mirror of
https://github.com/X11Libre/xserver.git
synced 2026-04-14 17:18:09 +00:00
Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
@@ -318,7 +318,7 @@ LockServer(void)
|
||||
/*
|
||||
* Read the pid from the existing file
|
||||
*/
|
||||
lfd = open(LockFile, O_RDONLY);
|
||||
lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
|
||||
if (lfd < 0) {
|
||||
unlink(tmp);
|
||||
FatalError("Can't read lock file %s\n", LockFile);
|
||||
|
||||
Reference in New Issue
Block a user