Package: nvi
Version: 1.81.6-13
Severity: important
Tags: patch upstream

[sorry for opening another bug report instead of replying to the bug log,
but replies to the bug log seem to go *completely* ignored by everybody;
just check the end of;
that virus/phishing message is there since more than a year!]

Opening the file read-only is enough for flock() -- please notice that
ep->fd is only used to keep the lock hot, that's not the descriptor that
is used for reading or writing data to the file.

--- nvi-1.81.6.orig/common/exf.c
+++ nvi-1.81.6/common/exf.c
@@ -408,7 +408,7 @@ postinit:
         * an error.
        if (rcv_name == NULL && ep->refcnt == 0) {
-               if ((ep->fd = open(oname, O_RDWR)) == -1)
+               if ((ep->fd = open(oname, O_RDONLY)) == -1)
                    goto no_lock;
                switch (file_lock(sp, oname, &ep->fcntl_fd, ep->fd, 1)) {

Reply via email to