resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations

2023-07-22 00:37:49 -05:00 · 2023-07-22 00:37:49 -05:00 · f70a707434
parent 53f206ac65
commit f70a707434
2 changed files with 71 additions and 1 deletions
--- a/0010-remove-email-lookup.patch
+++ b/0010-remove-email-lookup.patch
@ -0,0 +1,64 @@
+From bae86dbeb0ad68a205454e98e76985dc393183d4 Mon Sep 17 00:00:00 2001
+From: Ieva <ieva.vasiljeva@grafana.com>
+Date: Tue, 6 Jun 2023 17:45:31 +0100
+Subject: [PATCH] Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
+
+backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
+---
+ pkg/api/login_oauth.go | 17 +++++++++--------
+ pkg/setting/setting.go |  5 ++++-
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
+index 22014aee433c2..af00c56a68ccd 100644
+--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
+@@ -302,16 +302,17 @@ func (hs *HTTPServer) SyncUser(
+ 	connect social.SocialConnector,
+ ) (*user.User, error) {
+ 	oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+	lookupParams := models.UserLookupParams{}
+	if hs.Cfg.OAuthAllowInsecureEmailLookup {
+		lookupParams.Email = &extUser.Email
+	}
+
+ 	// add/update user in Grafana
+ 	cmd := &models.UpsertUserCommand{
+-		ReqContext:    ctx,
+-		ExternalUser:  extUser,
+-		SignupAllowed: connect.IsSignupAllowed(),
+-		UserLookupParams: models.UserLookupParams{
+-			Email:  &extUser.Email,
+-			UserID: nil,
+-			Login:  nil,
+-		},
+		ReqContext:       ctx,
+		ExternalUser:     extUser,
+		SignupAllowed:    connect.IsSignupAllowed(),
+		UserLookupParams: lookupParams,
+ 	}
+ 
+ 	if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
+diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
+index 20e8f78a2f55c..03aa5c17d8682 100644
+--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
+@@ -318,7 +318,8 @@ type Cfg struct {
+ 	AuthProxySyncTTL          int
+ 
+ 	// OAuth
+-	OAuthCookieMaxAge int
+	OAuthCookieMaxAge             int
+	OAuthAllowInsecureEmailLookup bool
+ 
+ 	// JWT Auth
+ 	JWTAuthEnabled                 bool
+@@ -1305,6 +1306,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
+ 		return err
+ 	}
+ 
+	cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
+ 	const defaultMaxLifetime = "30d"
+ 	maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
+ 	cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
--- a/grafana.spec
+++ b/grafana.spec
@ -23,7 +23,7 @@ end}

 Name:             grafana
 Version:          9.2.10
-Release:          3%{?dist}
+Release:          4%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@ -68,6 +68,8 @@ Patch6:           0006-skip-marketplace-plugin-install-test.patch
 Patch7:           0007-fix-alert-test.patch
 Patch8:           0008-graphite-functions-xss.patch
 Patch9:           0009-redact-weak-ciphers.patch
+# https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
+Patch10:          0010-remove-email-lookup.patch

 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -724,6 +726,7 @@ rm -r plugins-bundled
 %patch -P 7 -p1
 %patch -P 8 -p1
 %patch -P 9 -p1
+%patch -P 10 -p1

 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -914,6 +917,9 @@ export GOEXPERIMENT=boringcrypto


 %changelog
+* Sat Jul 22 2023 Carl George <carl@redhat.com> - 9.2.10-4
+- resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations
+
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 9.2.10-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild