From 456ad1eb5f6b27fb70fad4844fb7c08d0705ee4b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 10 2022 07:00:15 +0000
Subject: import grafana-7.5.11-2.el8
---
diff --git a/.gitignore b/.gitignore
index 8d9599f..79c4020 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/grafana-7.5.9.tar.gz
-SOURCES/grafana-vendor-7.5.9-2.tar.xz
-SOURCES/grafana-webpack-7.5.9-2.tar.gz
+SOURCES/grafana-7.5.11.tar.gz
+SOURCES/grafana-vendor-7.5.11-1.tar.xz
+SOURCES/grafana-webpack-7.5.11-1.tar.gz
diff --git a/.grafana.metadata b/.grafana.metadata
index af2fa86..d33b818 100644
--- a/.grafana.metadata
+++ b/.grafana.metadata
@@ -1,3 +1,3 @@
-e658bc3706a71a2a77f34755ac362fd506d7b1a0 SOURCES/grafana-7.5.9.tar.gz
-8fc46c12ac1bae0f2e0434e8fdf71e61e922c74a SOURCES/grafana-vendor-7.5.9-2.tar.xz
-28052475c9cb45ac6523479ab9fd3da4ba678400 SOURCES/grafana-webpack-7.5.9-2.tar.gz
+cd7bfb63dd91361c1bc9c46d1f889b1f54f7758a SOURCES/grafana-7.5.11.tar.gz
+d55ac0b3a8fb3a0ce772442923e2ca3cba1af78f SOURCES/grafana-vendor-7.5.11-1.tar.xz
+db79c330e9a56dac2cdcae9b7c07c86112a66237 SOURCES/grafana-webpack-7.5.11-1.tar.gz
diff --git a/SOURCES/002-manpages.patch b/SOURCES/002-manpages.patch
index ccc1385..36ca294 100644
--- a/SOURCES/002-manpages.patch
+++ b/SOURCES/002-manpages.patch
@@ -4,7 +4,7 @@ index 0000000000..7ac2af882c
 --- /dev/null
 +++ b/docs/man/man1/grafana-cli.1
 @@ -0,0 +1,60 @@
-+.TH GRAFANA "1" "June 2021" "Grafana cli version 7.5.9" "User Commands"
++.TH GRAFANA "1" "October 2021" "Grafana cli version 7.5.11" "User Commands"
 +.SH NAME
 +grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
@@ -70,7 +70,7 @@ index 0000000000..c616268b31
 --- /dev/null
 +++ b/docs/man/man1/grafana-server.1
 @@ -0,0 +1,72 @@
-+.TH VERSION "1" "June 2021" "Version 7.5.9" "User Commands"
++.TH VERSION "1" "October 2021" "Version 7.5.11" "User Commands"
 +.SH NAME
 +grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
diff --git a/SOURCES/011-CVE-2021-39226.patch b/SOURCES/011-CVE-2021-39226.patch
deleted file mode 100644
index a17cd34..0000000
--- a/SOURCES/011-CVE-2021-39226.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
-index 4f7a4b8d09..b500639d15 100644
---- a/pkg/api/dashboard_snapshot.go
-+++ b/pkg/api/dashboard_snapshot.go
-@@ -144,6 +144,9 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
- // GET /api/snapshots/:key
- func GetDashboardSnapshot(c *models.ReqContext) response.Response {
- key := c.Params(":key")
-+ if len(key) == 0 {
-+ return response.Error(404, "Snapshot not found", nil)
-+ }
- query := &models.GetDashboardSnapshotQuery{Key: key}
- 
- err := bus.Dispatch(query)
-@@ -210,6 +213,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
- // GET /api/snapshots-delete/:deleteKey
- func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response {
- key := c.Params(":deleteKey")
-+ if len(key) == 0 {
-+ return response.Error(404, "Snapshot not found", nil)
-+ }
- 
- query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
- 
-@@ -240,6 +246,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response
- // DELETE /api/snapshots/:key
- func DeleteDashboardSnapshot(c *models.ReqContext) response.Response {
- key := c.Params(":key")
-+ if len(key) == 0 {
-+ return response.Error(404, "Snapshot not found", nil)
-+ }
- 
- query := &models.GetDashboardSnapshotQuery{Key: key}
- 
-diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
-index df593d669a..46cb0c160f 100644
---- a/vendor/gopkg.in/macaron.v1/router.go
-+++ b/vendor/gopkg.in/macaron.v1/router.go
-@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
- func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
- if t, ok := r.routers[req.Method]; ok {
- // Fast match for static routes
-- leaf := r.getLeaf(req.Method, req.URL.Path)
-- if leaf != nil {
-- leaf.handle(rw, req, nil)
-- return
-+ if !strings.ContainsAny(req.URL.Path, ":*") {
-+ leaf := r.getLeaf(req.Method, req.URL.Path)
-+ if leaf != nil {
-+ leaf.handle(rw, req, nil)
-+ return
-+ }
- }
- 
- h, p, ok := t.Match(req.URL.EscapedPath())
diff --git a/SOURCES/011-CVE-2021-43813.patch b/SOURCES/011-CVE-2021-43813.patch
new file mode 100644
index 0000000..375b364
--- /dev/null
+++ b/SOURCES/011-CVE-2021-43813.patch
@@ -0,0 +1,52 @@
+commit ea77415cfe2cefe46ffce233076a1409abaa8df7
+Author: Will Browne
+Date: Fri Dec 10 11:29:12 2021 +0000
+
+ apply fix (#42969)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e7..c7199c716e 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+ 
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
+- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
++ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ exists, err := fs.Exists(path)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ }
+ 
+ exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+ 
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ data, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ return data, nil
+ }
+ 
++func mdFilepath(mdFilename string) string {
++ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ var files []string
diff --git a/SOURCES/Makefile b/SOURCES/Makefile
index acd932c..dab531d 100644
--- a/SOURCES/Makefile
+++ b/SOURCES/Makefile
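Review bot: `mdFilepath`, added in the last inner hunk of this new patch file, carries no comment recording why the `.md` name is joined onto `/` before `filepath.Clean`; that rooting step is what resolves any leading `..` segments against the root so the subsequent `filepath.Join(plug.PluginDir, …)` cannot leave the plugin directory, and without a comment the `Join("/", …)` reads as redundant and is easy to drop in a later refactor. Suggest `// mdFilepath returns "<mdFilename>.md" cleaned against an absolute root, so that parent-directory segments in the requested name cannot escape the directory the result is later joined onto.` above the function. The two rewritten `nolint:gosec` justifications refer to this cleaning, so the doc comment is where a future maintainer would verify that claim. `GetPluginMarkdown` starts and ends outside the inner hunks.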
@@ -1,19 +1,24 @@ -ifndef VER - $(error VER is undefined) -endif -ifndef REL - $(error REL is undefined) -endif +VERSION := $(shell rpm --specfile *.spec --qf '%{VERSION}\n' | head -1) +RELEASE := $(shell rpm --specfile *.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1) NAME := grafana RPM_NAME := $(NAME) -SOURCE_DIR := $(NAME)-$(VER) -SOURCE_TAR := $(NAME)-$(VER).tar.gz -VENDOR_TAR := $(RPM_NAME)-vendor-$(VER)-$(REL).tar.xz -WEBPACK_TAR := $(RPM_NAME)-webpack-$(VER)-$(REL).tar.gz +SOURCE_DIR := $(NAME)-$(VERSION) +SOURCE_TAR := $(NAME)-$(VERSION).tar.gz +VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz +WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz + +# patches which must be applied before creating the vendor tarball, for example: +# - changes in dependency versions +# - changes in Go module imports (which affect the vendored Go modules) +PATCHES_PRE_VENDOR := \ + 005-remove-unused-dependencies.patch \ + 008-remove-unused-frontend-crypto.patch + +# patches which must be applied before creating the webpack, for example: +# - changes in Node.js sources or vendored dependencies +PATCHES_PRE_WEBPACK := -ALL_PATCHES := $(wildcard *.patch) -PATCHES_TO_APPLY := $(filter-out 009-patch-unused-backend-crypto.patch 010-fips.patch,$(ALL_PATCHES)) all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR) 
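Review bot: `VERSION` and `RELEASE` are now derived with `$(shell rpm --specfile *.spec …)`, replacing the `ifndef VER`/`ifndef REL` guards this hunk removes, but nothing validates the result: if `rpm` is unavailable or the spec fails to parse, both expand to empty and the recipes proceed against names such as `grafana-.tar.gz`. Suggest keeping the fail-fast behaviour with `ifeq ($(strip $(VERSION)),)`, `$(error could not determine VERSION from *.spec)`, `endif`, and the same check for `RELEASE`. The `$(shell …)` results are evaluated on every invocation, including `make clean`, so the guard should sit directly below the two assignments as the old one did.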
@@ -21,43 +26,52 @@ $(SOURCE_TAR): spectool -g $(RPM_NAME).spec $(VENDOR_TAR): $(SOURCE_TAR) - rm -rf grafana-$(VER) - tar xfz grafana-$(VER).tar.gz + # start with a clean state + rm -rf $(SOURCE_DIR) + tar xf $(SOURCE_TAR) - # patches can affect Go or Node.js dependencies, or the webpack - for patch in $(PATCHES_TO_APPLY); do patch -d grafana-$(VER) -p1 --fuzz=0 < $$patch; done + # Patches to apply before vendoring + for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done # Go - cd grafana-$(VER) && go mod vendor -v + cd $(SOURCE_DIR) && go mod vendor -v # Remove unused crypto - rm grafana-$(VER)/vendor/golang.org/x/crypto/cast5/cast5.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/ed25519.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go - awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' grafana-$(VER)/go.mod | \ + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/cast5/cast5.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/ed25519.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go + awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' $(SOURCE_DIR)/go.mod | \ sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > $@.manifest # Node.js - cd grafana-$(VER) && yarn install --pure-lockfile + cd $(SOURCE_DIR) && yarn install --pure-lockfile # Remove files with licensing issues 
- find grafana-$(VER) -type d -name 'node-notifier' -prune -exec rm -r {} \; - find grafana-$(VER) -type d -name 'property-information' -prune -exec rm -r {} \; - find grafana-$(VER) -type f -name '*.exe' -delete - rm -r grafana-$(VER)/node_modules/visjs-network/examples - ./list_bundled_nodejs_packages.py grafana-$(VER)/ >> $@.manifest + find $(SOURCE_DIR) -type d -name 'node-notifier' -prune -exec rm -r {} \; + find $(SOURCE_DIR) -type d -name 'property-information' -prune -exec rm -r {} \; + find $(SOURCE_DIR) -type f -name '*.exe' -delete + rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples + ./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest # Create tarball - XZ_OPT=-9 tar cfJ $@ \ - grafana-$(VER)/vendor \ - $$(find grafana-$(VER) -type d -name "node_modules" -prune) + XZ_OPT=-9 time -p tar cJf $@ \ + $(SOURCE_DIR)/vendor \ + $$(find $(SOURCE_DIR) -type d -name "node_modules" -prune) $(WEBPACK_TAR): $(VENDOR_TAR) - cd grafana-$(VER) && \ + # start with a clean state + rm -rf $(SOURCE_DIR) + tar xf $(SOURCE_TAR) + tar xf $(VENDOR_TAR) + + # Patches to apply before creating the webpack + for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done + + cd $(SOURCE_DIR) && \ ../build_frontend.sh - tar cfz $@ grafana-$(VER)/public/build grafana-$(VER)/public/views grafana-$(VER)/plugins-bundled + tar cfz $@ $(SOURCE_DIR)/public/build $(SOURCE_DIR)/public/views $(SOURCE_DIR)/plugins-bundled clean: rm -rf *.tar.gz *.tar.xz *.manifest *.rpm $(NAME)-*/ diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 0da9ff2..218af28 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec 
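Review bot: The patch loops written on the new side — `for patch in $(PATCHES_PRE_VENDOR); do …; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done` in the `$(VENDOR_TAR)` recipe and the `PATCHES_PRE_WEBPACK` counterpart in the `$(WEBPACK_TAR)` recipe — only propagate the exit status of their last iteration, so unless the recipe shell runs with `-e`, a rejected patch other than the final one does not stop make and the tarball is built from partially patched sources. Append `|| exit 1` to the `patch` invocation in both loops, e.g. `for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch || exit 1; done`. With `PATCHES_PRE_WEBPACK` currently empty the webpack loop is a no-op today, so the change matters there only once a patch is listed.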
@@ -1,3 +1,13 @@ +# gobuild and gotest macros are not available on CentOS Stream +# remove once BZ 1965292 is resolved +# definitions lifted from Fedora 34 podman.spec +%if ! 0%{?gobuild:1} +%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**}; +%endif +%if ! 0%{?gotest:1} +%define gotest() GO111MODULE=off go test -buildmode pie -compiler gc -ldflags "${LDFLAGS:-} -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" %{?**}; +%endif + %global grafana_arches %{lua: go_arches = {} for arch in rpm.expand("%{go_arches}"):gmatch("%S+") do go_arches[arch] = 1 @@ -19,8 +29,8 @@ end} %endif Name: grafana -Version: 7.5.9 -Release: 5%{?dist} +Version: 7.5.11 +Release: 2%{?dist} Summary: Metrics dashboard and graph editor License: ASL 2.0 URL: https://grafana.org @@ -30,14 +40,14 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name} # Source1 contains the bundled Go and Node.js dependencies # Note: In case there were no changes to this tarball, the NVR of this tarball -# lags behind the NVR of the Grafana package. -Source1: grafana-vendor-%{version}-2.tar.xz +# lags behind the NVR of this package. +Source1: grafana-vendor-%{version}-1.tar.xz %if %{compile_frontend} == 0 # Source2 contains the precompiled frontend # Note: In case there were no changes to this tarball, the NVR of this tarball -# lags behind the NVR of the Grafana package. -Source2: grafana-webpack-%{version}-2.tar.gz +# lags behind the NVR of this package. +Source2: grafana-webpack-%{version}-1.tar.gz %endif # Source3 contains Grafana configuration defaults for distributions 
@@ -81,8 +91,7 @@ Patch9: 009-patch-unused-backend-crypto.patch # if FIPS mode is enabled. Patch10: 010-fips.patch -# Patch for CVE-2021-39226 -Patch11: 011-CVE-2021-39226.patch +Patch11: 011-CVE-2021-43813.patch # Intersection of go_arches and nodejs_arches ExclusiveArch: %{grafana_arches} @@ -610,6 +619,10 @@ export GOPATH=%{_builddir} # let's set the time zone to a time zone without daylight saving time export TZ=GMT +# GO111MODULE=on automatically skips vendored macaron sources in pkg/macaron +# GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path +rm -r pkg/macaron + %gotest ./pkg/... %if %{enable_fips_mode} @@ -661,12 +674,17 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption %changelog -* Tue Dec 21 2021 Andreas Gerstmayr 7.5.9-5 +* Thu Dec 16 2021 Andreas Gerstmayr 7.5.11-2 - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache +- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files -* Wed Oct 06 2021 Andreas Gerstmayr 7.5.9-4 +* Mon Oct 11 2021 Andreas Gerstmayr 7.5.11-1 +- update to 7.5.11 tagged upstream community sources, see CHANGELOG - resolve CVE-2021-39226 +* Thu Sep 30 2021 Andreas Gerstmayr 7.5.10-1 +- update to 7.5.10 tagged upstream community sources, see CHANGELOG + * Mon Aug 16 2021 Andreas Gerstmayr 7.5.9-3 - rebuild to resolve CVE-2021-34558
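Review bot: The comment added above `rm -r pkg/macaron` in `%check` has a typo; suggest `# GO111MODULE=off doesn't skip them, and fails with an error due to the canonical import path`. Since `rm -r` is used without `-f`, the stage should abort if a future rebase no longer ships `pkg/macaron`; that is a useful signal that the workaround can be dropped, and saying so in the comment would spare the reader guessing whether such a failure is intentional.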