From 8f5a672fddcd9380a47429f35b0056dead36f6ad Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 15 Dec 2021 15:40:50 +0800
Subject: [PATCH] Fix CVE-2021-43813

(cherry picked from commit d4379a78be73e0c368183e22003d12ce51b766eb)
---
 CVE-2021-43813.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++
 grafana.spec | 7 +++++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-43813.patch

diff --git a/CVE-2021-43813.patch b/CVE-2021-43813.patch
new file mode 100644
index 0000000..9839ed3
--- /dev/null
+++ b/CVE-2021-43813.patch
@@ -0,0 +1,55 @@
+From ea77415cfe2cefe46ffce233076a1409abaa8df7 Mon Sep 17 00:00:00 2001
+From: Will Browne
+Date: Fri, 10 Dec 2021 11:29:12 +0000
+Subject: [PATCH] apply fix (#42969)
+
+---
+ pkg/plugins/plugins.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e75c0..c7199c716ee88 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
+- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
++ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ exists, err := fs.Exists(path)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ }
+
+ exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ }
+
+ // nolint:gosec
+- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+- // on plugin the folder structure on disk and not user input.
++ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ data, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ return data, nil
+ }
+
++func mdFilepath(mdFilename string) string {
++ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ var files []string
diff --git a/grafana.spec b/grafana.spec
index 816fb26..1e8c9fa 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -7,7 +7,7 @@ Name: grafana
 Version: 7.5.11
-Release: 1
+Release: 2
 Summary: Metrics dashboard and graph editor
 License: Apache 2.0
 URL: https://grafana.org
@@ -30,6 +30,7 @@ Patch4: 004-remove-unused-dependencies.patch
 Patch5: 005-fix-gtime-test-32bit.patch
 Patch6: 006-remove-unused-frontend-crypto.patch
 Patch7: 007-patch-unused-backend-crypto.patch
+Patch8: CVE-2021-43813.patch
 BuildRequires: git systemd golang openEuler-rpm-config
@@ -398,6 +399,7 @@ rm -r plugins-bundled
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -561,6 +563,9 @@ rm -r pkg/macaron
 %changelog
+* Wed Dec 15 2021 wangkai 7.5.11-2
+- Fix CVE-2021-43813
+
 * Wed Nov 17 2021 wangkai 7.5.11-1
 - Upgrade to 7.5.11 for fix CVE-2021-39226
-- Gitee
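Review bot: `mdFilepath` in the inner hunk `@@ -520,6 +520,10 @@` wraps `filepath.Join` in `filepath.Clean`, but `Join` already returns a cleaned path, so `return filepath.Join("/", fmt.Sprintf("%s.md", mdFilename))` is equivalent and reads more plainly. The helper also has no doc comment even though both rewritten `nolint:gosec` justifications in the earlier hunks rest on it; I would add `// mdFilepath returns "<name>.md" rooted at "/", so that lexical ".." segments are discarded before the caller joins the result under plug.PluginDir.` above it. Because this helper is the entire fix for the CVE named in the commit subject and the backport adds no test, a unit test pinning that property (e.g. asserting `mdFilepath("../x") == "/x.md"`) would stop a later refactor from quietly reintroducing the traversal. Note that the normalisation is purely lexical: symlinks inside the plugin directory are not resolved, which is acceptable only as long as that directory is controlled at plugin-load time, as the new comment states. GetPluginMarkdown starts and ends outside the hunks.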