From 2e6f73e0da502534014f2e735174ec81008b560e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 20 2020 18:26:55 +0000
Subject: import grafana-6.7.4-2.el8
---
diff --git a/.grafana.metadata b/.grafana.metadata
index 9dce1c8..6f6248f 100644
--- a/.grafana.metadata
+++ b/.grafana.metadata
@@ -1,2 +1,2 @@
 8bd02ed09feb9479a7f933408420354a3785dc9e SOURCES/grafana-6.7.4.tar.gz
-58bbf1928f44025278fe6a576c786fc5a8db78b0 SOURCES/grafana_webpack-6.7.4.tar.gz
+b0cadabb76cc9ed7ce1c2e36ad38faede152b0bd SOURCES/grafana_webpack-6.7.4.tar.gz
diff --git a/SOURCES/010-CVE-2020-13430.patch b/SOURCES/010-CVE-2020-13430.patch
new file mode 100644
index 0000000..d9c3597
--- /dev/null
+++ b/SOURCES/010-CVE-2020-13430.patch
@@ -0,0 +1,21 @@
+diff --git a/public/app/plugins/datasource/opentsdb/query_ctrl.ts b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+index 8569de2eb0..cbb1790625 100644
+--- a/public/app/plugins/datasource/opentsdb/query_ctrl.ts
++++ b/public/app/plugins/datasource/opentsdb/query_ctrl.ts
+@@ -2,6 +2,7 @@ import _ from 'lodash';
+ import kbn from 'app/core/utils/kbn';
+ import { QueryCtrl } from 'app/plugins/sdk';
+ import { auto } from 'angular';
++import { escapeHtml } from 'app/core/utils/text';
+
+ export class OpenTsQueryCtrl extends QueryCtrl {
+ static templateUrl = 'partials/query.editor.html';
+@@ -90,7 +91,7 @@ export class OpenTsQueryCtrl extends QueryCtrl {
+
+ getTextValues(metricFindResult: any) {
+ return _.map(metricFindResult, value => {
+- return value.text;
++ return escapeHtml(value.text);
+ });
+ }
+
diff --git a/SOURCES/make_grafana_webpack.sh b/SOURCES/make_grafana_webpack.sh
index 7baf487..6f95c3d 100755
--- a/SOURCES/make_grafana_webpack.sh
+++ b/SOURCES/make_grafana_webpack.sh
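Review bot: In the second inner hunk of 010-CVE-2020-13430.patch, `escapeHtml(value.text)` encodes the suggestion strings where they are produced, not where they are rendered, so any caller that reuses the returned text as data receives the escaped form. The callers of getTextValues are outside the hunk; if one writes the selected suggestion back into the query target, a metric or tag value containing `&` or `<` would presumably reach the datasource as `&amp;` or `&lt;`, which should be confirmed against upstream. `metricFindResult` is typed `any`, so a result without a `text` field is passed to escapeHtml unchecked. A one-line comment above the call, for example `// text comes from the datasource and is shown in the suggestion list; escape before display`, would record why it is there. The patch file also has no header naming the upstream commit it was taken from, which makes it harder to audit against the original fix.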
@@ -26,6 +26,9 @@ git clone https://github.com/grafana/grafana grafana-$VER cd grafana-$VER git checkout -b v$VER v$VER +# applying webpack patches +patch -p1 < ../010-CVE-2020-13430.patch + # exclude the phantomjs-prebuilt binary module from the webpack sed -i '/phantomjs-prebuilt/d' package.json diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index fa38f0f..c0c362d 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec @@ -24,7 +24,7 @@ end} Name: grafana Version: 6.7.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Metrics dashboard and graph editor License: ASL 2.0 URL: https://grafana.org @@ -58,6 +58,7 @@ Patch6: 006-pkg-setting-ini-default-section.patch Patch7: 007-pkg-prometheus-client-query-range.patch Patch8: 008-pkg-services-notifications-codes-Unknwon.patch Patch9: 009-pkg-fix-xorm-import.patch +Patch10: 010-CVE-2020-13430.patch # Intersection of go_arches and nodejs_arches ExclusiveArch: %{grafana_arches} @@ -631,6 +632,9 @@ export GO111MODULE=off %changelog +* Wed Aug 19 2020 Andreas Gerstmayr 6.7.4-2 +- security fix for CVE-2020-13430 + * Fri Jun 05 2020 Andreas Gerstmayr 6.7.4-1 - update to 6.7.4 tagged upstream community sources, see CHANGELOG - security fix for CVE-2020-13379
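Review bot: The added `patch -p1 < ../010-CVE-2020-13430.patch` step in make_grafana_webpack.sh has no visible failure handling, and whether the script runs under `set -e` is outside the hunk. If the patch does not apply and the script carries on, the webpack tarball is produced without the security fix under the same file name; `patch -p1 < ../010-CVE-2020-13430.patch || exit 1` makes that failure stop the build. The `../` path assumes the script is started from the directory that holds the patch, so a comment such as `# run from SOURCES/: patches are read relative to the clone's parent directory` would help. The comment says "patches" while one file is applied.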
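Review bot: `Patch10: 010-CVE-2020-13430.patch` in the second grafana.spec hunk declares a patch whose target is under public/app, the frontend tree that make_grafana_webpack.sh patches before building the webpack tarball. Whether %prep applies Patch10 is not visible here; if the frontend is taken only from the prebuilt tarball, the spec entry alone does not deliver the fix. A comment above the line, for example `# frontend patch: applied by make_grafana_webpack.sh, listed here so it ships in the SRPM`, would make that dependency explicit. The regenerated tarball keeps the name grafana_webpack-6.7.4.tar.gz, so the new checksum in .grafana.metadata and the release bump are the only visible markers of which tarball carries the fix.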