Bug 883637 - <app-metrics/prometheus-2.40.4 app-metrics/prometheus-bin: basic authentication bypass
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/prometheus/exporte...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2022-46146
Reported: 2022-11-29 18:16 UTC by John Helmert III
Modified: 2022-12-31 18:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2022-11-29 18:16:59 UTC
CVE-2022-46146:

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to use this functionality.

Patch: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
oss-security discussion: http://www.openwall.com/lists/oss-security/2022/11/29/1

Prometheus 2.37.4 and 2.40.4 have been released with a fix. Please bump ASAP.
Comment 1 Larry the Git Cow 2022-11-29 19:50:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e664907e4e7118e96d9d701a058f3070e8a3151

commit 1e664907e4e7118e96d9d701a058f3070e8a3151
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:49:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: stabilize 2.40.4 for amd64
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/prometheus-2.40.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=222342a657bdfa777040dcd050bd449f08269ca6

commit 222342a657bdfa777040dcd050bd449f08269ca6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:47:14 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: add 2.40.4
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  3 ++
 app-metrics/prometheus/prometheus-2.40.4.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 2 Larry the Git Cow 2022-11-29 19:53:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3941873e20f0b9e3c1ec405de17668f24fc1373

commit c3941873e20f0b9e3c1ec405de17668f24fc1373
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:52:09 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:52:09 +0000

    app-metrics/prometheus: drop 2.39.1, 2.40.1
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  6 ---
 app-metrics/prometheus/prometheus-2.39.1.ebuild | 72 -------------------------
 app-metrics/prometheus/prometheus-2.40.1.ebuild | 72 -------------------------
 3 files changed, 150 deletions(-)
Comment 3 Larry the Git Cow 2022-11-29 23:10:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7925a4c054a07a9fdfb8570cc108d5a2ead530d0

commit 7925a4c054a07a9fdfb8570cc108d5a2ead530d0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:09:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:59 +0000

    profiles: last rite app-metrics/prometheus-bin
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Larry the Git Cow 2022-12-31 18:32:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16a7694e781f11239293b97de2e8786873d87fb0

commit 16a7694e781f11239293b97de2e8786873d87fb0
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-12-31 18:19:22 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-12-31 18:31:00 +0000

    app-metrics/prometheus-bin: treeclean
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-metrics/prometheus-bin/Manifest                |  4 --
 app-metrics/prometheus-bin/files/prometheus.confd  |  2 -
 app-metrics/prometheus-bin/files/prometheus.initd  | 34 ---------------
 .../prometheus-bin/files/prometheus.service        | 22 ----------
 app-metrics/prometheus-bin/metadata.xml            | 15 -------
 .../prometheus-bin/prometheus-bin-2.26.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.27.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.28.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.31.1.ebuild    | 51 ----------------------
 profiles/package.mask                              |  6 ---
 10 files changed, 287 deletions(-)