqlstore/user.go +index 3dba16a75e..d773bd9dfe 100644 +--- a/pkg/services/sqlstore/user.go ++++ b/pkg/services/sqlstore/user.go +@@ -298,19 +298,24 @@ func GetUserByLogin(query *models.GetUserByLoginQuery) error { + return models.ErrUserNotFound + } + +- // Try and find the user by login first. +- // It's not sufficient to assume that a LoginOrEmail with an "@" is an email. ++ var has bool ++ var err error + user := &models.User{Login: query.LoginOrEmail} +- has, err := x.Get(user) + +- if err != nil { +- return err ++ // Since username can be an email address, attempt login with email address ++ // first if the login field has the "@" symbol. ++ if strings.Contains(query.LoginOrEmail, "@") { ++ user = &models.User{Email: query.LoginOrEmail} ++ has, err = x.Get(user) ++ ++ if err != nil { ++ return err ++ } + } + +- if !has && strings.Contains(query.LoginOrEmail, "@") { +- // If the user wasn't found, and it contains an "@" fallback to finding the +- // user by email. 
+- user = &models.User{Email: query.LoginOrEmail} ++ // Lookup the login field instead of email field ++ if !has { ++ user = &models.User{Login: query.LoginOrEmail} + has, err = x.Get(user) + } + +diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go +index aa796ffb02..7fb9d9be2a 100644 +--- a/pkg/services/sqlstore/user_test.go ++++ b/pkg/services/sqlstore/user_test.go +@@ -42,6 +43,45 @@ func TestUserDataAccess(t *testing.T) { + }) + }) + ++ Convey("Get User by login - user_2 uses user_1.email as login", func() { ++ ss = InitTestDB(t) ++ ++ // create user_1 ++ cmd1 := &models.CreateUserCommand{ ++ Email: "user_1@mail.com", ++ Name: "user_1", ++ Login: "user_1", ++ Password: "user_1_password", ++ IsDisabled: true, ++ } ++ err := CreateUser(context.Background(), cmd1) ++ So(err, ShouldBeNil) ++ ++ // create user_2 ++ cmd2 := &models.CreateUserCommand{ ++ Email: "user_2@mail.com", ++ Name: "user_2", ++ Login: "user_1@mail.com", ++ Password: "user_2_password", ++ IsDisabled: true, ++ } ++ err = CreateUser(context.Background(), cmd2) ++ So(err, ShouldBeNil) ++ ++ // query user database for user_1 email ++ query := models.GetUserByLoginQuery{LoginOrEmail: "user_1@mail.com"} ++ err = GetUserByLogin(&query) ++ So(err, ShouldBeNil) ++ ++ // expect user_1 as result ++ So(query.Result.Email, ShouldEqual, cmd1.Email) ++ So(query.Result.Login, ShouldEqual, cmd1.Login) ++ So(query.Result.Name, ShouldEqual, cmd1.Name) ++ So(query.Result.Email, ShouldNotEqual, cmd2.Email) ++ So(query.Result.Login, ShouldNotEqual, cmd2.Login) ++ So(query.Result.Name, ShouldNotEqual, cmd2.Name) ++ }) ++ + Convey("Creates disabled user", func() { + cmd := &models.CreateUserCommand{ + Email: "usertest@test.com", diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 0a96dc0..4e90aa7 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec 
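Review bot: Reordering the lookups in `GetUserByLogin` only decides which of two colliding accounts wins a login; unless user creation and update also reject a login equal to another account's email (and an email equal to another account's "@"-containing login), the mirror collision — user B setting their email to user A's email-shaped login — still shadows A, because the email lookup now runs first. That enforcement belongs in `CreateUser`/`UpdateUser`, outside this patch, and the new Convey case covers only the login-equals-email direction; a second case giving user_1 `Login: "user_2@mail.com"` and user_2 `Email: "user_2@mail.com"` would pin the other. The `user := &models.User{Login: query.LoginOrEmail}` before the `if` is dead, since both paths reassign `user`; `var user *models.User` suffices. The test hunk header `@@ -42,6 +43,45 @@` implies an earlier hunk in user_test.go that this backport does not carry, most likely an import; confirm `context` is already imported in 7.5.15's user_test.go, otherwise `%check` fails to compile it. `GetUserByLogin` continues past the hunk, so the error check after the second `x.Get` is not visible here.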
@@ -30,7 +30,7 @@ end} Name: grafana Version: 7.5.15 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Metrics dashboard and graph editor License: ASL 2.0 URL: https://grafana.org @@ -103,6 +103,7 @@ Patch13: 013-CVE-2021-23648.patch Patch14: 014-CVE-2022-21698.patch Patch15: 015-CVE-2022-21698.vendor.patch Patch16: 016-fix-CVE-2022-31107.patch +Patch17: 017-fix-CVE-2022-39229.patch # Intersection of go_arches and nodejs_arches ExclusiveArch: %{grafana_arches} @@ -791,6 +792,7 @@ rm -r plugins-bundled %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # Set up build subdirs and links mkdir -p %{_builddir}/src/github.com/grafana @@ -808,6 +810,11 @@ ln -s %{_builddir}/%{name}-%{version} \ cd %{_builddir}/src/github.com/grafana/grafana export GOPATH=%{_builddir} +# required since RHEL 8.8 to fix the following error: +# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring" +# can be removed in a future Go release +export GOEXPERIMENT=boringcrypto + # see grafana-X.X.X/build.go export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}" for cmd in grafana-cli grafana-server; do @@ -922,7 +929,12 @@ export TZ=GMT # GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path rm -r pkg/macaron -%gotest ./pkg/... +# required since RHEL 8.8 to fix the following error: +# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring" +# can be removed in a future Go release +export GOEXPERIMENT=boringcrypto + +%gotest "-tags=integration" ./pkg/... %if %{enable_fips_mode} OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption 
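Review bot: The comment `# can be removed in a future Go release` above `export GOEXPERIMENT=boringcrypto` in `%build` gives no condition for removal, and the same four lines are repeated verbatim in `%check` (necessarily, since `%build` and `%check` run as separate shells), so a future cleanup can easily drop one copy and not the other, leaving a build that links `crypto/boring` in one phase but tests without it. Name the condition and the duplication in the comment, e.g. `# needed until the RHEL golang package exposes crypto/boring without GOEXPERIMENT; keep in sync with the same export in %check`. The enclosing `%build` section continues outside the hunk.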
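Review bot: Nothing in the hunk records why `%gotest "-tags=integration" ./pkg/...` gained the build tag; if the sqlstore tests, including the CVE-2022-39229 regression test that Patch17 adds to user_test.go, are build-tagged `integration` (not visible here), removing the tag later would silently stop running them while `%check` still passes. Add a comment above the `%gotest` line such as `# -tags=integration: the sqlstore tests (including the CVE-2022-39229 regression test) are build-tagged integration and are skipped without it`. The `%if %{enable_fips_mode}` block that follows continues outside the hunk.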
@@ -973,6 +985,14 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio %changelog +* Mon Oct 31 2022 Andreas Gerstmayr 7.5.15-4 +- resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in +- resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY +- resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps +- resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters +- run integration tests in check phase +- update FIPS patch with latest changes in Go packaging + * Wed Aug 10 2022 Andreas Gerstmayr 7.5.15-3 - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions - resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header