Diffstat (limited to 'debian/patches/close_socket_before_scripts.patch')
-rw-r--r-- | debian/patches/close_socket_before_scripts.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
new file mode 100644
index 0000000..011a8e7
--- /dev/null
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -0,0 +1,32 @@
+Description: Set socket's FD_CLOEXEC flag before calling up script
+ Moving the set_cloexec() call from link_socket_init_phase2() to
+ link_socket_init_phase1().
+Author: Julien Cristau <jcristau@debian.org>
+Bug-Debian: http://bugs.debian.org/367716
+
+Index: openvpn-2.2.0/socket.c
+===================================================================
+--- openvpn-2.2.0.orig/socket.c 2011-04-21 21:13:34.000000000 +0200
++++ openvpn-2.2.0/socket.c 2011-05-10 16:18:35.300018716 +0200
+@@ -1327,6 +1327,10 @@
+ resolve_bind_local (sock);
+ resolve_remote (sock, 1, NULL, NULL);
+ }
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sock->sd);
+ }
+
+ /* finalize socket initialization */
+@@ -1532,10 +1536,6 @@
+ /* set socket to non-blocking mode */
+ set_nonblock (sock->sd);
+
+- /* set socket file descriptor to not pass across execs, so that
+- scripts don't have access to it */
+- set_cloexec (sock->sd);
+-
+ #ifdef ENABLE_SOCKS
+ if (socket_defined (sock->ctrl_sd))
+ set_cloexec (sock->ctrl_sd); |
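Review bot: Removing `set_cloexec (sock->sd);` in the second socket.c hunk (old line 1532 onward) means FD_CLOEXEC is applied only to whatever descriptor `sock->sd` holds at the end of phase 1. If link_socket_init_phase2() can later assign a different descriptor to `sock->sd`, for instance one returned by accept() in TCP server mode (not visible in these hunks, so this needs confirming against the full file), that descriptor would be inherited by scripts, which is the exposure this patch is meant to close. Setting the flag twice is harmless, so I would keep the phase 2 call and only add the phase 1 one, i.e. drop the four removed lines from the second hunk. It would also help to extend the new comment to say why the call is made this early, e.g. `/* set before any up script runs; repeated in phase 2 in case sd is replaced */`. Both function bodies start and end outside the hunks shown.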