From 83f9dedf6144267ded366be7fe2a88af12c71c60 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 28 2023 10:29:33 +0000
Subject: import grafana-7.5.15-4.el8


---

diff --git a/SOURCES/010-fips.patch b/SOURCES/010-fips.patch
index f9adee9..1ea6cd2 100644
--- a/SOURCES/010-fips.patch
+++ b/SOURCES/010-fips.patch
@@ -106,7 +106,7 @@ index 0000000..6dfdf10
 --- /dev/null
 +++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
 @@ -0,0 +1,5 @@
-+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h"
++#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h"
 +
 +DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
 +    (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),
diff --git a/SOURCES/017-fix-CVE-2022-39229.patch b/SOURCES/017-fix-CVE-2022-39229.patch
new file mode 100644
index 0000000..daa760c
--- /dev/null
+++ b/SOURCES/017-fix-CVE-2022-39229.patch
@@ -0,0 +1,104 @@
+From 5aa2c77ac1ac544ed6b3a2c5efa767e53b810c3b Mon Sep 17 00:00:00 2001
+From: linoman <2051016+linoman@users.noreply.github.com>
+Date: Fri, 16 Sep 2022 10:46:44 +0200
+Subject: [PATCH] fix CVE-2022-39229
+
+Swap order of login fields
+
+(cherry picked from commit 5ec176cada3d8adf651f844e3f707bc469495abd)
+
+Add test for username/login field conflict
+
+(cherry picked from commit 7aabcf26944835b0418eec6b057a0b186ff206bf)
+
+Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
+Co-authored-by: dsotirakis <dimitrios.sotirakis@grafana.com>
+
+diff --git a/pkg/services/sqlstore/user.go b/pkg/services/sqlstore/user.go
+index 3dba16a75e..d773bd9dfe 100644
+--- a/pkg/services/sqlstore/user.go
++++ b/pkg/services/sqlstore/user.go
+@@ -298,19 +298,24 @@ func GetUserByLogin(query *models.GetUserByLoginQuery) error {
+ 		return models.ErrUserNotFound
+ 	}
+ 
+-	// Try and find the user by login first.
+-	// It's not sufficient to assume that a LoginOrEmail with an "@" is an email.
++	var has bool
++	var err error
+ 	user := &models.User{Login: query.LoginOrEmail}
+-	has, err := x.Get(user)
+ 
+-	if err != nil {
+-		return err
++	// Since username can be an email address, attempt login with email address
++	// first if the login field has the "@" symbol.
++	if strings.Contains(query.LoginOrEmail, "@") {
++		user = &models.User{Email: query.LoginOrEmail}
++		has, err = x.Get(user)
++
++		if err != nil {
++			return err
++		}
+ 	}
+ 
+-	if !has && strings.Contains(query.LoginOrEmail, "@") {
+-		// If the user wasn't found, and it contains an "@" fallback to finding the
+-		// user by email.
+-		user = &models.User{Email: query.LoginOrEmail}
++	// Lookup the login field instead of email field
++	if !has {
++		user = &models.User{Login: query.LoginOrEmail}
+ 		has, err = x.Get(user)
+ 	}
+ 
+diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
+index aa796ffb02..7fb9d9be2a 100644
+--- a/pkg/services/sqlstore/user_test.go
++++ b/pkg/services/sqlstore/user_test.go
+@@ -42,6 +43,45 @@ func TestUserDataAccess(t *testing.T) {
+ 			})
+ 		})
+ 
++		Convey("Get User by login - user_2 uses user_1.email as login", func() {
++			ss = InitTestDB(t)
++
++			// create user_1
++			cmd1 := &models.CreateUserCommand{
++				Email:      "user_1@mail.com",
++				Name:       "user_1",
++				Login:      "user_1",
++				Password:   "user_1_password",
++				IsDisabled: true,
++			}
++			err := CreateUser(context.Background(), cmd1)
++			So(err, ShouldBeNil)
++
++			// create user_2
++			cmd2 := &models.CreateUserCommand{
++				Email:      "user_2@mail.com",
++				Name:       "user_2",
++				Login:      "user_1@mail.com",
++				Password:   "user_2_password",
++				IsDisabled: true,
++			}
++			err = CreateUser(context.Background(), cmd2)
++			So(err, ShouldBeNil)
++
++			// query user database for user_1 email
++			query := models.GetUserByLoginQuery{LoginOrEmail: "user_1@mail.com"}
++			err = GetUserByLogin(&query)
++			So(err, ShouldBeNil)
++
++			// expect user_1 as result
++			So(query.Result.Email, ShouldEqual, cmd1.Email)
++			So(query.Result.Login, ShouldEqual, cmd1.Login)
++			So(query.Result.Name, ShouldEqual, cmd1.Name)
++			So(query.Result.Email, ShouldNotEqual, cmd2.Email)
++			So(query.Result.Login, ShouldNotEqual, cmd2.Login)
++			So(query.Result.Name, ShouldNotEqual, cmd2.Name)
++		})
++
+ 		Convey("Creates disabled user", func() {
+ 			cmd := &models.CreateUserCommand{
+ 				Email:      "usertest@test.com",
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 0a96dc0..4e90aa7 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -30,7 +30,7 @@ end}
 
 Name:             grafana
 Version:          7.5.15
-Release:          3%{?dist}
+Release:          4%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -103,6 +103,7 @@ Patch13:          013-CVE-2021-23648.patch
 Patch14:          014-CVE-2022-21698.patch
 Patch15:          015-CVE-2022-21698.vendor.patch
 Patch16:          016-fix-CVE-2022-31107.patch
+Patch17:          017-fix-CVE-2022-39229.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@@ -791,6 +792,7 @@ rm -r plugins-bundled
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -808,6 +810,11 @@ ln -s %{_builddir}/%{name}-%{version} \
 cd %{_builddir}/src/github.com/grafana/grafana
 export GOPATH=%{_builddir}
 
+# required since RHEL 8.8 to fix the following error:
+# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
+# can be removed in a future Go release
+export GOEXPERIMENT=boringcrypto
+
 # see grafana-X.X.X/build.go
 export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
 for cmd in grafana-cli grafana-server; do
@@ -922,7 +929,12 @@ export TZ=GMT
 # GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path
 rm -r pkg/macaron
 
-%gotest ./pkg/...
+# required since RHEL 8.8 to fix the following error:
+# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
+# can be removed in a future Go release
+export GOEXPERIMENT=boringcrypto
+
+%gotest "-tags=integration" ./pkg/...
 
 %if %{enable_fips_mode}
 OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
@@ -973,6 +985,14 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 
 
 %changelog
+* Mon Oct 31 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-4
+- resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in
+- resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
+- resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
+- resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
+- run integration tests in check phase
+- update FIPS patch with latest changes in Go packaging
+
 * Wed Aug 10 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-3
 - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
 - resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header