From 158fee17330032cdbaee8b19cba582c795180024 Mon Sep 17 00:00:00 2001
From: Nathan Scott
Date: Wed, 17 Apr 2024 10:34:15 +1000
Subject: [PATCH] Back-port pmproxy RESP proxying configuration defaults

Change pmproxy default configuration for CVE-2024-3019

Resolves: RHEL-30715
---
 pcp.spec | 6 ++++-
 ...EL-30715-pmproxy-resp-proxy-disabled.patch | 27 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch

diff --git a/pcp.spec b/pcp.spec
index 1d9825b..ba9d9b3 100644
--- a/pcp.spec
+++ b/pcp.spec
@@ -1,6 +1,6 @@
 Name: pcp
 Version: 5.3.7
-Release: 19%{?dist}
+Release: 20%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL: https://pcp.io
@@ -27,6 +27,7 @@ Patch16: redhat-bugzilla-2211263-pmcd-conf-rewrite.patch
 Patch17: redhat-build-jsonsl.patch
 Patch18: redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
 Patch19: redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
+Patch20: redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
 
 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@@ -3365,6 +3366,9 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
+* Wed Apr 17 2024 Nathan Scott - 5.3.7-20
+- Disable RESP proxying by default in pmproxy (RHEL-30715)
+
 * Tue Nov 21 2023 Nathan Scott - 5.3.7-19
 - Fix OpenMetrics PMDA mishandling systemd metrics (RHEL-7507)
 - Additional pmlogger_farm service SELinux policy (RHEL-7501)
diff --git a/redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch b/redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
new file mode 100644
index 0000000..7ecacbd
--- /dev/null
+++ b/redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
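Review bot: The `Patch20:` declaration added in the second pcp.spec hunk has no matching change in `%prep`, so unless the spec applies its patch list with `%autosetup`/`%autopatch` (not visible in this diff) the back-ported fix is declared but never applied and the built package still ships `redis.enabled = true`. If the spec uses explicit per-patch lines, the companion change is `%patch20 -p1` next to the existing `%patch19` line. The `%prep` section lies entirely outside the hunks shown here, so this needs confirming against the full spec before the 5.3.7-20 build is trusted as the CVE-2024-3019 mitigation.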
@@ -0,0 +1,27 @@
+commit 3bde240a2acc85e63e2f7813330713dd9b59386e
+Author: Nathan Scott
+Date: Wed Mar 27 14:51:28 2024 +1100
+
+ pmproxy: disable Redis protocol proxying by default
+
+ If a redis-server has been locked down in terms of connections,
+ we want to prevent pmproxy from being allowed to send arbitrary
+ RESP commands to it.
+
+ This protocol proxying doesn't affect PCP functionality at all,
+ its more of a developer/sysadmin convenience when Redis used in
+ cluster mode (relatively uncommon compared to localhost mode).
+
+diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
+index e54891792e..4cbc1c96af 100644
+--- a/src/pmproxy/pmproxy.conf
++++ b/src/pmproxy/pmproxy.conf
+@@ -29,7 +29,7 @@ pcp.enabled = true
+ http.enabled = true
+ 
+ # support Redis protocol proxying
+-redis.enabled = true
++redis.enabled = false
+ 
+ # support SSL/TLS protocol wrapping
+ secure.enabled = true
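Review bot: Flipping the shipped default to `redis.enabled = false` only reaches hosts that install pmproxy.conf fresh; if the packaged file is marked `%config(noreplace)` (not visible in this diff), hosts upgrading to 5.3.7-20 keep their existing `redis.enabled = true` and remain in the configuration this back-port is meant to retire. The spec changelog entry should say so explicitly, e.g. `- Disable RESP proxying by default in pmproxy (RHEL-30715); existing pmproxy.conf files are not modified on upgrade and must set redis.enabled = false by hand`, so that operators tracking CVE-2024-3019 do not assume the upgrade alone closes the exposure. The nested pmproxy.conf hunk is fully contained, but the inline comment above the setting (`# support Redis protocol proxying`) could also note that the option now defaults to disabled and what enabling it permits.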