Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 883637 - <app-metrics/prometheus-2.40.4 app-metrics/prometheus-bin: basic authentication bypass
Summary: <app-metrics/prometheus-2.40.4 app-metrics/prometheus-bin: basic authenticati...
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/prometheus/exporte...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2022-46146
  Show dependency tree
 
Reported: 2022-11-29 18:16 UTC by John Helmert III
Modified: 2022-12-31 18:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 18:16:59 UTC 
CVE-2022-46146:

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, i someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

Patch: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
oss-security discussion: http://www.openwall.com/lists/oss-security/2022/11/29/1

Prometheus 2.37.4 and 2.40.4 have been released with a fix. Please bump ASAP.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-29 19:50:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e664907e4e7118e96d9d701a058f3070e8a3151

commit 1e664907e4e7118e96d9d701a058f3070e8a3151
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:49:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: stabilize 2.40.4 for amd64
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/prometheus-2.40.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=222342a657bdfa777040dcd050bd449f08269ca6

commit 222342a657bdfa777040dcd050bd449f08269ca6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:47:14 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:50:04 +0000

    app-metrics/prometheus: add 2.40.4
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  3 ++
 app-metrics/prometheus/prometheus-2.40.4.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-11-29 19:53:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3941873e20f0b9e3c1ec405de17668f24fc1373

commit c3941873e20f0b9e3c1ec405de17668f24fc1373
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-11-29 19:52:09 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-11-29 19:52:09 +0000

    app-metrics/prometheus: drop 2.39.1, 2.40.1
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-metrics/prometheus/Manifest                 |  6 ---
 app-metrics/prometheus/prometheus-2.39.1.ebuild | 72 -------------------------
 app-metrics/prometheus/prometheus-2.40.1.ebuild | 72 -------------------------
 3 files changed, 150 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2022-11-29 23:10:17 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7925a4c054a07a9fdfb8570cc108d5a2ead530d0

commit 7925a4c054a07a9fdfb8570cc108d5a2ead530d0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:09:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:59 +0000

    profiles: last rite app-metrics/prometheus-bin
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-12-31 18:32:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16a7694e781f11239293b97de2e8786873d87fb0

commit 16a7694e781f11239293b97de2e8786873d87fb0
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-12-31 18:19:22 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-12-31 18:31:00 +0000

    app-metrics/prometheus-bin: treeclean
    
    Bug: https://bugs.gentoo.org/883637
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-metrics/prometheus-bin/Manifest                |  4 --
 app-metrics/prometheus-bin/files/prometheus.confd  |  2 -
 app-metrics/prometheus-bin/files/prometheus.initd  | 34 ---------------
 .../prometheus-bin/files/prometheus.service        | 22 ----------
 app-metrics/prometheus-bin/metadata.xml            | 15 -------
 .../prometheus-bin/prometheus-bin-2.26.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.27.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.28.1.ebuild    | 51 ----------------------
 .../prometheus-bin/prometheus-bin-2.31.1.ebuild    | 51 ----------------------
 profiles/package.mask                              |  6 ---
 10 files changed, 287 deletions(-)