Diffstat (limited to 'debian/patches/close_socket_before_scripts.patch')
-rw-r--r--debian/patches/close_socket_before_scripts.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
new file mode 100644
index 0000000..0b848a0
--- /dev/null
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -0,0 +1,32 @@
+Description: Set socket's FD_CLOEXEC flag before calling up script
+ Moving the set_cloexec() call from link_socket_init_phase2() to
+ link_socket_init_phase1().
+Author: Julien Cristau <jcristau@debian.org>
+Bug-Debian: http://bugs.debian.org/367716
+
+Index: openvpn/src/openvpn/socket.c
+===================================================================
+--- openvpn.orig/src/openvpn/socket.c 2016-11-21 09:58:03.562096178 +0100
++++ openvpn/src/openvpn/socket.c 2016-11-21 10:01:20.143091482 +0100
+@@ -1625,6 +1625,10 @@
+ }
+ resolve_remote (sock, 1, NULL, NULL);
+ }
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sock->sd);
+ }
+
+ static
+@@ -1677,10 +1681,6 @@
+ /* set socket to non-blocking mode */
+ set_nonblock (sock->sd);
+
+- /* set socket file descriptor to not pass across execs, so that
+- scripts don't have access to it */
+- set_cloexec (sock->sd);
+-
+ if (socket_defined (sock->ctrl_sd))
+ set_cloexec (sock->ctrl_sd);
+
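Review bot: The `set_cloexec (sock->sd);` added at the end of link_socket_init_phase1() (inner hunk at -1625) is unconditional, and nothing visible here shows that `sock->sd` is already a valid descriptor on every path through phase 1. If any mode creates or replaces the socket later (for example in phase 2, where the call is removed at -1677), that descriptor would no longer be marked close-on-exec and would still be inherited by scripts, which is the leak this patch is meant to close. Consider guarding the call the way the surrounding code already does for the control socket, `if (socket_defined (sock->sd)) set_cloexec (sock->sd);`, and keeping a call in phase 2 for descriptors created there. Both functions start and end outside the hunks, so this needs checking against the full socket.c.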