Follow-up Comment #1, bug #36276 (project cvs):

All parse_config() calls do not check the return value, run_exec() does not close unneeded descriptors, and CVS_FOPEN does not set O_CLOEXEC, so there is a possibility that an external command gets access to the CVS configuration file.
I think copying the final fclose() after the set_defaults_and_return label is the best solution. A move is not enough because the non-error path would return without closing the file.

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?36276>
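The descriptor handling discussed in the comment above, as an added C example that is not CVS code and not part of the original comment. The helper names, the rule that a line starting with '!' is a syntax error, and the temp-file path are assumptions; it closes the file at a single exit label rather than with a copied fclose() call.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: open read-only with close-on-exec set atomically,
 * so a later fork()+exec() of an external command cannot inherit the fd. */
static FILE *fopen_cloexec(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Hypothetical parser (not CVS's parse_config): 0 on success, -1 on error.
 * Constructed rule: a line starting with '!' is a syntax error. */
static int parse_demo_config(const char *path, int *used_fd)
{
    char line[256];
    int rc = 0;
    FILE *fp = fopen_cloexec(path);
    if (fp == NULL)
        return -1;
    *used_fd = fileno(fp);
    while (fgets(line, sizeof line, fp) != NULL)
        if (line[0] == '!') { rc = -1; goto done; }
done:
    fclose(fp);               /* reached on the error and the success path */
    return rc;
}

/* Parse constructed text from a temp file; *leaked is 1 if the parser's
 * descriptor is still open afterwards. Returns the parser's result. */
static int run_case(const char *text, int *leaked)
{
    char path[] = "/tmp/cfgdemoXXXXXX";
    int used = -1, fd = mkstemp(path);
    if (fd < 0 || write(fd, text, strlen(text)) < 0)
        return -2;
    close(fd);
    int rc = parse_demo_config(path, &used);
    *leaked = fcntl(used, F_GETFD) != -1;
    unlink(path);
    return rc;
}
```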