Fix CVE-2021-43813

2021-12-15 15:32:04 +08:00 · 2021-12-15 15:32:04 +08:00 · fdfc2e1911
commit fdfc2e1911
parent 0c781d802b
2 changed files with 61 additions and 1 deletions
--- a/CVE-2021-43813.patch
+++ b/CVE-2021-43813.patch
@ -0,0 +1,55 @@
+From ea77415cfe2cefe46ffce233076a1409abaa8df7 Mon Sep 17 00:00:00 2001
+From: Will Browne <wbrowne@users.noreply.github.com>
+Date: Fri, 10 Dec 2021 11:29:12 +0000
+Subject: [PATCH] apply fix (#42969)
+
+---
+ pkg/plugins/plugins.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e75c0..c7199c716ee88 100644
+--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
+-	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
+	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ 	exists, err := fs.Exists(path)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 	if !exists {
+-		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ 	}
+ 
+ 	exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
+ 	data, err := ioutil.ReadFile(path)
+ 	if err != nil {
+ 		return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	return data, nil
+ }
+ 
+func mdFilepath(mdFilename string) string {
+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
+
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ 	var files []string
--- a/grafana.spec
+++ b/grafana.spec
@ -7,7 +7,7 @@

 Name:             grafana
 Version:          7.5.11
-Release:          2
+Release:          3
 Summary:          Metrics dashboard and graph editor
 License:          Apache 2.0
 URL:              https://grafana.org
@ -30,6 +30,7 @@ Patch4:           004-remove-unused-dependencies.patch
 Patch5:           005-fix-gtime-test-32bit.patch
 Patch6:           006-remove-unused-frontend-crypto.patch
 Patch7:           007-patch-unused-backend-crypto.patch
+Patch8:           CVE-2021-43813.patch

 BuildRequires:    git, systemd, golang 

@ -398,6 +399,7 @@ rm -r plugins-bundled
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1



@ -563,6 +565,9 @@ rm -r pkg/macaron


 %changelog
+* Wed Dec 15 2021 wangkai <wangkai385@huawei.com> 7.5.11-3
+- Fix CVE-2021-43813
+
 * Wed Nov 17 2021 wangkai <wangkai385@huawei.com> 7.5.11-2
 - Update Patch Source Provides