packages/A-Tune-Collector
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!46 [sync] PR-44: fix CVE-2024-24897

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @gaoruoshu 
Signed-off-by: @gaoruoshu
This commit is contained in:
openeuler-ci-bot 2024-03-12 11:00:16 +00:00 committed by Gitee
commit 23a63e5f90
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2024-24897.patch Normal file
View File

@ -0,0 +1,28 @@
From c59e9b4dd509a456fb1fedb50cc7ff9ef7ad55f9 Mon Sep 17 00:00:00 2001
From: zhoupengcheng <zhoupengcheng11@huawei.com>
Date: Mon, 11 Mar 2024 19:05:07 +0800
Subject: [PATCH] preventing possible Shell command injection
---
atune_collector/plugin/monitor/process/sched.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/atune_collector/plugin/monitor/process/sched.py b/atune_collector/plugin/monitor/process/sched.py
index 0fadeba..82e6d9f 100644
--- a/atune_collector/plugin/monitor/process/sched.py
+++ b/atune_collector/plugin/monitor/process/sched.py
@@ -68,8 +68,9 @@ class ProcSched(Monitor):
raise err
for app in self.__applications:
- pid = subprocess.getoutput(
- "ps -A | grep {} | awk '{{print $1}}'".format(app)).split()
+ pid = subprocess.getoutput("ps -A")
+ app_processes = [line for line in pid.split('\n') if app in line]
+ pid = [line.split()[0] for line in app_processes]
app_pid_flag = True if pid else False
proc_flag.append(app_pid_flag)
if pid:
--
2.33.0

6
atune-collector.spec
View File

@ -2,7 +2,7 @@
Name: atune-collector Name: atune-collector
Version: 1.1.0 Version: 1.1.0
Release: 7 Release: 8
Summary: A-Tune-Collector is used to collect various system resources. Summary: A-Tune-Collector is used to collect various system resources.
License: Mulan PSL v2 License: Mulan PSL v2
URL: https://gitee.com/openeuler/A-Tune-Collector URL: https://gitee.com/openeuler/A-Tune-Collector
@ -25,6 +25,7 @@ Patch14: feature-add-multi-for-rps-xps.patch
Patch15: feature-add-rfs-to-network.patch Patch15: feature-add-rfs-to-network.patch
Patch16: fix-bug-procsched-report-list-index-out-of-range.patch Patch16: fix-bug-procsched-report-list-index-out-of-range.patch
Patch17: fix-bug-procsched-data-collection-issue.patch Patch17: fix-bug-procsched-data-collection-issue.patch
Patch18: CVE-2024-24897.patch
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
Requires: python3-dict2xml python3-werkzeug Requires: python3-dict2xml python3-werkzeug
@ -49,6 +50,9 @@ The A-Tune-Collector is used to collect various system resources and can also be
%attr(0600,root,root) %{_sysconfdir}/atune_collector/* %attr(0600,root,root) %{_sysconfdir}/atune_collector/*
%changelog %changelog
* Tue Mar 12 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.1.0-8
- fix CVE-2024-24897
* Fri Dec 15 2023 weiyaping <weiyaping@xfusion.com> - 1.1.0-7 * Fri Dec 15 2023 weiyaping <weiyaping@xfusion.com> - 1.1.0-7
- fix bug: ProcSched.report: list index out of range - fix bug: ProcSched.report: list index out of range