From aa839f1b1045e9fd95c3f23fe3ce259ce3e802ac Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 05 2021 14:21:02 +0000 Subject: import grafana-7.5.10-1.el8 --- diff --git a/.gitignore b/.gitignore index 8d9599f..e5ae55a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -SOURCES/grafana-7.5.9.tar.gz -SOURCES/grafana-vendor-7.5.9-2.tar.xz -SOURCES/grafana-webpack-7.5.9-2.tar.gz +SOURCES/grafana-7.5.10.tar.gz +SOURCES/grafana-vendor-7.5.10-1.tar.xz +SOURCES/grafana-webpack-7.5.10-1.tar.gz diff --git a/.grafana.metadata b/.grafana.metadata index af2fa86..03f3ec2 100644 --- a/.grafana.metadata +++ b/.grafana.metadata @@ -1,3 +1,3 @@ -e658bc3706a71a2a77f34755ac362fd506d7b1a0 SOURCES/grafana-7.5.9.tar.gz -8fc46c12ac1bae0f2e0434e8fdf71e61e922c74a SOURCES/grafana-vendor-7.5.9-2.tar.xz -28052475c9cb45ac6523479ab9fd3da4ba678400 SOURCES/grafana-webpack-7.5.9-2.tar.gz +bb531789cb0dd0d3c9a2494a5924c64d12194d2f SOURCES/grafana-7.5.10.tar.gz +804c0d639055608f3788ea84b6f94bca9fe8f1ca SOURCES/grafana-vendor-7.5.10-1.tar.xz +8b52042f89703513945aa2086e5838cc425533c7 SOURCES/grafana-webpack-7.5.10-1.tar.gz diff --git a/SOURCES/002-manpages.patch b/SOURCES/002-manpages.patch index ccc1385..e87d709 100644 --- a/SOURCES/002-manpages.patch +++ b/SOURCES/002-manpages.patch @@ -4,7 +4,7 @@ index 0000000000..7ac2af882c --- /dev/null +++ b/docs/man/man1/grafana-cli.1 @@ -0,0 +1,60 @@ -+.TH GRAFANA "1" "June 2021" "Grafana cli version 7.5.9" "User Commands" ++.TH GRAFANA "1" "September 2021" "Grafana cli version 7.5.10" "User Commands" +.SH NAME +grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor +.SH DESCRIPTION @@ -70,7 +70,7 @@ index 0000000000..c616268b31 --- /dev/null +++ b/docs/man/man1/grafana-server.1 
@@ -0,0 +1,72 @@ -+.TH VERSION "1" "June 2021" "Version 7.5.9" "User Commands" ++.TH VERSION "1" "September 2021" "Version 7.5.10" "User Commands" +.SH NAME +grafana-server \- back-end server for the Grafana metrics dashboard and graph editor +.SH DESCRIPTION diff --git a/SOURCES/009-patch-unused-backend-crypto.patch b/SOURCES/009-patch-unused-backend-crypto.patch deleted file mode 100644 index 12be571..0000000 --- a/SOURCES/009-patch-unused-backend-crypto.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go -new file mode 100644 -index 0000000..871e612 ---- /dev/null -+++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go -@@ -0,0 +1,25 @@ -+package elgamal -+ -+import ( -+ "io" -+ "math/big" -+) -+ -+// PublicKey represents an ElGamal public key. -+type PublicKey struct { -+ G, P, Y *big.Int -+} -+ -+// PrivateKey represents an ElGamal private key. -+type PrivateKey struct { -+ PublicKey -+ X *big.Int -+} -+ -+func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { -+ panic("ElGamal encryption not available") -+} -+ -+func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { -+ panic("ElGamal encryption not available") -+} -diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go -index 9728d61..9f04c2d 100644 ---- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go -+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go -@@ -16,7 +16,6 @@ import ( - "math/big" - "math/bits" - -- "golang.org/x/crypto/cast5" - "golang.org/x/crypto/openpgp/errors" - ) - -@@ -487,7 +486,7 @@ func (cipher CipherFunction) KeySize() int { - case Cipher3DES: - return 24 - case CipherCAST5: -- return cast5.KeySize -+ panic("cast5 cipher not available") - case CipherAES128: - return 16 - case CipherAES192: -@@ -517,7 +516,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) { - case Cipher3DES: - block, _ = des.NewTripleDESCipher(key) - case CipherCAST5: -- block, _ = cast5.NewCipher(key) -+ panic("cast5 cipher not available") - case CipherAES128, CipherAES192, CipherAES256: - block, _ = aes.NewCipher(key) - } -diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -index 6126030..3a54c5f 100644 ---- 
a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -@@ -5,13 +5,12 @@ - package packet - - import ( -- "crypto/cipher" - "crypto/sha1" - "crypto/subtle" -- "golang.org/x/crypto/openpgp/errors" - "hash" - "io" -- "strconv" -+ -+ "golang.org/x/crypto/openpgp/errors" - ) - - // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The -@@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error { - // packet can be read. An incorrect key can, with high probability, be detected - // immediately and this will result in a KeyIncorrect error being returned. - func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { -- keySize := c.KeySize() -- if keySize == 0 { -- return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) -- } -- if len(key) != keySize { -- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") -- } -- -- if se.prefix == nil { -- se.prefix = make([]byte, c.blockSize()+2) -- _, err := readFull(se.contents, se.prefix) -- if err != nil { -- return nil, err -- } -- } else if len(se.prefix) != c.blockSize()+2 { -- return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") -- } -- -- ocfbResync := OCFBResync -- if se.MDC { -- // MDC packets use a different form of OCFB mode. -- ocfbResync = OCFBNoResync -- } -- -- s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) -- if s == nil { -- return nil, errors.ErrKeyIncorrect -- } -- -- plaintext := cipher.StreamReader{S: s, R: se.contents} -- -- if se.MDC { -- // MDC packets have an embedded hash that we need to check. -- h := sha1.New() -- h.Write(se.prefix) -- return &seMDCReader{in: plaintext, h: h}, nil -- } -- -- // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. 
-- return seReader{plaintext}, nil -+ panic("OCFB cipher not available") - } - - // seReader wraps an io.Reader with a no-op Close method. -@@ -254,37 +214,5 @@ func (c noOpCloser) Close() error { - // written. - // If config is nil, sensible defaults will be used. - func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { -- if c.KeySize() != len(key) { -- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") -- } -- writeCloser := noOpCloser{w} -- ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) -- if err != nil { -- return -- } -- -- _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) -- if err != nil { -- return -- } -- -- block := c.new(key) -- blockSize := block.BlockSize() -- iv := make([]byte, blockSize) -- _, err = config.Random().Read(iv) -- if err != nil { -- return -- } -- s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) -- _, err = ciphertext.Write(prefix) -- if err != nil { -- return -- } -- plaintext := cipher.StreamWriter{S: s, W: ciphertext} -- -- h := sha1.New() -- h.Write(iv) -- h.Write(iv[blockSize-2:]) -- contents = &seMDCWriter{w: plaintext, h: h} -- return -+ panic("OCFB cipher not available") - } diff --git a/SOURCES/009-patch-unused-backend-crypto.vendor.patch b/SOURCES/009-patch-unused-backend-crypto.vendor.patch new file mode 100644 index 0000000..12be571 --- /dev/null +++ b/SOURCES/009-patch-unused-backend-crypto.vendor.patch 
@@ -0,0 +1,168 @@ +diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go +new file mode 100644 +index 0000000..871e612 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go +@@ -0,0 +1,25 @@ ++package elgamal ++ ++import ( ++ "io" ++ "math/big" ++) ++ ++// PublicKey represents an ElGamal public key. ++type PublicKey struct { ++ G, P, Y *big.Int ++} ++ ++// PrivateKey represents an ElGamal private key. ++type PrivateKey struct { ++ PublicKey ++ X *big.Int ++} ++ ++func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { ++ panic("ElGamal encryption not available") ++} ++ ++func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { ++ panic("ElGamal encryption not available") ++} +diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go +index 9728d61..9f04c2d 100644 +--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go ++++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go +@@ -16,7 +16,6 @@ import ( + "math/big" + "math/bits" + +- "golang.org/x/crypto/cast5" + "golang.org/x/crypto/openpgp/errors" + ) + +@@ -487,7 +486,7 @@ func (cipher CipherFunction) KeySize() int { + case Cipher3DES: + return 24 + case CipherCAST5: +- return cast5.KeySize ++ panic("cast5 cipher not available") + case CipherAES128: + return 16 + case CipherAES192: +@@ -517,7 +516,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) { + case Cipher3DES: + block, _ = des.NewTripleDESCipher(key) + case CipherCAST5: +- block, _ = cast5.NewCipher(key) ++ panic("cast5 cipher not available") + case CipherAES128, CipherAES192, CipherAES256: + block, _ = aes.NewCipher(key) + } +diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go +index 6126030..3a54c5f 100644 +--- 
a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go ++++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go +@@ -5,13 +5,12 @@ + package packet + + import ( +- "crypto/cipher" + "crypto/sha1" + "crypto/subtle" +- "golang.org/x/crypto/openpgp/errors" + "hash" + "io" +- "strconv" ++ ++ "golang.org/x/crypto/openpgp/errors" + ) + + // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The +@@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error { + // packet can be read. An incorrect key can, with high probability, be detected + // immediately and this will result in a KeyIncorrect error being returned. + func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { +- keySize := c.KeySize() +- if keySize == 0 { +- return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) +- } +- if len(key) != keySize { +- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") +- } +- +- if se.prefix == nil { +- se.prefix = make([]byte, c.blockSize()+2) +- _, err := readFull(se.contents, se.prefix) +- if err != nil { +- return nil, err +- } +- } else if len(se.prefix) != c.blockSize()+2 { +- return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") +- } +- +- ocfbResync := OCFBResync +- if se.MDC { +- // MDC packets use a different form of OCFB mode. +- ocfbResync = OCFBNoResync +- } +- +- s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) +- if s == nil { +- return nil, errors.ErrKeyIncorrect +- } +- +- plaintext := cipher.StreamReader{S: s, R: se.contents} +- +- if se.MDC { +- // MDC packets have an embedded hash that we need to check. +- h := sha1.New() +- h.Write(se.prefix) +- return &seMDCReader{in: plaintext, h: h}, nil +- } +- +- // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. 
+- return seReader{plaintext}, nil ++ panic("OCFB cipher not available") + } + + // seReader wraps an io.Reader with a no-op Close method. +@@ -254,37 +214,5 @@ func (c noOpCloser) Close() error { + // written. + // If config is nil, sensible defaults will be used. + func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { +- if c.KeySize() != len(key) { +- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") +- } +- writeCloser := noOpCloser{w} +- ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) +- if err != nil { +- return +- } +- +- _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) +- if err != nil { +- return +- } +- +- block := c.new(key) +- blockSize := block.BlockSize() +- iv := make([]byte, blockSize) +- _, err = config.Random().Read(iv) +- if err != nil { +- return +- } +- s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) +- _, err = ciphertext.Write(prefix) +- if err != nil { +- return +- } +- plaintext := cipher.StreamWriter{S: s, W: ciphertext} +- +- h := sha1.New() +- h.Write(iv) +- h.Write(iv[blockSize-2:]) +- contents = &seMDCWriter{w: plaintext, h: h} +- return ++ panic("OCFB cipher not available") + } diff --git a/SOURCES/010-fips.cond.patch b/SOURCES/010-fips.cond.patch new file mode 100644 index 0000000..f9adee9 --- /dev/null +++ b/SOURCES/010-fips.cond.patch 
@@ -0,0 +1,140 @@ +diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go +new file mode 100644 +index 0000000..a9c550e +--- /dev/null ++++ b/vendor/golang.org/x/crypto/internal/boring/boring.go +@@ -0,0 +1,74 @@ ++// Copyright 2017 The Go Authors. All rights reserved. ++// Copyright 2021 Red Hat. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build linux ++// +build !android ++// +build !no_openssl ++// +build !cmd_go_bootstrap ++// +build !msan ++ ++package boring ++ ++// #include "openssl_pbkdf2.h" ++// #cgo LDFLAGS: -ldl ++import "C" ++import ( ++ "bytes" ++ "crypto/sha1" ++ "crypto/sha256" ++ "hash" ++ "unsafe" ++) ++ ++var ( ++ emptySha1 = sha1.Sum([]byte{}) ++ emptySha256 = sha256.Sum256([]byte{}) ++) ++ ++func hashToMD(h hash.Hash) *C.GO_EVP_MD { ++ emptyHash := h.Sum([]byte{}) ++ ++ switch { ++ case bytes.Equal(emptyHash, emptySha1[:]): ++ return C._goboringcrypto_EVP_sha1() ++ case bytes.Equal(emptyHash, emptySha256[:]): ++ return C._goboringcrypto_EVP_sha256() ++ } ++ return nil ++} ++ ++// charptr returns the address of the underlying array in b, ++// being careful not to panic when b has zero length. ++func charptr(b []byte) *C.char { ++ if len(b) == 0 { ++ return nil ++ } ++ return (*C.char)(unsafe.Pointer(&b[0])) ++} ++ ++// ucharptr returns the address of the underlying array in b, ++// being careful not to panic when b has zero length. 
++func ucharptr(b []byte) *C.uchar { ++ if len(b) == 0 { ++ return nil ++ } ++ return (*C.uchar)(unsafe.Pointer(&b[0])) ++} ++ ++func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ // println("[debug] using pbkdf2 from OpenSSL") ++ ch := h() ++ md := hashToMD(ch) ++ if md == nil { ++ return nil ++ } ++ ++ out := make([]byte, keyLen) ++ ok := C._goboringcrypto_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out)) ++ if ok != 1 { ++ panic("boringcrypto: PKCS5_PBKDF2_HMAC failed") ++ } ++ return out ++} +diff --git a/vendor/golang.org/x/crypto/internal/boring/notboring.go b/vendor/golang.org/x/crypto/internal/boring/notboring.go +new file mode 100644 +index 0000000..e244fb5 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/internal/boring/notboring.go +@@ -0,0 +1,16 @@ ++// Copyright 2017 The Go Authors. All rights reserved. ++// Copyright 2021 Red Hat. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. 
++ ++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl ++ ++package boring ++ ++import ( ++ "hash" ++) ++ ++func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ panic("boringcrypto: not available") ++} +diff --git a/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h +new file mode 100644 +index 0000000..6dfdf10 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h +@@ -0,0 +1,5 @@ ++#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h" ++ ++DEFINEFUNC(int, PKCS5_PBKDF2_HMAC, ++ (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out), ++ (pass, passlen, salt, saltlen, iter, digest, keylen, out)) +diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go +index 593f653..799a611 100644 +--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go ++++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go +@@ -19,8 +19,11 @@ pbkdf2.Key. + package pbkdf2 // import "golang.org/x/crypto/pbkdf2" + + import ( ++ "crypto/boring" + "crypto/hmac" + "hash" ++ ++ xboring "golang.org/x/crypto/internal/boring" + ) + + // Key derives a key from the password, salt and iteration count, returning a +@@ -40,6 +43,10 @@ import ( + // Using a higher iteration count will increase the cost of an exhaustive + // search but will also make derivation proportionally slower. + func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ if boring.Enabled() { ++ return xboring.Pbkdf2Key(password, salt, iter, keyLen, h) ++ } ++ + prf := hmac.New(h, password) + hashLen := prf.Size() + numBlocks := (keyLen + hashLen - 1) / hashLen diff --git a/SOURCES/010-fips.patch b/SOURCES/010-fips.patch deleted file mode 100644 index f9adee9..0000000 --- a/SOURCES/010-fips.patch +++ /dev/null 
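Review bot: `Pbkdf2Key` in the added `boring.go` returns `nil` when `hashToMD` does not recognise the hash (anything other than SHA-1 or SHA-256), and the patched `pbkdf2.Key` hands that result straight to the caller whenever `boring.Enabled()` is true. A caller that derives a key with another hash in FIPS mode would get an empty key and no error. The OpenSSL failure path already panics, so the unsupported-hash path should fail as loudly: `if md == nil { panic("boringcrypto: unsupported hash function for PBKDF2") }`. The file content appears to be carried over unchanged from the deleted `010-fips.patch` (same blob id `f9adee9`), so this predates the rename.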
@@ -1,140 +0,0 @@ -diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go -new file mode 100644 -index 0000000..a9c550e ---- /dev/null -+++ b/vendor/golang.org/x/crypto/internal/boring/boring.go -@@ -0,0 +1,74 @@ -+// Copyright 2017 The Go Authors. All rights reserved. -+// Copyright 2021 Red Hat. -+// Use of this source code is governed by a BSD-style -+// license that can be found in the LICENSE file. -+ -+// +build linux -+// +build !android -+// +build !no_openssl -+// +build !cmd_go_bootstrap -+// +build !msan -+ -+package boring -+ -+// #include "openssl_pbkdf2.h" -+// #cgo LDFLAGS: -ldl -+import "C" -+import ( -+ "bytes" -+ "crypto/sha1" -+ "crypto/sha256" -+ "hash" -+ "unsafe" -+) -+ -+var ( -+ emptySha1 = sha1.Sum([]byte{}) -+ emptySha256 = sha256.Sum256([]byte{}) -+) -+ -+func hashToMD(h hash.Hash) *C.GO_EVP_MD { -+ emptyHash := h.Sum([]byte{}) -+ -+ switch { -+ case bytes.Equal(emptyHash, emptySha1[:]): -+ return C._goboringcrypto_EVP_sha1() -+ case bytes.Equal(emptyHash, emptySha256[:]): -+ return C._goboringcrypto_EVP_sha256() -+ } -+ return nil -+} -+ -+// charptr returns the address of the underlying array in b, -+// being careful not to panic when b has zero length. -+func charptr(b []byte) *C.char { -+ if len(b) == 0 { -+ return nil -+ } -+ return (*C.char)(unsafe.Pointer(&b[0])) -+} -+ -+// ucharptr returns the address of the underlying array in b, -+// being careful not to panic when b has zero length. 
-+func ucharptr(b []byte) *C.uchar { -+ if len(b) == 0 { -+ return nil -+ } -+ return (*C.uchar)(unsafe.Pointer(&b[0])) -+} -+ -+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { -+ // println("[debug] using pbkdf2 from OpenSSL") -+ ch := h() -+ md := hashToMD(ch) -+ if md == nil { -+ return nil -+ } -+ -+ out := make([]byte, keyLen) -+ ok := C._goboringcrypto_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out)) -+ if ok != 1 { -+ panic("boringcrypto: PKCS5_PBKDF2_HMAC failed") -+ } -+ return out -+} -diff --git a/vendor/golang.org/x/crypto/internal/boring/notboring.go b/vendor/golang.org/x/crypto/internal/boring/notboring.go -new file mode 100644 -index 0000000..e244fb5 ---- /dev/null -+++ b/vendor/golang.org/x/crypto/internal/boring/notboring.go -@@ -0,0 +1,16 @@ -+// Copyright 2017 The Go Authors. All rights reserved. -+// Copyright 2021 Red Hat. -+// Use of this source code is governed by a BSD-style -+// license that can be found in the LICENSE file. 
-+ -+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl -+ -+package boring -+ -+import ( -+ "hash" -+) -+ -+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { -+ panic("boringcrypto: not available") -+} -diff --git a/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h -new file mode 100644 -index 0000000..6dfdf10 ---- /dev/null -+++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h -@@ -0,0 +1,5 @@ -+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h" -+ -+DEFINEFUNC(int, PKCS5_PBKDF2_HMAC, -+ (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out), -+ (pass, passlen, salt, saltlen, iter, digest, keylen, out)) -diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go -index 593f653..799a611 100644 ---- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go -+++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go -@@ -19,8 +19,11 @@ pbkdf2.Key. - package pbkdf2 // import "golang.org/x/crypto/pbkdf2" - - import ( -+ "crypto/boring" - "crypto/hmac" - "hash" -+ -+ xboring "golang.org/x/crypto/internal/boring" - ) - - // Key derives a key from the password, salt and iteration count, returning a -@@ -40,6 +43,10 @@ import ( - // Using a higher iteration count will increase the cost of an exhaustive - // search but will also make derivation proportionally slower. - func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { -+ if boring.Enabled() { -+ return xboring.Pbkdf2Key(password, salt, iter, keyLen, h) -+ } -+ - prf := hmac.New(h, password) - hashLen := prf.Size() - numBlocks := (keyLen + hashLen - 1) / hashLen diff --git a/SOURCES/Makefile b/SOURCES/Makefile index acd932c..eff9c98 100644 --- a/SOURCES/Makefile +++ b/SOURCES/Makefile 
@@ -1,19 +1,17 @@ -ifndef VER - $(error VER is undefined) -endif -ifndef REL - $(error REL is undefined) -endif +VERSION := $(shell rpm --specfile *.spec --qf '%{VERSION}\n' | head -1) +RELEASE := $(shell rpm --specfile *.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1) NAME := grafana RPM_NAME := $(NAME) -SOURCE_DIR := $(NAME)-$(VER) -SOURCE_TAR := $(NAME)-$(VER).tar.gz -VENDOR_TAR := $(RPM_NAME)-vendor-$(VER)-$(REL).tar.xz -WEBPACK_TAR := $(RPM_NAME)-webpack-$(VER)-$(REL).tar.gz +SOURCE_DIR := $(NAME)-$(VERSION) +SOURCE_TAR := $(NAME)-$(VERSION).tar.gz +VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz +WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz -ALL_PATCHES := $(wildcard *.patch) -PATCHES_TO_APPLY := $(filter-out 009-patch-unused-backend-crypto.patch 010-fips.patch,$(ALL_PATCHES)) +ALL_PATCHES := $(sort $(wildcard *.patch)) +VENDOR_PATCHES := $(sort $(wildcard *.vendor.patch)) +COND_PATCHES := $(sort $(wildcard *.cond.patch)) +REGULAR_PATCHES := $(filter-out $(VENDOR_PATCHES) $(COND_PATCHES),$(ALL_PATCHES)) all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR) 
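Review bot: The removed `ifndef VER` / `ifndef REL` guards have no replacement, so `VERSION` and `RELEASE` are silently empty if the `rpm --specfile *.spec` query prints nothing (no spec file in the working directory, or rpm unavailable). `SOURCE_DIR` then expands to `grafana-` and the tarball names are malformed, yet the recipes still run. An explicit check after the assignments would restore it: `ifeq ($(strip $(VERSION)),)`, `$(error could not read VERSION from the spec file)`, `endif`, and the same for `RELEASE`.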
@@ -21,43 +19,46 @@ $(SOURCE_TAR): spectool -g $(RPM_NAME).spec $(VENDOR_TAR): $(SOURCE_TAR) - rm -rf grafana-$(VER) - tar xfz grafana-$(VER).tar.gz + rm -rf $(SOURCE_DIR) + tar xf $(SOURCE_TAR) - # patches can affect Go or Node.js dependencies, or the webpack - for patch in $(PATCHES_TO_APPLY); do patch -d grafana-$(VER) -p1 --fuzz=0 < $$patch; done + # Patches to apply before vendoring + for patch in $(REGULAR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done # Go - cd grafana-$(VER) && go mod vendor -v + cd $(SOURCE_DIR) && go mod vendor -v # Remove unused crypto - rm grafana-$(VER)/vendor/golang.org/x/crypto/cast5/cast5.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/ed25519.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go - rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go - awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' grafana-$(VER)/go.mod | \ + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/cast5/cast5.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/ed25519.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go + rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go + awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' $(SOURCE_DIR)/go.mod | \ sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > $@.manifest # Node.js - cd grafana-$(VER) && yarn install --pure-lockfile + cd $(SOURCE_DIR) && yarn install --pure-lockfile # Remove files with licensing issues - find grafana-$(VER) -type d 
-name 'node-notifier' -prune -exec rm -r {} \; - find grafana-$(VER) -type d -name 'property-information' -prune -exec rm -r {} \; - find grafana-$(VER) -type f -name '*.exe' -delete - rm -r grafana-$(VER)/node_modules/visjs-network/examples - ./list_bundled_nodejs_packages.py grafana-$(VER)/ >> $@.manifest + find $(SOURCE_DIR) -type d -name 'node-notifier' -prune -exec rm -r {} \; + find $(SOURCE_DIR) -type d -name 'property-information' -prune -exec rm -r {} \; + find $(SOURCE_DIR) -type f -name '*.exe' -delete + rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples + ./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest + + # Patches to apply after vendoring + for patch in $(VENDOR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done # Create tarball - XZ_OPT=-9 tar cfJ $@ \ - grafana-$(VER)/vendor \ - $$(find grafana-$(VER) -type d -name "node_modules" -prune) + time XZ_OPT=-9 tar cJf $@ \ + $(SOURCE_DIR)/vendor \ + $$(find $(SOURCE_DIR) -type d -name "node_modules" -prune) $(WEBPACK_TAR): $(VENDOR_TAR) - cd grafana-$(VER) && \ + cd $(SOURCE_DIR) && \ ../build_frontend.sh - tar cfz $@ grafana-$(VER)/public/build grafana-$(VER)/public/views grafana-$(VER)/plugins-bundled + tar cfz $@ $(SOURCE_DIR)/public/build $(SOURCE_DIR)/public/views $(SOURCE_DIR)/plugins-bundled clean: rm -rf *.tar.gz *.tar.xz *.manifest *.rpm $(NAME)-*/ diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index eb3a2a4..dee3dcf 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec 
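Review bot: Both `for patch in ...; do ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done` loops in the `$(VENDOR_TAR)` recipe return only the exit status of the last iteration, so a patch that fails earlier in the list does not stop make. This assumes the Makefile does not add `-e` to `.SHELLFLAGS` somewhere outside this hunk. The vendor tarball would then be built from a partially patched tree, which matters most for the `REGULAR_PATCHES` loop because it holds several patches. Ending each loop body with `patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch || exit 1;` makes the first failure abort the recipe.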
@@ -1,3 +1,13 @@ +# gobuild and gotest macros are not available on CentOS Stream +# remove once BZ 1965292 is resolved +# definitions lifted from Fedora 34 podman.spec +%if ! 0%{?gobuild:1} +%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**}; +%endif +%if ! 0%{?gotest:1} +%define gotest() GO111MODULE=off go test -buildmode pie -compiler gc -ldflags "${LDFLAGS:-} -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" %{?**}; +%endif + %global grafana_arches %{lua: go_arches = {} for arch in rpm.expand("%{go_arches}"):gmatch("%S+") do go_arches[arch] = 1 @@ -19,8 +29,8 @@ end} %endif Name: grafana -Version: 7.5.9 -Release: 3%{?dist} +Version: 7.5.10 +Release: 1%{?dist} Summary: Metrics dashboard and graph editor License: ASL 2.0 URL: https://grafana.org @@ -30,14 +40,14 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name} # Source1 contains the bundled Go and Node.js dependencies # Note: In case there were no changes to this tarball, the NVR of this tarball -# lags behind the NVR of the Grafana package. -Source1: grafana-vendor-%{version}-2.tar.xz +# lags behind the NVR of this package. +Source1: grafana-vendor-%{version}-1.tar.xz %if %{compile_frontend} == 0 # Source2 contains the precompiled frontend # Note: In case there were no changes to this tarball, the NVR of this tarball -# lags behind the NVR of the Grafana package. -Source2: grafana-webpack-%{version}-2.tar.gz +# lags behind the NVR of this package. +Source2: grafana-webpack-%{version}-1.tar.gz %endif # Source3 contains Grafana configuration defaults for distributions 
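Review bot: The fallback `%gotest` definition passes no `-tags`, while the fallback `%gobuild` builds with `-tags="rpm_crashtraceback ${BUILDTAGS:-}"`. Any test run through `%gotest` would therefore compile a different tag set from the shipped binary, and the FIPS patch in this commit selects its OpenSSL-backed code with build tags. Whether `%check` uses `%gotest` at all is not visible in these hunks. If it does, consider adding `-tags="${BUILDTAGS:-}"` to the `gotest` definition, or note in the comment that the difference from `gobuild` is intentional.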
@@ -75,11 +85,11 @@ Patch8: 008-remove-unused-frontend-crypto.patch # The Makefile removes a few files with crypto implementations # from the vendor tarball, which are not used in Grafana. # This patch removes all references to the deleted files. -Patch9: 009-patch-unused-backend-crypto.patch +Patch9: 009-patch-unused-backend-crypto.vendor.patch # This patch modifies the x/crypto/pbkdf2 function to use OpenSSL # if FIPS mode is enabled. -Patch10: 010-fips.patch +Patch10: 010-fips.cond.patch # Intersection of go_arches and nodejs_arches ExclusiveArch: %{grafana_arches} @@ -475,7 +485,6 @@ rm -r plugins-bundled %patch5 -p1 %patch6 -p1 %patch8 -p1 -%patch9 -p1 %if %{enable_fips_mode} %patch10 -p1 %endif @@ -657,6 +666,9 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption %changelog +* Thu Sep 30 2021 Andreas Gerstmayr 7.5.10-1 +- update to 7.5.10 tagged upstream community sources, see CHANGELOG + * Mon Aug 16 2021 Andreas Gerstmayr 7.5.9-3 - rebuild to resolve CVE-2021-34558
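Review bot: The comment above `Patch9` still reads as if the patch were applied at build time, but the `@@ -475,7 +485,6 @@` hunk drops `%patch9 -p1`, and the Makefile now applies `*.vendor.patch` files while creating the vendor tarball. Someone auditing the SRPM needs to know that the x/crypto sources inside Source1 are already modified. I would add a line such as `# Applied by the Makefile when the vendor tarball is created; not applied in the prep section.` The section name is spelled out because rpm expands macros inside comments.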