Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
parent
fb84be47db
commit
6ba44b91e3
|
@ -318,7 +318,7 @@ LockServer(void)
|
|||
/*
|
||||
* Read the pid from the existing file
|
||||
*/
|
||||
lfd = open(LockFile, O_RDONLY);
|
||||
lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
|
||||
if (lfd < 0) {
|
||||
unlink(tmp);
|
||||
FatalError("Can't read lock file %s\n", LockFile);
|
||||
|
|
Loading…
Reference in New Issue