From bf9bb1c1ba8059ea42cdc8f318aa9410147a0d16 Mon Sep 17 00:00:00 2001
From: zhoupengcheng
Date: Tue, 12 Mar 2024 15:21:23 +0800
Subject: [PATCH] fix CVE-2024-24897
(cherry picked from commit 5960d2e3e02441399f0317a13dcce5172e540ba9)
---
 CVE-2024-24897.patch | 28 ++++++++++++++++++++++++++++
 atune-collector.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-24897.patch
diff --git a/CVE-2024-24897.patch b/CVE-2024-24897.patch
new file mode 100644
index 0000000..bba27ac
--- /dev/null
+++ b/CVE-2024-24897.patch
@@ -0,0 +1,28 @@
+From c59e9b4dd509a456fb1fedb50cc7ff9ef7ad55f9 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Mon, 11 Mar 2024 19:05:07 +0800
+Subject: [PATCH] preventing possible Shell command injection
+
+---
+ atune_collector/plugin/monitor/process/sched.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/atune_collector/plugin/monitor/process/sched.py b/atune_collector/plugin/monitor/process/sched.py
+index 0fadeba..82e6d9f 100644
+--- a/atune_collector/plugin/monitor/process/sched.py
++++ b/atune_collector/plugin/monitor/process/sched.py
+@@ -68,8 +68,9 @@ class ProcSched(Monitor):
+ raise err
+
+ for app in self.__applications:
+- pid = subprocess.getoutput(
+- "ps -A | grep {} | awk '{{print $1}}'".format(app)).split()
++ pid = subprocess.getoutput("ps -A")
++ app_processes = [line for line in pid.split('\n') if app in line]
++ pid = [line.split()[0] for line in app_processes]
+ app_pid_flag = True if pid else False
+ proc_flag.append(app_pid_flag)
+ if pid:
+--
+2.33.0
+
diff --git a/atune-collector.spec b/atune-collector.spec
index 3e1fe0d..ae977dc 100644
--- a/atune-collector.spec
+++ b/atune-collector.spec
@@ -2,7 +2,7 @@
 Name: atune-collector
 Version: 1.3.0
-Release: 1
+Release: 2
 Summary: A-Tune-Collector is used to collect various system resources.
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/A-Tune-Collector
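Review bot: The rewritten lookup in the embedded sched.py hunk still runs `ps` through a shell via `subprocess.getoutput("ps -A")` and never skips the `ps` header line, so a configured application name that happens to be a substring of `PID TTY TIME CMD` — or of any unrelated command name, as `if app in line` is a plain substring test — is reported as running, with the header's `PID` token ending up in the pid list; the removed `grep` over-matched the same way, so this is carried over rather than introduced, but the shell-injection path is now closed. `getoutput` also merges stderr into stdout, so when `ps` fails its error text is filtered as if it were process lines instead of being reported. Since the command is now a constant, `pid = subprocess.run(["ps", "-A"], capture_output=True, text=True).stdout` followed by `app_processes = [line for line in pid.splitlines()[1:] if app in line]` avoids the shell entirely and drops the header, and a `check=True` or a returncode test would surface a failed `ps` rather than yielding an empty list. Reusing `pid` first for the raw text and then for the list of ids makes the later `if pid:` harder to read; a separate name such as `ps_output` would help. The enclosing method of ProcSched starts and ends outside the hunk.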
@@ -11,6 +11,8 @@ Source: https://gitee.com/openeuler/A-Tune-Collector/repository/archive/v%{versi
 BuildRequires: python3-setuptools
 Requires: python3-dict2xml python3-werkzeug
+Patch9000: CVE-2024-24897.patch
+
 %description
 The A-Tune-Collector is used to collect various system resources and can also be used as the collector of the A-Tune project.
@@ -32,6 +34,9 @@ The A-Tune-Collector is used to collect various system resources and can also be
 %attr(0600,root,root) %{_sysconfdir}/atune_collector/*
 %changelog
+* Tue Mar 12 2024 zhoupengcheng - 1.3.0-2
+- fix CVE-2024-24897
+
 * Sat Jan 27 2024 zhoupengcheng - 1.3.0-1
 - update v1.3.0
--
Gitee