!95 [sync] PR-93: Fix CVE-2024-3019

From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
2024-04-01 02:37:40 +00:00 · 2024-04-01 02:37:40 +00:00 · 831486b854
commit 831486b854
parent 4650371c53 30a64932e8
2 changed files with 36 additions and 1 deletions
--- a/CVE-2024-3019.patch
+++ b/CVE-2024-3019.patch
@ -0,0 +1,31 @@
+From 3bde240a2acc85e63e2f7813330713dd9b59386e Mon Sep 17 00:00:00 2001
+From: Nathan Scott <nathans@redhat.com>
+Date: Wed, 27 Mar 2024 14:51:28 +1100
+Subject: [PATCH] pmproxy: disable Redis protocol proxying by default
+
+origin: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e
+
+If a redis-server has been locked down in terms of connections,
+we want to prevent pmproxy from being allowed to send arbitrary
+RESP commands to it.
+
+This protocol proxying doesn't affect PCP functionality at all,
+its more of a developer/sysadmin convenience when Redis used in
+cluster mode (relatively uncommon compared to localhost mode).
+---
+ src/pmproxy/pmproxy.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
+index e54891792e..4cbc1c96af 100644
+--- a/src/pmproxy/pmproxy.conf
+++ b/src/pmproxy/pmproxy.conf
+@@ -29,7 +29,7 @@ pcp.enabled = true
+ http.enabled = true
+ 
+ # support Redis protocol proxying
+-redis.enabled = true
+redis.enabled = false
+ 
+ # support SSL/TLS protocol wrapping
+ secure.enabled = true
--- a/pcp.spec
+++ b/pcp.spec
@ -55,12 +55,13 @@
 Name:             pcp
 Version:          5.3.7
 Summary:          System-level performance monitoring and performance management
-Release:          3
+Release:          4
 License:          GPL-2.0-or-later and LGPL-2.0-or-later and CC-BY-SA-3.0
 URL:              https://pcp.io
 Source0:          https://github.com/performancecopilot/pcp/archive/refs/tags/%{version}.tar.gz
 #Refer:           https://github.com/performancecopilot/pcp/pull/822
 Patch0:           fix-out-of-range-mpstat.patch
+Patch1:           CVE-2024-3019.patch
 BuildRequires: make
 BuildRequires: gcc gcc-c++
 BuildRequires: procps autoconf bison flex
@ -1932,6 +1933,9 @@ systemctl condrestart pmproxy.service >/dev/null 2>&1


 %changelog
+* Fri Mar 29 2024 wangkai <13474090681@163.com> - 5.3.7-4
+- Fix CVE-2024-3019
+
 * Mon Feb 13 2023 wangkai <wangkai385@h-partners.com> - 5.3.7-3
 - Fix out of range in pcp-mpstat