- use O_CLOEXEC for all opened files in all applications (rhbz#438189)

iptables-1.4.0-cloexec.patch

@@ -1,6 +1,66 @@
+diff -up iptables-1.4.0/iptables-save.c.cloexec iptables-1.4.0/iptables-save.c
+--- iptables-1.4.0/iptables-save.c.cloexec	2008-03-20 15:17:38.000000000 +0100
++++ iptables-1.4.0/iptables-save.c	2008-03-20 15:17:40.000000000 +0100
+@@ -255,7 +255,7 @@ static int for_each_table(int (*func)(co
+ 	FILE *procfile = NULL;
+ 	char tablename[IPT_TABLE_MAXNAMELEN+1];
+ 
+-	procfile = fopen("/proc/net/ip_tables_names", "r");
++	procfile = fopen("/proc/net/ip_tables_names", "re");
+ 	if (!procfile)
+ 		exit_error(OTHER_PROBLEM,
+ 			   "Unable to open /proc/net/ip_tables_names: %s\n",
+diff -up iptables-1.4.0/ip6tables-save.c.cloexec iptables-1.4.0/ip6tables-save.c
+--- iptables-1.4.0/ip6tables-save.c.cloexec	2008-03-20 15:17:40.000000000 +0100
++++ iptables-1.4.0/ip6tables-save.c	2008-03-20 15:17:40.000000000 +0100
+@@ -232,7 +232,7 @@ static int for_each_table(int (*func)(co
+ 	FILE *procfile = NULL;
+ 	char tablename[IP6T_TABLE_MAXNAMELEN+1];
+ 
+-	procfile = fopen("/proc/net/ip6_tables_names", "r");
++	procfile = fopen("/proc/net/ip6_tables_names", "re");
+ 	if (!procfile)
+ 		exit_error(OTHER_PROBLEM,
+ 			   "Unable to open /proc/net/ip6_tables_names: %s\n",
+diff -up iptables-1.4.0/ip6tables-restore.c.cloexec iptables-1.4.0/ip6tables-restore.c
+--- iptables-1.4.0/ip6tables-restore.c.cloexec	2008-03-20 15:21:36.000000000 +0100
++++ iptables-1.4.0/ip6tables-restore.c	2008-03-20 15:21:53.000000000 +0100
+@@ -165,7 +165,7 @@ int main(int argc, char *argv[])
+ 	}
+ 	
+ 	if (optind == argc - 1) {
+-		in = fopen(argv[optind], "r");
++		in = fopen(argv[optind], "re");
+ 		if (!in) {
+ 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ 				strerror(errno));
+diff -up iptables-1.4.0/iptables-xml.c.cloexec iptables-1.4.0/iptables-xml.c
+--- iptables-1.4.0/iptables-xml.c.cloexec	2008-03-20 15:17:40.000000000 +0100
++++ iptables-1.4.0/iptables-xml.c	2008-03-20 15:17:38.000000000 +0100
+@@ -664,7 +664,7 @@ main(int argc, char *argv[])
+ 	}
+ 
+ 	if (optind == argc - 1) {
+-		in = fopen(argv[optind], "r");
++		in = fopen(argv[optind], "re");
+ 		if (!in) {
+ 			fprintf(stderr, "Can't open %s: %s", argv[optind],
+ 				strerror(errno));
+diff -up iptables-1.4.0/iptables-restore.c.cloexec iptables-1.4.0/iptables-restore.c
+--- iptables-1.4.0/iptables-restore.c.cloexec	2008-03-20 15:17:40.000000000 +0100
++++ iptables-1.4.0/iptables-restore.c	2008-03-20 15:17:40.000000000 +0100
+@@ -170,7 +170,7 @@ main(int argc, char *argv[])
+ 	}
+ 	
+ 	if (optind == argc - 1) {
+-		in = fopen(argv[optind], "r");
++		in = fopen(argv[optind], "re");
+ 		if (!in) {
+ 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ 				strerror(errno));
 diff -up iptables-1.4.0/xtables.c.cloexec iptables-1.4.0/xtables.c
---- iptables-1.4.0/xtables.c.cloexec	2008-02-11 13:50:20.000000000 +0100
+--- iptables-1.4.0/xtables.c.cloexec	2008-03-20 15:17:40.000000000 +0100
-+++ iptables-1.4.0/xtables.c	2008-02-11 13:51:03.000000000 +0100
++++ iptables-1.4.0/xtables.c	2008-03-20 15:17:40.000000000 +0100
 @@ -428,6 +428,12 @@ static int compatible_revision(const cha
  		exit(1);
  	}

iptables.spec

@@ -4,7 +4,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -163,6 +163,9 @@ fi
 %endif
 
 %changelog
+* Thu Mar 20 2008 Thomas Woerner <twoerner@redhat.com> 1.4.0-4
+- use O_CLOEXEC for all opened files in all applications (rhbz#438189)
+
 * Mon Mar  3 2008 Thomas Woerner <twoerner@redhat.com> 1.4.0-3
 - use the kernel headers from the build tree for iptables for now to be able to 
   compile this package, but this makes the package more kernel dependant