
Bug 883637

Summary: <app-metrics/prometheus-2.40.4 app-metrics/prometheus-bin: basic authentication bypass
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Resolution: ---
Severity: minor
CC: williamh, zlogene
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 883639

Description John Helmert III gentoo-dev 2022-11-29 18:16:59 UTC
CVE-2022-46146:

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to use this functionality.

Patch: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
oss-security discussion: http://www.openwall.com/lists/oss-security/2022/11/29/1

Prometheus 2.37.4 and 2.40.4 have been released with a fix. Please bump ASAP.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-29 19:50:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e664907e4e7118e96d9d701a058f3070e8a3151

commit 1e664907e4e7118e96d9d701a058f3070e8a3151
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:49:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: stabilize 2.40.4 for amd64
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/prometheus-2.40.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=222342a657bdfa777040dcd050bd449f08269ca6

commit 222342a657bdfa777040dcd050bd449f08269ca6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:47:14 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: add 2.40.4
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  3 ++
 app-metrics/prometheus/prometheus-2.40.4.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-11-29 19:53:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3941873e20f0b9e3c1ec405de17668f24fc1373

commit c3941873e20f0b9e3c1ec405de17668f24fc1373
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:52:09 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:52:09 +0000

    app-metrics/prometheus: drop 2.39.1, 2.40.1
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  6 ---
 app-metrics/prometheus/prometheus-2.39.1.ebuild | 72 -------------------------
 app-metrics/prometheus/prometheus-2.40.1.ebuild | 72 -------------------------
 3 files changed, 150 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2022-11-29 23:10:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7925a4c054a07a9fdfb8570cc108d5a2ead530d0

commit 7925a4c054a07a9fdfb8570cc108d5a2ead530d0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:09:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:59 +0000

    profiles: last rite app-metrics/prometheus-bin
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-12-31 18:32:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16a7694e781f11239293b97de2e8786873d87fb0

commit 16a7694e781f11239293b97de2e8786873d87fb0
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-12-31 18:19:22 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-12-31 18:31:00 +0000

    app-metrics/prometheus-bin: treeclean
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-metrics/prometheus-bin/Manifest                |  4 --
 app-metrics/prometheus-bin/files/prometheus.confd  |  2 -
 app-metrics/prometheus-bin/files/prometheus.initd  | 34 ---------------
 .../prometheus-bin/files/prometheus.service        | 22 ----------
 app-metrics/prometheus-bin/metadata.xml            | 15 -------
 .../prometheus-bin/prometheus-bin-2.26.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.27.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.28.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.31.1.ebuild    | 51 ----------------------
 profiles/package.mask                              |  6 ---
 10 files changed, 287 deletions(-)