From 3a7de55e5d6ede7fc39dff294314e2836941994c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= <mpospisi@redhat.com>
Date: Thu, 26 Mar 2026 15:54:07 +0100
Subject: [PATCH] pcs-0.10.18-2.el8_10.9

- Fixed CVE-2026-31958 by patching bundled Tornado
  Resolves: RHEL-155293
---
 .gitignore                                    |  1 +
 ...isable-multipart-requests-in-Tornado.patch | 54 +++++++++++++++++++
 pcs.spec                                      | 10 +++-
 sources                                       |  2 +-
 4 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 RHEL-155293-01-disable-multipart-requests-in-Tornado.patch

diff --git a/.gitignore b/.gitignore
index a93d15d..f4645b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,4 @@
 /rexml-3.4.1.gem
 /rack-2.2.20.gem
 /tornado-v6.1.0.pcs.3.tar.gz
+/tornado-v6.1.0.pcs.4.tar.gz
diff --git a/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch b/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
new file mode 100644
index 0000000..c97a1f8
--- /dev/null
+++ b/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
@@ -0,0 +1,54 @@
+From 7fc3db518798cbbd4d11028d52837d460640fb06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= <mpospisi@redhat.com>
+Date: Wed, 25 Mar 2026 22:01:21 +0100
+Subject: [PATCH] disable multipart requests in Tornado
+
+Pcsd doesn't use multipart requests and recently, there have been
+vulnerabilities targeting both Rack and Tornado. Since we use Tornado as
+a proxy for our Ruby daemon, this also helps mitigate future Rack multipart
+vulnerabilities.
+
+Multipart vulnerabilities:
+https://www.cve.org/CVERecord?id=CVE-2026-31958
+https://www.cve.org/CVERecord?id=CVE-2025-61771
+https://www.cve.org/CVERecord?id=CVE-2025-61770
+---
+ pcs/daemon/run.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
+index 0a6b1b211..19586b18a 100644
+--- a/pcs/daemon/run.py
++++ b/pcs/daemon/run.py
+@@ -3,6 +3,11 @@ import signal
+ import socket
+ from pathlib import Path
+ 
++from tornado.httputil import (
++    ParseBodyConfig,
++    ParseMultipartConfig,
++    set_parse_body_config,
++)
+ from tornado.ioloop import IOLoop
+ from tornado.locks import Lock
+ from tornado.web import Application
+@@ -71,6 +76,16 @@ def configure_app(
+             reload its SSL certificates). A relevant handler should get this
+             object via the method `initialize`.
+         """
++
++        # Disable multipart requests to enhance security due to recent CVEs
++        # https://www.cve.org/CVERecord?id=CVE-2026-31958
++        # https://www.cve.org/CVERecord?id=CVE-2025-61771
++        # https://www.cve.org/CVERecord?id=CVE-2025-61770
++        # https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.set_parse_body_config
++        set_parse_body_config(
++            ParseBodyConfig(multipart=ParseMultipartConfig(enabled=False))
++        )
++
+         routes = sinatra_remote.get_routes(
+             ruby_pcsd_wrapper,
+             sync_config_lock,
+-- 
+2.53.0
+
diff --git a/pcs.spec b/pcs.spec
index 007978c..2b4b5e8 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.8
+Release: 2%{?dist}.9
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.3
+%global tornado_version    6.1.0.pcs.4
 
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -117,6 +117,7 @@ Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
 Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
 Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
+Patch5: RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
 
 # git for patches
 BuildRequires: git-core
@@ -309,6 +310,7 @@ update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
 update_times_patch %{PATCH4}
+update_times_patch %{PATCH5}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -565,6 +567,10 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
+* Thu Mar 26 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.9
+- Fixed CVE-2026-31958 by patching bundled Tornado
+  Resolves: RHEL-155293
+
 * Mon Jan 19 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.8
 - Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
   Resolves: RHEL-136415, RHEL-136420
diff --git a/sources b/sources
index ae2a947..bf13fa8 100644
--- a/sources
+++ b/sources
@@ -18,4 +18,4 @@ SHA512 (tilt-2.3.0.gem) = 78a3de34e3d096e40cb245807bad07cc3ebfa192986addbd228c25
 SHA512 (pcs-0.10.18.tar.gz) = 5cadb8158bd97e6f20fdf5fc492e85febf596e813b2e64a6dfb13da803ef3d2a3c1fe63d8e26d9b18279f23bfab9a8ff40fab10c9a87fa84b1da302648533ba0
 SHA512 (rexml-3.4.1.gem) = e5c104416c9f4695c124df90b39bda3ac8b39584b526fca9fbe57171ae25b13ee178a619fa1801934bd764d2c73f46316c14bc634e8efa8f7859c595ba055622
 SHA512 (rack-2.2.20.gem) = 11ad158b49bf7c3bbfe781d4f895eddbffbb66f0597b91459c33b99851607521f3366f515c1b72550b0384cf30eebf3021b68319f8fceac6d480a144596a8e79
-SHA512 (tornado-v6.1.0.pcs.3.tar.gz) = 11ea9ca160de1bd4014b90b1e6d64225d9d2768bd63ef01154cb90e7f28fe471977715fdaf39a2f63c46add392c2a2135f6c4c90dfbb13b0712438601e24d29d
+SHA512 (tornado-v6.1.0.pcs.4.tar.gz) = 03f15b475e1eba6064570ac77149a90db592d93b6755f685c1ca9e4f862ff42e0e33dfcbc2403af4fdb4e4e80f38688d67344e1d51217440fb104f94944e8fd0