Fix CVE-2024-3019

CVE-2024-3019.patch

@@ -0,0 +1,31 @@
+From 3bde240a2acc85e63e2f7813330713dd9b59386e Mon Sep 17 00:00:00 2001
+From: Nathan Scott <nathans@redhat.com>
+Date: Wed, 27 Mar 2024 14:51:28 +1100
+Subject: [PATCH] pmproxy: disable Redis protocol proxying by default
+
+origin: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e
+
+If a redis-server has been locked down in terms of connections,
+we want to prevent pmproxy from being allowed to send arbitrary
+RESP commands to it.
+
+This protocol proxying doesn't affect PCP functionality at all,
+its more of a developer/sysadmin convenience when Redis used in
+cluster mode (relatively uncommon compared to localhost mode).
+---
+ src/pmproxy/pmproxy.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
+index e54891792e..4cbc1c96af 100644
+--- a/src/pmproxy/pmproxy.conf
++++ b/src/pmproxy/pmproxy.conf
+@@ -29,7 +29,7 @@ pcp.enabled = true
+ http.enabled = true
+ 
+ # support Redis protocol proxying
+-redis.enabled = true
++redis.enabled = false
+ 
+ # support SSL/TLS protocol wrapping
+ secure.enabled = true

pcp.spec

@@ -1,12 +1,13 @@
 Name:    pcp
 Version: 6.1.1
-Release: 2
+Release: 3
 Summary: System-level performance monitoring and performance management
 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0
 URL:     https://pcp.io
 
 Source0: https://github.com/performancecopilot/pcp/releases/pcp-%{version}.src.tar.gz
 Patch0:  0001-riscv-config-pmdabpf_arch-value.patch
+Patch1:  CVE-2024-3019.patch
 
 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@@ -3099,6 +3100,9 @@ fi
 
 
 %changelog
+* Fri Mar 29 2024 wangkai <13474090681@163.com> - 6.1.1-3
+- Fix CVE-2024-3019
+
 * Wed Mar 20 2024 laokz <zhangkai@iscas.ac.cn> - 6.1.1-2
 - riscv: backport upstream patch to fix config variable