From e801fa14723494d1a8d648bcd3584e873caead81 Mon Sep 17 00:00:00 2001
From: Petr Machata <pmachata@fedoraproject.org>
Date: Sep 22 2008 08:42:20 +0000
Subject: - Mark opened files as cloexec to prevent their leaking through fork

- Resolves: #462090

---

diff --git a/make-3.81-fdleak.patch b/make-3.81-fdleak.patch
new file mode 100644
index 0000000..442ee54
--- /dev/null
+++ b/make-3.81-fdleak.patch
@@ -0,0 +1,60 @@
+diff -urp make-3.81/read.c make-3.81-leak/read.c
+--- make-3.81/read.c	2006-03-17 15:24:20.000000000 +0100
++++ make-3.81-leak/read.c	2008-09-16 16:43:12.000000000 +0200
+@@ -296,6 +300,37 @@ restore_conditionals (struct conditional
+   conditionals = saved;
+ }
+ 
++/* If possible, open the file and mark it close-on-exec, so that make
++   doesn't leak the descriptor to binaries called via $(shell ...).*/
++static FILE *
++open_makefile (char *filename)
++{
++  FILE *fp;
++
++#if HAVE_FDOPEN
++  int fd = open (filename, O_RDONLY);
++  int save;
++  if (fd < 0)
++    return NULL;
++
++  fp = fdopen (fd, "r");
++  if (fp == NULL)
++    {
++      save = errno;
++      close (fd);
++      errno = save;
++      return NULL;
++    }
++
++  CLOSE_ON_EXEC (fd);
++
++#else
++  fp = fopen (filename, "r");
++#endif
++
++  return fp;
++}
++
+ static int
+ eval_makefile (char *filename, int flags)
+ {
+@@ -335,7 +376,8 @@ eval_makefile (char *filename, int flags
+ 	filename = expanded;
+     }
+ 
+-  ebuf.fp = fopen (filename, "r");
++  ebuf.fp = open_makefile (filename);
++
+   /* Save the error code so we print the right message later.  */
+   makefile_errno = errno;
+ 
+@@ -348,7 +390,7 @@ eval_makefile (char *filename, int flags
+       for (i = 0; include_directories[i] != 0; ++i)
+ 	{
+ 	  included = concat (include_directories[i], "/", filename);
+-	  ebuf.fp = fopen (included, "r");
++	  ebuf.fp = open_makefile (included);
+ 	  if (ebuf.fp)
+ 	    {
+ 	      filename = included;
diff --git a/make.spec b/make.spec
index 5d7965c..2244f6f 100644
--- a/make.spec
+++ b/make.spec
@@ -3,7 +3,7 @@ Summary: A GNU tool which simplifies the build process for users
 Name: make
 Epoch: 1
 Version: 3.81
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: Development/Tools
 URL: http://www.gnu.org/software/make/
@@ -16,6 +16,7 @@ Patch7: make-3.81-memory.patch
 Patch8: make-3.81-rlimit.patch
 Patch9: make-3.81-newlines.patch
 Patch10: make-3.81-jobserver.patch
+Patch11: make-3.81-fdleak.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires(post): /sbin/install-info
 Requires(preun): /sbin/install-info
@@ -38,6 +39,7 @@ makefile.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 %build
 %configure
@@ -76,6 +78,10 @@ fi
 %{_infodir}/*.info*
 
 %changelog
+* Tue Sep 16 2008 Petr Machata <pmachata@redhat.com> - 1:3.81-13
+- Mark opened files as cloexec to prevent their leaking through fork
+- Resolves: #462090
+
 * Tue Mar 25 2008 Petr Machata <pmachata@redhat.com> - 1:3.81-12
 - Fix the rlimit patch.  The success flag is kept in memory shared
   with parent process after vfork, and so cannot be reset.