Fix CVE-2022-21673

This commit is contained in:
wk333 2022-01-27 10:04:52 +08:00
parent 8ff7854c8a
commit d6e1573827
2 changed files with 218 additions and 2 deletions

212
CVE-2022-21673.patch Normal file

@ -0,0 +1,212 @@
From bb0cfbc1d9ee75ba9c1068276e490e2868bb112f Mon Sep 17 00:00:00 2001
From: Dimitris Sotirakis <dimitrios.sotirakis@grafana.com>
Date: Tue, 18 Jan 2022 10:51:10 +0200
Subject: [PATCH] [v7.5.x] GetUserInfo: return an error if no user was found
(#212)
* Update grabpl version
* return an error if no user was found
(cherry picked from commit b9d3b9b5a40d8aad0adadd6d278427320fb4aebe)
* also if authid is empty
Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>
---
.drone.yml | 36 +++++++++++++++---------------
pkg/services/sqlstore/user_auth.go | 4 ++++
scripts/lib.star | 2 +-
3 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index 55dd0893c30e8..6da4e5b76fb1a 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -17,7 +17,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
@@ -266,7 +266,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
@@ -605,7 +605,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- name: build-windows-installer
image: grafana/ci-wix:0.1.1
@@ -654,7 +654,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
environment:
@@ -742,7 +742,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- ./bin/grabpl verify-version ${DRONE_TAG}
@@ -1056,7 +1056,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- name: build-windows-installer
image: grafana/ci-wix:0.1.1
@@ -1106,7 +1106,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
@@ -1503,7 +1503,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
- git checkout ${DRONE_TAG}
@@ -1568,7 +1568,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- ./bin/grabpl verify-version ${DRONE_TAG}
@@ -1676,7 +1676,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- ./bin/grabpl verify-version v7.3.0-test
@@ -1979,7 +1979,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- name: build-windows-installer
image: grafana/ci-wix:0.1.1
@@ -2029,7 +2029,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
@@ -2420,7 +2420,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
- git checkout main
@@ -2485,7 +2485,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- ./bin/grabpl verify-version v7.3.0-test
@@ -2593,7 +2593,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- ./bin/grabpl verify-drone
- curl -fLO https://github.com/jwilder/dockerize/releases/download/v$${DOCKERIZE_VERSION}/dockerize-linux-amd64-v$${DOCKERIZE_VERSION}.tar.gz
@@ -2871,7 +2871,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- name: build-windows-installer
image: grafana/ci-wix:0.1.1
@@ -2917,7 +2917,7 @@ steps:
image: grafana/build-container:1.4.1
commands:
- mkdir -p bin
- - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/grabpl
+ - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/grabpl
- chmod +x bin/grabpl
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
@@ -3311,7 +3311,7 @@ steps:
image: grafana/ci-wix:0.1.1
commands:
- $$ProgressPreference = "SilentlyContinue"
- - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.58/windows/grabpl.exe -OutFile grabpl.exe
+ - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v0.5.59/windows/grabpl.exe -OutFile grabpl.exe
- git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
- cd grafana-enterprise
- git checkout $$env:DRONE_BRANCH
diff --git a/pkg/services/sqlstore/user_auth.go b/pkg/services/sqlstore/user_auth.go
index 0bef79e160048..9605ccce76a83 100644
--- a/pkg/services/sqlstore/user_auth.go
+++ b/pkg/services/sqlstore/user_auth.go
@@ -142,6 +142,10 @@ func GetExternalUserInfoByLogin(query *models.GetExternalUserInfoByLoginQuery) e
}
func GetAuthInfo(query *models.GetAuthInfoQuery) error {
+ if query.UserId == 0 && query.AuthId == "" {
+ return models.ErrUserNotFound
+ }
+
userAuth := &models.UserAuth{
UserId: query.UserId,
AuthModule: query.AuthModule,
diff --git a/scripts/lib.star b/scripts/lib.star
index e115fe363cbca..da1291f102166 100644
--- a/scripts/lib.star
+++ b/scripts/lib.star
@@ -1,4 +1,4 @@
-grabpl_version = '0.5.58'
+grabpl_version = '0.5.59'
build_image = 'grafana/build-container:1.4.1'
publish_image = 'grafana/grafana-ci-deploy:1.3.1'
grafana_docker_image = 'grafana/drone-grafana-docker:0.3.2'
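Review bot: The guard added to GetAuthInfo in the pkg/services/sqlstore/user_auth.go hunk carries no comment, so the next reader cannot tell that `query.UserId == 0 && query.AuthId == ""` is the condition under which the lookup that follows would be filtered on AuthModule alone and could hand back another user's auth record; I would add `// Refuse a lookup keyed on nothing: with UserId and AuthId both empty the query below appears to match on AuthModule alone.` above the `if`. The body of GetAuthInfo continues outside the hunk, so whether the later lookup really ignores zero-valued fields is inferred from the UserAuth literal at the end of the hunk and should be confirmed against the rest of the function. The diffstat at the top of the patch lists only .drone.yml, user_auth.go and lib.star, so this cherry-pick ships the fix without a regression test; a case in the sqlstore tests that calls GetAuthInfo with an empty query and expects models.ErrUserNotFound would keep the guard from being dropped in a later rebase. The .drone.yml and scripts/lib.star hunks are a grabpl version bump unrelated to the vulnerability and need no review.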


@ -7,7 +7,7 @@
Name: grafana Name: grafana
Version: 7.5.11 Version: 7.5.11
Release: 3 Release: 4
Summary: Metrics dashboard and graph editor Summary: Metrics dashboard and graph editor
License: Apache 2.0 License: Apache 2.0
URL: https://grafana.org URL: https://grafana.org
@ -31,6 +31,7 @@ Patch5: 005-fix-gtime-test-32bit.patch
Patch6: 006-remove-unused-frontend-crypto.patch Patch6: 006-remove-unused-frontend-crypto.patch
Patch7: 007-patch-unused-backend-crypto.patch Patch7: 007-patch-unused-backend-crypto.patch
Patch8: CVE-2021-43813.patch Patch8: CVE-2021-43813.patch
Patch9: CVE-2022-21673.patch
BuildRequires: git, systemd, golang BuildRequires: git, systemd, golang
@ -400,7 +401,7 @@ rm -r plugins-bundled
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
# Set up build subdirs and links # Set up build subdirs and links
@ -565,6 +566,9 @@ rm -r pkg/macaron
%changelog %changelog
* Thu Jan 27 2022 wangkai <wangkai385@huawei.com> 7.5.11-4
- Fix CVE-2022-21673
* Wed Dec 15 2021 wangkai <wangkai385@huawei.com> 7.5.11-3 * Wed Dec 15 2021 wangkai <wangkai385@huawei.com> 7.5.11-3
- Fix CVE-2021-43813 - Fix CVE-2021-43813