From 24af225d9bdd62df95d1d4da5bf93aa413378d73 Mon Sep 17 00:00:00 2001
From: zhangxianting
Date: Tue, 8 Oct 2024 17:12:24 +0800
Subject: [PATCH] Update uplot 1.6.31, fix CVE-2024-21489

---
 CVE-2024-21489.patch | 100 +++++++++++++++++++++++++++++++++++++++++++
 grafana.spec | 9 +++-
 2 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-21489.patch

diff --git a/CVE-2024-21489.patch b/CVE-2024-21489.patch
new file mode 100644
index 0000000..7180539
--- /dev/null
+++ b/CVE-2024-21489.patch
@@ -0,0 +1,100 @@
+From 165ca3b4e8411cebc73dcc8a396836038e3f064c Mon Sep 17 00:00:00 2001
+From: Leon Sorokin
+Date: Fri, 27 Sep 2024 23:11:05 -0500
+Subject: [PATCH] Chore: uPlot v1.6.31 (#93952)
+
+---
+ package.json | 2 +-
+ packages/grafana-data/package.json | 2 +-
+ packages/grafana-ui/package.json | 2 +-
+ yarn.lock | 14 +++++++-------
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/package.json b/package.json
+index aad5e88..2838a96 100644
+--- a/package.json
++++ b/package.json
+@@ -414,7 +414,7 @@
+ "tinycolor2": "1.6.0",
+ "tslib": "2.6.0",
+ "tween-functions": "^1.2.0",
+- "uplot": "1.6.27",
++ "uplot": "1.6.31",
+ "uuid": "9.0.0",
+ "vendor": "link:./public/vendor",
+ "visjs-network": "4.25.0",
+diff --git a/packages/grafana-data/package.json b/packages/grafana-data/package.json
+index 2182744..b5c63ef 100644
+--- a/packages/grafana-data/package.json
++++ b/packages/grafana-data/package.json
+@@ -58,7 +58,7 @@
+ "string-hash": "^1.1.3",
+ "tinycolor2": "1.6.0",
+ "tslib": "2.6.0",
+- "uplot": "1.6.27",
++ "uplot": "1.6.31",
+ "xss": "^1.0.14"
+ },
+ "devDependencies": {
+diff --git a/packages/grafana-ui/package.json b/packages/grafana-ui/package.json
+index de05a7f..47d1a5a 100644
+--- a/packages/grafana-ui/package.json
++++ b/packages/grafana-ui/package.json
+@@ -109,7 +109,7 @@
+ "slate-react": "0.22.10",
+ "tinycolor2": "1.6.0",
+ "tslib": "2.6.0",
+- "uplot": "1.6.27",
++ "uplot": "1.6.31",
+ "uuid": "9.0.0"
+ },
+ "devDependencies": {
+diff --git a/yarn.lock b/yarn.lock
+index 1552ddc..e8f3bbe 100644
+--- a/yarn.lock
++++ b/yarn.lock
+@@ -2980,7 +2980,7 @@ __metadata:
+ tinycolor2: "npm:1.6.0"
+ tslib: "npm:2.6.0"
+ typescript: "npm:5.2.2"
+- uplot: "npm:1.6.27"
++ uplot: "npm:1.6.31"
+ xss: "npm:^1.0.14"
+ peerDependencies:
+ react: ^17.0.0 || ^18.0.0
+@@ -3493,7 +3493,7 @@ __metadata:
+ tinycolor2: "npm:1.6.0"
+ tslib: "npm:2.6.0"
+ typescript: "npm:5.2.2"
+- uplot: "npm:1.6.27"
++ uplot: "npm:1.6.31"
+ uuid: "npm:9.0.0"
+ webpack: "npm:5.89.0"
+ peerDependencies:
+@@ -17557,7 +17557,7 @@ __metadata:
+ tslib: "npm:2.6.0"
+ tween-functions: "npm:^1.2.0"
+ typescript: "npm:5.2.2"
+- uplot: "npm:1.6.27"
++ uplot: "npm:1.6.31"
+ uuid: "npm:9.0.0"
+ vendor: "link:./public/vendor"
+ visjs-network: "npm:4.25.0"
+@@ -29776,10 +29776,10 @@ __metadata:
+ languageName: node
+ linkType: hard
+ 
+-"uplot@npm:1.6.27":
+- version: 1.6.27
+- resolution: "uplot@npm:1.6.27"
+- checksum: b46de70804fdec2aa62101d8980aa18517a9a84e94fdeac922baa8121140ddae35685002a7cbdc74bbe6ea2306e341628490f5a5e2fa4b8086ff1643dccf2be9
++"uplot@npm:1.6.31":
++ version: 1.6.31
++ resolution: "uplot@npm:1.6.31"
++ checksum: 8a24bed5c56aa45928102ff964a6a42e3ec806369278ce52dbc65d65e453a7e4b1ee73d525c53618223b712207266f7be752853284c7e5d5bc04c2d23bcc85b1
+ languageName: node
+ linkType: hard
+ 
+-- 
+2.43.0
+
diff --git a/grafana.spec b/grafana.spec
index a6790ea..f1664f9 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -18,7 +18,7 @@
 
 Name: grafana
 Version: 10.2.6
-Release: 3
+Release: 4
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
@@ -71,6 +71,7 @@ Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch
 # https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
 Patch10: 0010-remove-bcrypt-references.patch
 Patch11: CVE-2024-8118.patch
+Patch12: CVE-2024-21489.patch
 
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -700,7 +701,7 @@ Provides: bundled(npm(ts-node)) = 10.9.1
 Provides: bundled(npm(tslib)) = 1.14.1
 Provides: bundled(npm(tween-functions)) = 1.2.0
 Provides: bundled(npm(typescript)) = 4.8.4
-Provides: bundled(npm(uplot)) = 1.6.27
+Provides: bundled(npm(uplot)) = 1.6.31
 Provides: bundled(npm(uuid)) = 3.4.0
 Provides: bundled(npm(visjs-network)) = 4.25.0
 Provides: bundled(npm(webpack)) = 5.76.0
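Review bot: The new `Patch12: CVE-2024-21489.patch` line carries no provenance, whereas `Patch10` two lines above is annotated with the upstream commit URL it backports. The patch file's own header identifies it as upstream commit 165ca3b4e8411cebc73dcc8a396836038e3f064c ("Chore: uPlot v1.6.31 (#93952)", dated Sep 2024), which postdates 10.2.6, so the hunks were presumably generated against a newer tree and a reviewer auditing the CVE fix currently has to open the file to learn any of this. Add `# https://github.com/grafana/grafana/commit/165ca3b4e8411cebc73dcc8a396836038e3f064c` above `Patch12:`, and if the yarn.lock hunks had to be rebased onto 10.2.6, say so in that comment.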
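Review bot: Raising `Provides: bundled(npm(uplot))` to 1.6.31 only declares the fix; nothing in this diff shows the frontend build consuming the patched yarn.lock, and the spec's separate "Patches affecting the vendor tarball" section suggests node modules may come from a pre-fetched vendor archive rather than a yarn resolution at build time. If that is the case the compiled JS still embeds uplot 1.6.27 while the RPM metadata advertises 1.6.31, which is the worst outcome for a CVE fix because vulnerability scanners stop flagging it. Verify in the build root that `node_modules/uplot/package.json` reports 1.6.31 (or regenerate the vendor tarball) before shipping. Separately, this hand-maintained list already disagrees with the package.json in the same patch (`tslib` 1.14.1 vs 2.6.0, `typescript` 4.8.4 vs 5.2.2, `uuid` 3.4.0 vs 9.0.0) — possibly transitive resolutions, but worth a comment such as `# keep in sync with yarn.lock resolutions` or a list generated from the lockfile.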
@@ -762,6 +763,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
+%patch -P 12 -p1
 %patch -P 1001 -p1
 
 %if %{enable_fips_mode}
@@ -1016,6 +1018,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue Oct 08 2024 zhangxianting - 10.2.6-4
+- Update uplot 1.6.31, fix CVE-2024-21489
+
 * Sun Sep 29 2024 wangkai <13474090681@163.com> - 10.2.6-3
 - Fix CVE-2024-8118
 
-- 
Gitee
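Review bot: The new changelog entry `* Tue Oct 08 2024 zhangxianting - 10.2.6-4` omits the maintainer e-mail, unlike the preceding `wangkai <13474090681@163.com>` entry, and its one-line summary does not say which component is affected or what the CVE is. Use the same form as the earlier entry, `* Tue Oct 08 2024 zhangxianting <address> - 10.2.6-4`, and make the line self-describing, e.g. `- Update bundled uplot to 1.6.31 to fix CVE-2024-21489 (prototype pollution in uPlot, per the upstream advisory)`, confirming the issue class against the advisory before quoting it. Security changelog lines are what downstream triage reads first, so the package and issue class belong there even when the patch file name already carries the CVE id.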