packages/A-Tune-Collector
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-24897

Browse Source 
(cherry picked from commit 5960d2e3e02441399f0317a13dcce5172e540ba9)
This commit is contained in:
zhoupengcheng 2024-03-12 15:21:23 +08:00 committed by openeuler-sync-bot
parent fed1820343
commit bf9bb1c1ba
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2024-24897.patch Normal file
View File

@ -0,0 +1,28 @@
From c59e9b4dd509a456fb1fedb50cc7ff9ef7ad55f9 Mon Sep 17 00:00:00 2001
From: zhoupengcheng <zhoupengcheng11@huawei.com>
Date: Mon, 11 Mar 2024 19:05:07 +0800
Subject: [PATCH] preventing possible Shell command injection
---
atune_collector/plugin/monitor/process/sched.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/atune_collector/plugin/monitor/process/sched.py b/atune_collector/plugin/monitor/process/sched.py
index 0fadeba..82e6d9f 100644
--- a/atune_collector/plugin/monitor/process/sched.py
+++ b/atune_collector/plugin/monitor/process/sched.py
@@ -68,8 +68,9 @@ class ProcSched(Monitor):
raise err
for app in self.__applications:
- pid = subprocess.getoutput(
- "ps -A | grep {} | awk '{{print $1}}'".format(app)).split()
+ pid = subprocess.getoutput("ps -A")
+ app_processes = [line for line in pid.split('\n') if app in line]
+ pid = [line.split()[0] for line in app_processes]
app_pid_flag = True if pid else False
proc_flag.append(app_pid_flag)
if pid:
--
2.33.0

7
atune-collector.spec
View File

@ -2,7 +2,7 @@
Name: atune-collector
Version: 1.3.0
Release: 1
Release: 2
Summary: A-Tune-Collector is used to collect various system resources.
License: Mulan PSL v2
URL: https://gitee.com/openeuler/A-Tune-Collector
@ -11,6 +11,8 @@ Source: https://gitee.com/openeuler/A-Tune-Collector/repository/archive/v%{versi
BuildRequires: python3-setuptools
Requires: python3-dict2xml python3-werkzeug
Patch9000: CVE-2024-24897.patch
%description
The A-Tune-Collector is used to collect various system resources and can also be used as the collector of the A-Tune project.
@ -32,6 +34,9 @@ The A-Tune-Collector is used to collect various system resources and can also be
%attr(0600,root,root) %{_sysconfdir}/atune_collector/*
%changelog
* Tue Mar 12 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.3.0-2
- fix CVE-2024-24897
* Sat Jan 27 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.3.0-1
- update v1.3.0