CVE-2020-28012: Missing close-on-exec flag for privileged pipe

(cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3)
(cherry picked from commit 645a31d16195bb6b73f0a0d0c04b2251e5b28421)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index adf43bc4bf18279589ea39210aadfbd87cd0665c..bcace272d3c442d6e6ec6882e9e8007df55a3ef3 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -302,6 +302,9 @@ QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
 QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
       runtime user.
 
+QS/03 When reading the output from interpreted forward files we do not
+      pass the pipe between the parent and the interpreting process to
+      executed child processes (if any).
 
 Exim version 4.94
 -----------------

diff --git a/src/src/rda.c b/src/src/rda.c
index 5615b64d5b893edb93f0e0c5686b31d0e1dbba58..fb3714ea21bc2e35cd507d42e35f4a0761620fd1 100644 (file)
--- a/src/src/rda.c
+++ b/src/src/rda.c
@@ -618,9 +618,14 @@ search_tidyup();
 if ((pid = exim_fork(US"router-interpret")) == 0)
   {
   header_line *waslast = header_last;   /* Save last header */
+  int fd_flags = -1;
 
   fd = pfd[pipe_write];
   (void)close(pfd[pipe_read]);
+
+  if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
+  if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
+
   exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
 
   /* Addresses can get rewritten in filters; if we are not root or the exim