From 979260fd3f72b04c562776b9d14ac36505ab7f82 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Sun, 29 Sep 2024 11:19:03 +0800
Subject: [PATCH] Fix CVE-2024-8118
---
 CVE-2024-8118.patch | 30 ++++++++++++++++++++++++++++++
 grafana.spec | 7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-8118.patch
diff --git a/CVE-2024-8118.patch b/CVE-2024-8118.patch
new file mode 100644
index 0000000..52a8ade
--- /dev/null
+++ b/CVE-2024-8118.patch
@@ -0,0 +1,30 @@
+From 7bf99231de44c53c54bb158256562dd204f49b80 Mon Sep 17 00:00:00 2001
+From: "github-actions[bot]"
+Date: Thu, 5 Sep 2024 22:23:55 +0000
+Subject: [PATCH] apply security patch:
+ v10.3.x/0001-Alerting-Fix-permission-on-external-rule-write-endpo.patch
+
+Origin: https://github.com/grafana/grafana/commit/7bf99231de44c53c54bb158256562dd204f49b80
+
+commit 132e31627eb888b8b423a583e8bfdeb5dcfda976
+Author: Alex Weaver
+Date: Thu Aug 22 12:15:32 2024 -0500
+
+ Alerting: Fix permission on external rule write endpoint
+---
+ pkg/services/ngalert/api/authorization.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/services/ngalert/api/authorization.go b/pkg/services/ngalert/api/authorization.go
+index a3d073b62361..661034fc1c62 100644
+--- a/pkg/services/ngalert/api/authorization.go
++++ b/pkg/services/ngalert/api/authorization.go
+@@ -93,7 +93,7 @@ func (api *API) authorize(method, path string) web.Handler {
+ case http.MethodGet + "/api/ruler/{DatasourceUID}/api/v1/rules":
+ eval = ac.EvalPermission(ac.ActionAlertingRuleExternalRead, datasources.ScopeProvider.GetResourceScopeUID(ac.Parameter(":DatasourceUID")))
+ case http.MethodPost + "/api/ruler/{DatasourceUID}/api/v1/rules/{Namespace}":
+- eval = ac.EvalPermission(ac.ActionAlertingInstancesExternalWrite, datasources.ScopeProvider.GetResourceScopeUID(ac.Parameter(":DatasourceUID")))
++ eval = ac.EvalPermission(ac.ActionAlertingRuleExternalWrite, datasources.ScopeProvider.GetResourceScopeUID(ac.Parameter(":DatasourceUID")))
+
+ // Lotex Prometheus-compatible Paths
+ case http.MethodGet + "/api/prometheus/{DatasourceUID}/api/v1/rules":
diff --git a/grafana.spec b/grafana.spec
index d659dc2..a6790ea 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -18,7 +18,7 @@
 Name: grafana
 Version: 10.2.6
-Release: 2
+Release: 3
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
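Review bot: The embedded hunk at `@@ -93,7 +93,7 @@` was generated against the v10.3.x security branch (the Subject line names `v10.3.x/0001-Alerting-Fix-permission-on-external-rule-write-endpo.patch`), while this spec builds Version 10.2.6, and nothing on the page shows that the context lines match 10.2.6's authorization.go; a build log confirming that `%patch -P 11 -p1` applies without rejects would settle it. The fix itself is a single-token change in the POST `/api/ruler/{DatasourceUID}/api/v1/rules/{Namespace}` case, from `ac.ActionAlertingInstancesExternalWrite` to `ac.ActionAlertingRuleExternalWrite`, which matches the `ac.ActionAlertingRuleExternalRead` action already used for the GET case two lines above and the commit's stated intent. The `authorize` function starts and ends outside the hunk, so whether other external write routes in the same switch need the same correction cannot be judged from here.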
@@ -70,6 +70,7 @@ Patch8: 0008-replace-faulty-slices-sort.patch
 Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch
 # https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
 Patch10: 0010-remove-bcrypt-references.patch
+Patch11: CVE-2024-8118.patch
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -760,6 +761,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 8 -p1
 %patch -P 9 -p1
 %patch -P 10 -p1
+%patch -P 11 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -1014,6 +1016,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 %changelog
+* Sun Sep 29 2024 wangkai <13474090681@163.com> - 10.2.6-3
+- Fix CVE-2024-8118
+
 * Mon Aug 26 2024 Ge Wang - 10.2.6-2
 - Create directory for alerting provisioning files
-- Gitee
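Review bot: The new `Patch11: CVE-2024-8118.patch` line carries no origin comment, whereas the adjacent `Patch10` entry has its upstream commit URL on the line directly above it; for consistency add `# https://github.com/grafana/grafana/commit/7bf99231de44c53c54bb158256562dd204f49b80` immediately above `Patch11:`, which is the Origin recorded inside the patch file itself. The `%patch -P 11 -p1` line in the `@@ -760,6 +761,7 @@` hunk is placed between `-P 10` and `-P 1001`, matching the numeric order used for the other patches. The changelog entry names the CVE but not the upstream commit, so the origin comment is the only place that link would live in the spec.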