Package: nvi Version: 1.81.6-13 Severity: important Tags: patch upstream [sorry for opening another bug report instead of replying to the bug log, but replies to the bug log seem to go *completely* ignored by everybody; just check the end of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497342; that virus/phishing message is there since more than a year!]
Opening the file read-only is enough for flock() -- please notice that ep->fd is only used to keep the lock hot, that's not the descriptor that is used for reading or writing data to the file. --- nvi-1.81.6.orig/common/exf.c +++ nvi-1.81.6/common/exf.c @@ -408,7 +408,7 @@ postinit: * an error. */ if (rcv_name == NULL && ep->refcnt == 0) { - if ((ep->fd = open(oname, O_RDWR)) == -1) + if ((ep->fd = open(oname, O_RDONLY)) == -1) goto no_lock; switch (file_lock(sp, oname, &ep->fcntl_fd, ep->fd, 1)) {