From f525e3f6eff56fd4e27a20546e048536aa063923 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 27 Jan 2022 10:12:16 +0800
Subject: [PATCH] Fix CVE-2022-21673
(cherry picked from commit c1105aa670d053fbe8f0f5ed931fef807d8e103a)
---
CVE-2022-21673.patch | 212 +++++++++++++++++++++++++++++++++++++++++++
grafana.spec | 7 +-
2 files changed, 218 insertions(+), 1 deletion(-)
create mode 100644 CVE-2022-21673.patch
diff --git a/CVE-2022-21673.patch b/CVE-2022-21673.patch
new file mode 100644
index 0000000..92e9dae
--- /dev/null
+++ b/CVE-2022-21673.patch
@@ -0,0 +1,212 @@
+From bb0cfbc1d9ee75ba9c1068276e490e2868bb112f Mon Sep 17 00:00:00 2001
+From: Dimitris Sotirakis
+Date: Tue, 18 Jan 2022 10:51:10 +0200
+Subject: [PATCH] [v7.5.x] GetUserInfo: return an error if no user was found
+ (#212)
+
+* Update grabpl version
+
+* return an error if no user was found
+
+(cherry picked from commit b9d3b9b5a40d8aad0adadd6d278427320fb4aebe)
+
+* also if authid is empty
+
+Co-authored-by: Kevin Minehart
+---
+ .drone.yml | 36 +++++++++++++++---------------
+ pkg/services/sqlstore/user_auth.go | 4 ++++
+ scripts/lib.star | 2 +-
+ 3 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/.drone.yml b/.drone.yml
+index 55dd0893c30e8..6da4e5b76fb1a 100644
+--- a/.drone.yml
++++ b/.drone.yml
+@@ -17,7 +17,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -266,7 +266,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -605,7 +605,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+
+ - name: build-windows-installer
+ image: grafana/ci-wix:0.1.1
+@@ -654,7 +654,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ environment:
+@@ -742,7 +742,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - ./bin/grabpl verify-version ${DRONE_TAG}
+@@ -1056,7 +1056,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+
+ - name: build-windows-installer
+ image: grafana/ci-wix:0.1.1
+@@ -1106,7 +1106,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+@@ -1503,7 +1503,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+ - git checkout ${DRONE_TAG}
+@@ -1568,7 +1568,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - ./bin/grabpl verify-version ${DRONE_TAG}
+@@ -1676,7 +1676,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - ./bin/grabpl verify-version v7.3.0-test
+@@ -1979,7 +1979,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+
+ - name: build-windows-installer
+ image: grafana/ci-wix:0.1.1
+@@ -2029,7 +2029,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+@@ -2420,7 +2420,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+ - git checkout main
+@@ -2485,7 +2485,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - ./bin/grabpl verify-version v7.3.0-test
+@@ -2593,7 +2593,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - ./bin/grabpl verify-drone
+ - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -2871,7 +2871,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+
+ - name: build-windows-installer
+ image: grafana/ci-wix:0.1.1
+@@ -2917,7 +2917,7 @@ steps:
+ image: grafana/build-container:1.4.1
+ commands:
+ - mkdir -p bin
+- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
++ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+ - chmod +x bin/grabpl
+ - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+@@ -3311,7 +3311,7 @@ steps:
+ image: grafana/ci-wix:0.1.1
+ commands:
+ - $$ProgressPreference = "SilentlyContinue"
+- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
++ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+ - cd grafana-enterprise
+ - git checkout $$env:DRONE_BRANCH
+diff --git a/pkg/services/sqlstore/user_auth.go b/pkg/services/sqlstore/user_auth.go
+index 0bef79e160048..9605ccce76a83 100644
+--- a/pkg/services/sqlstore/user_auth.go
++++ b/pkg/services/sqlstore/user_auth.go
+@@ -142,6 +142,10 @@ func GetExternalUserInfoByLogin(query *models.GetExternalUserInfoByLoginQuery) e
+ }
+
+ func GetAuthInfo(query *models.GetAuthInfoQuery) error {
++ if query.UserId == 0 && query.AuthId == "" {
++ return models.ErrUserNotFound
++ }
++
+ userAuth := &models.UserAuth{
+ UserId: query.UserId,
+ AuthModule: query.AuthModule,
+diff --git a/scripts/lib.star
b/scripts/lib.star +index e115fe363cbca..da1291f102166 100644 +--- a/scripts/lib.star ++++ b/scripts/lib.star +@@ -1,4 +1,4 @@ +-grabpl_version = '0.5.58' ++grabpl_version = '0.5.59' + build_image = 'grafana/build-container:1.4.1' + publish_image = 'grafana/grafana-ci-deploy:1.3.1' + grafana_docker_image = 'grafana/drone-grafana-docker:0.3.2' diff --git a/grafana.spec b/grafana.spec index 7a0b5a3..3101221 100644 --- a/grafana.spec +++ b/grafana.spec @@ -7,7 +7,7 @@ Name: grafana Version: 7.5.11 -Release: 2 +Release: 3 Summary: Metrics dashboard and graph editor License: Apache 2.0 URL: https://grafana.org @@ -31,6 +31,7 @@ Patch5: 005-fix-gtime-test-32bit.patch Patch6: 006-remove-unused-frontend-crypto.patch Patch7: 007-patch-unused-backend-crypto.patch Patch8: CVE-2021-43813.patch +Patch9: CVE-2022-21673.patch BuildRequires: git, systemd, golang @@ -400,6 +401,7 @@ rm -r plugins-bundled %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # Set up build subdirs and links mkdir -p %{_builddir}/src/github.com/grafana @@ -563,6 +565,9 @@ rm -r pkg/macaron %changelog +* Thu Jan 27 2022 wangkai 7.5.11-3 +- Fix CVE-2022-21673 + * Wed Dec 15 2021 wangkai 7.5.11-2 - Fix CVE-2021-43813 -- Gitee
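Review bot: The new guard in GetAuthInfo, `if query.UserId == 0 && query.AuthId == "" { return models.ErrUserNotFound }`, carries no comment saying why a zero UserId together with an empty AuthId has to be refused, and the lookup it protects continues below the hunk (only the UserId and AuthModule fields of the UserAuth condition are visible), so a later reader has nothing but the CVE number in the file name to go on. I would put `// Neither lookup key is set: refuse here rather than let the lookup below match a user_auth row belonging to some other user (CVE-2022-21673).` above the check, after confirming against the query code outside the hunk that zero-valued fields really are dropped from the condition. The backport file also carries the grabpl 0.5.58→0.5.59 bumps in .drone.yml and scripts/lib.star, which are unrelated to the fix and will make the spec's `%patch9 -p1` fail if either file is absent from the packaged tarball; trimming CVE-2022-21673.patch to the user_auth.go hunk keeps the security change reviewable on its own. The rest of GetAuthInfo lies outside the hunk.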