From 30a64932e8240f457e45df22c157acea18f36ef1 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 29 Mar 2024 15:49:05 +0800
Subject: [PATCH] Fix CVE-2024-3019

(cherry picked from commit 1443bbc845b7065c4df4324bb9fb263fa3a74484)
---
 CVE-2024-3019.patch | 31 +++++++++++++++++++++++++++++++
 pcp.spec | 6 +++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-3019.patch

diff --git a/CVE-2024-3019.patch b/CVE-2024-3019.patch
new file mode 100644
index 0000000..925b8e3
--- /dev/null
+++ b/CVE-2024-3019.patch
@@ -0,0 +1,31 @@
+From 3bde240a2acc85e63e2f7813330713dd9b59386e Mon Sep 17 00:00:00 2001
+From: Nathan Scott
+Date: Wed, 27 Mar 2024 14:51:28 +1100
+Subject: [PATCH] pmproxy: disable Redis protocol proxying by default
+
+origin: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e
+
+If a redis-server has been locked down in terms of connections,
+we want to prevent pmproxy from being allowed to send arbitrary
+RESP commands to it.
+
+This protocol proxying doesn't affect PCP functionality at all,
+its more of a developer/sysadmin convenience when Redis used in
+cluster mode (relatively uncommon compared to localhost mode).
+---
+ src/pmproxy/pmproxy.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
+index e54891792e..4cbc1c96af 100644
+--- a/src/pmproxy/pmproxy.conf
++++ b/src/pmproxy/pmproxy.conf
+@@ -29,7 +29,7 @@ pcp.enabled = true
+ http.enabled = true
+
+ # support Redis protocol proxying
+-redis.enabled = true
++redis.enabled = false
+
+ # support SSL/TLS protocol wrapping
+ secure.enabled = true
diff --git a/pcp.spec b/pcp.spec
index d1dc2fe..fc3f4fb 100644
--- a/pcp.spec
+++ b/pcp.spec
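Review bot: The flipped default `-redis.enabled = true` / `+redis.enabled = false` in src/pmproxy/pmproxy.conf is a configuration-file change rather than a code fix, so it only protects hosts whose pmproxy.conf is written from the package. If the spec ships that file as `%config(noreplace)` (the %files section is not in this diff), an upgrade keeps the administrator's existing copy and already-deployed proxies continue to accept arbitrary RESP forwarding; the changelog entry should state this, e.g. `- Fix CVE-2024-3019: disable Redis protocol proxying by default in pmproxy.conf (existing configurations are not modified on upgrade)`. The nested `From: Nathan Scott` line has lost its e-mail address, which rpmbuild's `%patch` ignores but `git am` may reject if the patch is later reused that way.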
@@ -55,12 +55,13 @@
 Name: pcp
 Version: 5.3.7
 Summary: System-level performance monitoring and performance management
-Release: 3
+Release: 4
 License: GPL-2.0-or-later and LGPL-2.0-or-later and CC-BY-SA-3.0
 URL: https://pcp.io
 Source0: https://github.com/performancecopilot/pcp/archive/refs/tags/%{version}.tar.gz
 #Refer: https://github.com/performancecopilot/pcp/pull/822
 Patch0: fix-out-of-range-mpstat.patch
+Patch1: CVE-2024-3019.patch
 BuildRequires: make
 BuildRequires: gcc gcc-c++
 BuildRequires: procps autoconf bison flex
@@ -1932,6 +1933,9 @@ systemctl condrestart pmproxy.service >/dev/null 2>&1
 %changelog
+* Fri Mar 29 2024 wangkai <13474090681@163.com> - 5.3.7-4
+- Fix CVE-2024-3019
+
 * Mon Feb 13 2023 wangkai - 5.3.7-3
 - Fix out of range in pcp-mpstat
--
Gitee
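Review bot: `+Patch1: CVE-2024-3019.patch` is declared but nothing in this hunk applies it; unless %prep uses `%autosetup` or `%autopatch` (the %prep section is outside this diff), a `%patch1 -p1` line is needed next to the existing `%patch0 -p1`, or the build will succeed at Release 4 with pmproxy.conf unchanged. A check worth adding to the review is to confirm the built package's pmproxy.conf contains `redis.enabled = false`. The `#Refer:` comment above Patch0 has no counterpart for Patch1; a line such as `#Refer: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e` would keep the provenance convention consistent.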