From d6923f8d15ba17b3c517dff289c12480023909ea Mon Sep 17 00:00:00 2001
From: zhoupengcheng
Date: Tue, 12 Mar 2024 16:39:02 +0800
Subject: [PATCH] fix CVE-2024-24897
(cherry picked from commit 588032f3067f01aef49ee2583888370cae015517)
---
 CVE-2024-24897.patch | 28 ++++++++++++++++++++++++++++
 atune-collector.spec | 6 +++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-24897.patch
diff --git a/CVE-2024-24897.patch b/CVE-2024-24897.patch
new file mode 100644
index 0000000..bba27ac
--- /dev/null
+++ b/CVE-2024-24897.patch
@@ -0,0 +1,28 @@
+From c59e9b4dd509a456fb1fedb50cc7ff9ef7ad55f9 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Mon, 11 Mar 2024 19:05:07 +0800
+Subject: [PATCH] preventing possible Shell command injection
+
+---
+ atune_collector/plugin/monitor/process/sched.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/atune_collector/plugin/monitor/process/sched.py b/atune_collector/plugin/monitor/process/sched.py
+index 0fadeba..82e6d9f 100644
+--- a/atune_collector/plugin/monitor/process/sched.py
++++ b/atune_collector/plugin/monitor/process/sched.py
+@@ -68,8 +68,9 @@ class ProcSched(Monitor):
+ raise err
+
+ for app in self.__applications:
+- pid = subprocess.getoutput(
+- "ps -A | grep {} | awk '{{print $1}}'".format(app)).split()
++ pid = subprocess.getoutput("ps -A")
++ app_processes = [line for line in pid.split('\n') if app in line]
++ pid = [line.split()[0] for line in app_processes]
+ app_pid_flag = True if pid else False
+ proc_flag.append(app_pid_flag)
+ if pid:
+--
+2.33.0
+
diff --git a/atune-collector.spec b/atune-collector.spec
index f65cdd7..fcfa003 100644
--- a/atune-collector.spec
+++ b/atune-collector.spec
@@ -2,7 +2,7 @@ Name: atune-collector
 Version: 1.1.0
-Release: 7
+Release: 8
 Summary: A-Tune-Collector is used to collect various system resources.
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/A-Tune-Collector
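Review bot: The replacement lookup in the embedded sched.py hunk still runs through a shell, because `subprocess.getoutput` executes its argument with `shell=True` and merges stderr into the returned string, so when `ps` fails or is missing the error text is what gets scanned for `app` substrings and `line.split()[0]` then yields a bogus "PID". With the command now a fixed literal there is no injection path, but the shell is unneeded: `proc = subprocess.run(["ps", "-A"], stdout=subprocess.PIPE, universal_newlines=True)` followed by `app_processes = [line for line in proc.stdout.split('\n') if app in line]` drops it and keeps stderr out of the data. The matching also changed from the old `grep` regex to a plain substring test against the whole `ps -A` line (PID, TTY and TIME columns included), which looks intentional but deserves a comment such as `# substring match over the full ps line; same breadth as the old grep`. The `for` loop and the enclosing method continue outside the hunk.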
@@ -25,6 +25,7 @@ Patch14: feature-add-multi-for-rps-xps.patch
 Patch15: feature-add-rfs-to-network.patch
 Patch16: fix-bug-procsched-report-list-index-out-of-range.patch
 Patch17: fix-bug-procsched-data-collection-issue.patch
+Patch18: CVE-2024-24897.patch
 BuildRequires: python3-setuptools
 Requires: python3-dict2xml python3-werkzeug
@@ -49,6 +50,9 @@ The A-Tune-Collector is used to collect various system resources and can also be
 %attr(0600,root,root) %{_sysconfdir}/atune_collector/*
 %changelog
+* Tue Mar 12 2024 zhoupengcheng - 1.1.0-8
+- fix CVE-2024-24897
+
 * Fri Dec 15 2023 weiyaping - 1.1.0-7
 - fix bug: ProcSched.report: list index out of range
--
Gitee