Follow-up Comment #1, bug #36276 (project cvs):
All parse_config() calls do not check the return value, run_exec() does not
close unneeded descriptors, and CVS_FOPEN does not set O_CLOEXEC, so there is
a possibility that an external command gets access to the CVS configuration
file.
I think copying the final fclose() after the set_defaults_and_return label is
the best solution. A move is not enough because the non-error path would
return without closing the file.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?36276>
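
The fix pattern discussed in the comment above, as an added example that is not part of the original message and is not the CVS source: a hypothetical parse_config_demo() closes the file on both exit paths and opens it close-on-exec, and run_case() measures whether a descriptor stays open after a parse error. The function names, the key=value rule and the sample inputs are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for a config parser: 0 on success, -1 on error. */
int parse_config_demo(const char *path)
{
    char line[256];
    int rc = 0;
    FILE *fp = fopen(path, "re");   /* 'e' sets O_CLOEXEC (glibc 2.7+) */
    if (fp == NULL)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL)
        if (strchr(line, '=') == NULL) {   /* constructed rule: key=value only */
            rc = -1;
            goto done;                     /* error exit */
        }
done:
    fclose(fp);   /* reached from both the success and the error path */
    return rc;
}

/* Number of open descriptors below 256, used to detect a leak. */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 256; fd++)
        n += fcntl(fd, F_GETFD) != -1;
    return n;
}

/* Parse constructed contents from a temp file; *leaked gets the fd delta. */
int run_case(const char *contents, int *leaked)
{
    char path[] = "/tmp/cfgdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -2;
    ssize_t w = write(fd, contents, strlen(contents));
    close(fd);
    int before = count_open_fds();
    int rc = w < 0 ? -2 : parse_config_demo(path);
    *leaked = count_open_fds() - before;
    unlink(path);
    return rc;
}
```

Removing the fclose() at the done label makes run_case() report one leaked descriptor for the malformed input, which is the descriptor a later exec() would hand to the child if close-on-exec were not set.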