!26 Fix CVE-2022-21673

Merge pull request !26 from wk333/master
2022-01-27 02:38:06 +00:00 · 2022-01-27 02:38:06 +00:00 · 425ddc755a
commit 425ddc755a
parent 8ff7854c8a d6e1573827
2 changed files with 218 additions and 2 deletions
--- a/CVE-2022-21673.patch
+++ b/CVE-2022-21673.patch
@ -0,0 +1,212 @@
+From bb0cfbc1d9ee75ba9c1068276e490e2868bb112f Mon Sep 17 00:00:00 2001
+From: Dimitris Sotirakis <dimitrios.sotirakis@grafana.com>
+Date: Tue, 18 Jan 2022 10:51:10 +0200
+Subject: [PATCH] [v7.5.x] GetUserInfo: return an error if no user was found
+ (#212)
+
+* Update grabpl version
+
+* return an error if no user was found
+
+(cherry picked from commit b9d3b9b5a40d8aad0adadd6d278427320fb4aebe)
+
+* also if authid is empty
+
+Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>
+---
+ .drone.yml                         | 36 +++++++++++++++---------------
+ pkg/services/sqlstore/user_auth.go |  4 ++++
+ scripts/lib.star                   |  2 +-
+ 3 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/.drone.yml b/.drone.yml
+index 55dd0893c30e8..6da4e5b76fb1a 100644
+--- a/.drone.yml
+++ b/.drone.yml
+@@ -17,7 +17,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -266,7 +266,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -605,7 +605,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ 
+ - name: build-windows-installer
+   image: grafana/ci-wix:0.1.1
+@@ -654,7 +654,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   environment:
+@@ -742,7 +742,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - ./bin/grabpl verify-version ${DRONE_TAG}
+@@ -1056,7 +1056,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ 
+ - name: build-windows-installer
+   image: grafana/ci-wix:0.1.1
+@@ -1106,7 +1106,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+@@ -1503,7 +1503,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+   - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+   - git checkout ${DRONE_TAG}
+@@ -1568,7 +1568,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - ./bin/grabpl verify-version ${DRONE_TAG}
+@@ -1676,7 +1676,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - ./bin/grabpl verify-version v7.3.0-test
+@@ -1979,7 +1979,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ 
+ - name: build-windows-installer
+   image: grafana/ci-wix:0.1.1
+@@ -2029,7 +2029,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+@@ -2420,7 +2420,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+   - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+   - git checkout main
+@@ -2485,7 +2485,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - ./bin/grabpl verify-version v7.3.0-test
+@@ -2593,7 +2593,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - ./bin/grabpl verify-drone
+   - curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
+@@ -2871,7 +2871,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+ 
+ - name: build-windows-installer
+   image: grafana/ci-wix:0.1.1
+@@ -2917,7 +2917,7 @@ steps:
+   image: grafana/build-container:1.4.1
+   commands:
+   - mkdir -p bin
+-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
+   - chmod +x bin/grabpl
+   - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+@@ -3311,7 +3311,7 @@ steps:
+   image: grafana/ci-wix:0.1.1
+   commands:
+   - $$ProgressPreference = "SilentlyContinue"
+-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
+   - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
+   - cd grafana-enterprise
+   - git checkout $$env:DRONE_BRANCH
+diff --git a/pkg/services/sqlstore/user_auth.go b/pkg/services/sqlstore/user_auth.go
+index 0bef79e160048..9605ccce76a83 100644
+--- a/pkg/services/sqlstore/user_auth.go
+++ b/pkg/services/sqlstore/user_auth.go
+@@ -142,6 +142,10 @@ func GetExternalUserInfoByLogin(query *models.GetExternalUserInfoByLoginQuery) e
+ }
+ 
+ func GetAuthInfo(query *models.GetAuthInfoQuery) error {
+	if query.UserId == 0 && query.AuthId == "" {
+		return models.ErrUserNotFound
+	}
+
+ 	userAuth := &models.UserAuth{
+ 		UserId:     query.UserId,
+ 		AuthModule: query.AuthModule,
+diff --git a/scripts/lib.star b/scripts/lib.star
+index e115fe363cbca..da1291f102166 100644
+--- a/scripts/lib.star
+++ b/scripts/lib.star
+@@ -1,4 +1,4 @@
+-grabpl_version = '0.5.58'
+grabpl_version = '0.5.59'
+ build_image = 'grafana/build-container:1.4.1'
+ publish_image = 'grafana/grafana-ci-deploy:1.3.1'
+ grafana_docker_image = 'grafana/drone-grafana-docker:0.3.2'
--- a/grafana.spec
+++ b/grafana.spec
@ -7,7 +7,7 @@

 Name:             grafana
 Version:          7.5.11
-Release:          3
+Release:          4
 Summary:          Metrics dashboard and graph editor
 License:          Apache 2.0
 URL:              https://grafana.org
@ -31,6 +31,7 @@ Patch5:           005-fix-gtime-test-32bit.patch
 Patch6:           006-remove-unused-frontend-crypto.patch
 Patch7:           007-patch-unused-backend-crypto.patch
 Patch8:           CVE-2021-43813.patch
+Patch9:           CVE-2022-21673.patch

 BuildRequires:    git, systemd, golang 

@ -400,7 +401,7 @@ rm -r plugins-bundled
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-
+%patch9 -p1


 # Set up build subdirs and links
@ -565,6 +566,9 @@ rm -r pkg/macaron


 %changelog
+* Thu Jan 27 2022 wangkai <wangkai385@huawei.com> 7.5.11-4
+- Fix CVE-2022-21673
+
 * Wed Dec 15 2021 wangkai <wangkai385@huawei.com> 7.5.11-3
 - Fix CVE-2021-43813