authorQualys Security Advisory <qsa@qualys.com>2021-02-21 21:53:55 -0800
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-04-28 00:40:47 +0200
commit645a31d16195bb6b73f0a0d0c04b2251e5b28421 (patch)
tree0863d6706add9ddacb52d8a79c9611b1bd6b3b89
parent638f7ca75694bcbb70cfbe7db2ef52af4aca5c83 (diff)
CVE-2020-28012: Missing close-on-exec flag for privileged pipe
(cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3)
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/rda.c5
2 files changed, 8 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e2843e3b6..a3bf92816 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -213,6 +213,9 @@ QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
runtime user.
+QS/03 When reading the output from interpreted forward files we do not
+ pass the pipe between the parent and the interpreting process to
+ executed child processes (if any).
Exim version 4.94
-----------------
diff --git a/src/src/rda.c b/src/src/rda.c
index aed8abc24..ce6e7a36d 100644
--- a/src/src/rda.c
+++ b/src/src/rda.c
@@ -618,9 +618,14 @@ search_tidyup();
if ((pid = exim_fork(US"router-interpret")) == 0)
{
header_line *waslast = header_last; /* Save last header */
+ int fd_flags = -1;
fd = pfd[pipe_write];
(void)close(pfd[pipe_read]);
+
+ if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
+ if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
+
exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
/* Addresses can get rewritten in filters; if we are not root or the exim
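Review bot: The two fcntl() calls that set FD_CLOEXEC on `fd` carry no comment saying why the flag matters at this point, so a reader of rda.c alone cannot tell that this pipe carries the interpreter's results back to the privileged parent and must not be inherited by any command the interpreted forward file goes on to execute. Suggest placing `/* Never pass the parent's pipe on to commands the interpreted file may run (CVE-2020-28012) */` above the `F_GETFD` line. The `bad:` label both `goto`s jump to lies outside the hunk, as does the rest of the enclosing function; confirm it is the child-side error exit (one that terminates the child) rather than a path that continues with the pipe still open. The `int fd_flags = -1;` initializer is overwritten unconditionally by the `F_GETFD` assignment before the variable is read, so it could be dropped or the declaration moved next to the call to keep the child setup block compact.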