Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ba44b91e3
)
This commit is contained in:
parent
d7ca4b7139
commit
4185af737d
|
@ -336,7 +336,7 @@ LockServer(void)
|
|||
/*
|
||||
* Read the pid from the existing file
|
||||
*/
|
||||
lfd = open(LockFile, O_RDONLY);
|
||||
lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
|
||||
if (lfd < 0) {
|
||||
unlink(tmp);
|
||||
FatalError("Can't read lock file %s\n", LockFile);
|
||||
|
|
Loading…
Reference in New Issue