Version in base suite: 0.5.1-2
Base version: golang-github-prometheus-exporter-toolkit_0.5.1-2
Target version: golang-github-prometheus-exporter-toolkit_0.5.1-2+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/golang-github-prometheus-exporter-toolkit/golang-github-prometheus-exporter-toolkit_0.5.1-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/golang-github-prometheus-exporter-toolkit/golang-github-prometheus-exporter-toolkit_0.5.1-2+deb11u2.dsc
changelog | 13 ++++
control | 3
patches/02-Avoid_race_in_test.patch | 31 +++++++++
patches/03-CVE-2022-46146.patch | 112 ++++++++++++++++++++++++++++++++++++
patches/series | 2
5 files changed, 160 insertions(+), 1 deletion(-)
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog 2021-01-25 14:10:41.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog 2022-12-19 23:02:39.000000000 +0000
@@ -1,3 +1,16 @@
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u2) bullseye; urgency=medium
+
+ * Backport fix for CVE-2022-46146. Closes: #1025127.
+
+ -- Martina Ferrari Mon, 19 Dec 2022 23:02:39 +0000
+
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u1) bullseye; urgency=medium
+
+ * Patch tests to avoid race condition. Closes: #1013578.
+ Thanks to Santiago Vila for the adjusted patch.
+
+ -- Martina Ferrari Thu, 15 Dec 2022 22:33:17 +0000
+
 golang-github-prometheus-exporter-toolkit (0.5.1-2) unstable; urgency=medium
 * Team upload.
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/control golang-github-prometheus-exporter-toolkit-0.5.1/debian/control
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 2021-01-19 14:44:59.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 2022-12-19 23:02:39.000000000 +0000
@@ -1,6 +1,7 @@
 Source: golang-github-prometheus-exporter-toolkit
 Maintainer: Debian Go Packaging Team
-Uploaders: Daniel Swarbrick
+Uploaders: Daniel Swarbrick ,
+ Martina Ferrari ,
 Section: devel
 Testsuite: autopkgtest-pkg-go
 Priority: optional
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch 1970-01-01 00:00:00.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch 2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,31 @@
+Author: Martina Ferrari
+Description: Fix test failures due to race conditions
+Forwarded: https://github.com/prometheus/exporter-toolkit/issues/108
+Last-Updated: Mon, 29 Aug 2022 17:39:56 +0000
+
+--- a/web/users_test.go
++++ b/web/users_test.go
+@@ -18,6 +18,7 @@
+ "net/http"
+ "sync"
+ "testing"
++ "time"
+ )
+
+ // TestBasicAuthCache validates that the cache is working by calling a password
+@@ -42,6 +43,7 @@
+ ListenAndServe(server, "testdata/tls_config_users_noTLS.good.yml", testlogger)
+ close(done)
+ }()
++ time.Sleep(250 * time.Millisecond)
+
+ login := func(username, password string, code int) {
+ client := &http.Client{}
+@@ -106,6 +108,7 @@
+ ListenAndServe(server, "testdata/tls_config_users_noTLS.good.yml", testlogger)
+ close(done)
+ }()
++ time.Sleep(250 * time.Millisecond)
+
+ login := func() {
+ client := &http.Client{}
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch 1970-01-01 00:00:00.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch 2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,112 @@
+Author: Julien Pivotto
+Date: Tue Nov 29 10:22:49 2022 +0100
+Forwarded: not-needed
+Last-Updated: Mon, 19 Dec 2022 20:11:12 +0000
+Description:
+ Backport of upstream commits 2528877 and 0af5c3f:
+
+ Merge pull request from GHSA-7rg2-cxvp-9p7p
+
+ * Fix authentication bypass if stored password hash is known
+
+ Signed-off-by: Julien Pivotto
+
+ * Add test for CVE-2022-46146
+
+ Signed-off-by: Julien Pivotto
+
+ * Fix tests
+
+ 
Signed-off-by: Julien Pivotto
+
+--- a/web/users.go
++++ b/web/users.go
+@@ -18,6 +18,7 @@
+ import (
+ "encoding/hex"
+ "net/http"
++ "strings"
+ "sync"
+
+ "github.com/go-kit/kit/log"
+@@ -74,7 +75,12 @@
+ hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
+ }
+
+- cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))
++ cacheKey := strings.Join(
++ []string{
++ hex.EncodeToString([]byte(user)),
++ hex.EncodeToString([]byte(hashedPassword)),
++ hex.EncodeToString([]byte(pass)),
++ }, ":")
+ authOk, ok := u.cache.get(cacheKey)
+
+ if !ok {
+@@ -83,7 +89,7 @@
+ err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
+ u.bcryptMtx.Unlock()
+
+- authOk = err == nil
++ authOk = validUser && err == nil
+ u.cache.set(cacheKey, authOk)
+ }
+
+--- a/web/users_test.go
++++ b/web/users_test.go
+@@ -131,3 +131,47 @@
+ // Login with the response cached.
+ login()
+ }
++
++// TestByPassBasicAuthVuln tests for CVE-2022-46146.
++func TestByPassBasicAuthVuln(t *testing.T) {
++ server := &http.Server{
++ Addr: port,
++ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ w.Write([]byte("Hello World!"))
++ }),
++ }
++
++ done := make(chan struct{})
++ t.Cleanup(func() {
++ if err := server.Shutdown(context.Background()); err != nil {
++ t.Fatal(err)
++ }
++ <-done
++ })
++
++ go func() {
++ ListenAndServe(server, "testdata/web_config_users_noTLS.good.yml", testlogger)
++ close(done)
++ }()
++
++ login := func(username, password string) {
++ client := &http.Client{}
++ req, err := http.NewRequest("GET", "http://localhost"+port, nil)
++ if err != nil {
++ t.Fatal(err)
++ }
++ req.SetBasicAuth(username, password)
++ r, err := client.Do(req)
++ if err != nil {
++ t.Fatal(err)
++ }
++ if r.StatusCode != 401 {
++ t.Fatalf("bad return code, expected %d, got %d", 401, r.StatusCode)
++ }
++ }
++
++ // Poison the cache.
++ login("alice$2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby", "fakepassword")
++ // Login with a wrong password.
++ login("alice", "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSifakepassword")
++}
+--- /dev/null
++++ b/web/testdata/web_config_users_noTLS.good.yml
+@@ -0,0 +1,5 @@
++basic_auth_users:
++ alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
++ bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
++ carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
++ dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series 2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,2 @@
+02-Avoid_race_in_test.patch
+03-CVE-2022-46146.patch
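Review bot: TestByPassBasicAuthVuln in the users_test.go part of 03-CVE-2022-46146.patch calls `login(...)` immediately after `go func() { ListenAndServe(...) }()`, without the `time.Sleep(250 * time.Millisecond)` that 02-Avoid_race_in_test.patch inserts at the same spot in the two existing tests, so the new test likely still has the listener-startup race that patch was added for (a refused connection would surface as `t.Fatal(err)` rather than the expected 401); its `login` helper also never closes `r.Body`. In the users.go part, the new `authOk = validUser && err == nil` depends on `validUser`, which is declared above the hunk (presumably the lookup result for `u.users[user]`) and would read better with a why-comment such as `// Unknown users never authenticate, even when the caller supplies the password behind the dummy hash used to equalise timing.`. The rewritten cache key likewise deserves one line on intent, e.g. `// Hex-encode each part and join with ":" so no user/password choice can alias another (user, hash, pass) triple.`. The enclosing function in users.go starts and ends outside these nested hunks.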