From d94a647305cb614789179cfa5d2e5c61319c1819 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 22 Dec 2021 04:22:12 +0000
Subject: [PATCH] import grafana-7.5.11-2.el8
---
 SOURCES/011-CVE-2021-43813.patch | 52 ++++++++++++++++++++++++++++++++
 SPECS/grafana.spec | 9 +++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/011-CVE-2021-43813.patch
diff --git a/SOURCES/011-CVE-2021-43813.patch b/SOURCES/011-CVE-2021-43813.patch
new file mode 100644
index 0000000..375b364
--- /dev/null
+++ b/SOURCES/011-CVE-2021-43813.patch
@@ -0,0 +1,52 @@
+commit ea77415cfe2cefe46ffce233076a1409abaa8df7
+Author: Will Browne
+Date: Fri Dec 10 11:29:12 2021 +0000
+
+ apply fix (#42969)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e7..c7199c716e 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
+- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
++ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ exists, err := fs.Exists(path)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ }
+
+ exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ data, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ return data, nil
+ }
+
++func mdFilepath(mdFilename string) string {
++ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ var files []string
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index d163399..218af28 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -30,7 +30,7 @@ end}
 Name: grafana
 Version: 7.5.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
@@ -91,6 +91,8 @@ Patch9: 009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10: 010-fips.patch
+Patch11: 011-CVE-2021-43813.patch
+
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
@@ -489,6 +491,7 @@ rm -r plugins-bundled
 %if %{enable_fips_mode}
 %patch10 -p1
 %endif
+%patch11 -p1
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -671,6 +674,10 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
 %changelog
+* Thu Dec 16 2021 Andreas Gerstmayr 7.5.11-2
+- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
+- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
+
 * Mon Oct 11 2021 Andreas Gerstmayr 7.5.11-1
 - update to 7.5.11 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2021-39226
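Review bot: `mdFilepath`, added in the last nested hunk, is the entire CVE-2021-43813 fix yet has no doc comment, and the backported patch carries no test for it; the property it relies on — joining onto `/` before `filepath.Clean` collapses any leading `..` segments into the root, so the result is always a single root-anchored `<name>.md` that `filepath.Join(plug.PluginDir, ...)` then places under the plugin directory — is exactly the kind of invariant that gets lost in a later refactor. I would add `// mdFilepath returns "/<mdFilename>.md" cleaned against a virtual root, so parent-directory segments in a caller-supplied name cannot escape the directory the result is later joined onto.` and a small table test asserting that names containing `..` segments reduce to a file directly under `/`. The two rewritten `nolint:gosec` justifications are correct but identical; the second one, at the `ioutil.ReadFile` call, could simply refer to `mdFilepath` instead of restating the argument. A name with a subdirectory component still resolves inside `plug.PluginDir`, which appears to be intended but is worth confirming against the upstream change (#42969). `GetPluginMarkdown` begins before the first nested hunk and only parts of its body are visible here.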
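Review bot: `Patch11: 011-CVE-2021-43813.patch` is declared without the explanatory comment that its neighbour `Patch10` gets, and the changelog hunk (`@@ -671,6 +674,10 @@`) also credits this release with resolving CVE-2021-44716, which no hunk in the commit touches — that fix presumably arrives through the golang package in the build root, not through anything here. I would add `# CVE-2021-43813: directory traversal via plugin *.md file names` above the new `Patch11` line, and make the CVE-2021-44716 entry say where the fix comes from so the next maintainer does not search this spec for a patch that is not there. `%patch11 -p1` is applied unconditionally after the `%endif` of the FIPS block, which looks right since the fix does not depend on FIPS mode.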