I've attached my fix here - I drop privileges to the invoking user before opening configuration files, and regain privileges afterwards.
I also put in checks to prevent a second security-relevant bug, which is a potentially exploitable integer overflow leading to heap corruption by providing a configuration file (or socket) with a very large number of lines, causing several malloc() calls to under-allocate space.
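The integer-overflow check described in the comment above, as an added example that is not the attached patch or the project's own code: the line count is validated before it is multiplied into an allocation size. The function names and the `MAX_CONFIG_LINES` cap are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on lines accepted from a config file or socket. */
#define MAX_CONFIG_LINES 65536u

/* Size an unchecked malloc(count * sizeof(char *)) would request.
 * Unsigned multiplication wraps, so a huge count yields a tiny size. */
static size_t naive_table_bytes(size_t count) {
    return count * sizeof(char *);
}

/* Allocate a table of `count` line pointers, rejecting counts that are
 * zero, above the cap, or that would overflow the size computation. */
static char **alloc_line_table(size_t count) {
    if (count == 0 || count > MAX_CONFIG_LINES ||
        count > SIZE_MAX / sizeof(char *)) {
        errno = EOVERFLOW;
        return NULL;
    }
    return calloc(count, sizeof(char *));
}

/* Split a NUL-terminated buffer into lines in place. Returns the table
 * (caller frees) and stores the number of lines in *out_count. */
static char **split_lines(char *buf, size_t *out_count) {
    size_t n = 1;
    for (const char *p = buf; *p; p++)
        if (*p == '\n') n++;
    char **table = alloc_line_table(n);
    if (!table) return NULL;
    size_t i = 0;
    table[i++] = buf;
    for (char *p = buf; *p; p++)
        if (*p == '\n') { *p = '\0'; if (i < n) table[i++] = p + 1; }
    *out_count = i;
    return table;
}

int main(void) {
    char cfg[] = "user=alice\nport=22\nverbose=1";   /* constructed sample */
    size_t n = 0, huge = SIZE_MAX / sizeof(char *) + 2;
    char **lines = split_lines(cfg, &n);
    printf("%zu lines, second: %s\n", n, lines ? lines[1] : "(none)");
    printf("unchecked size for huge count: %zu bytes\n", naive_table_bytes(huge));
    printf("checked alloc: %s\n", alloc_line_table(huge) ? "ok" : "refused");
    free(lines);
    return 0;
}
```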