On Wed, 31 Aug 2016 19:33:41 +0200 Markus Teich <[email protected]> wrote:

Hey Markus,

> after reading Eric's original CVE report and proposed fix again and
> thinking about it, I came to the conclusion that this is a cleaner
> fix. It calls crypt() pre-locking with a bogus "x" as password just
> to see if the pws value is correct and other system requirements are
> met to call crypt later on after the password has been entered.
>
> I will apply it tomorrow if there are no objections.

Are you sure we are not hitting any TOCTTOU problems here?

Cheers

FRIGN

-- 
FRIGN <[email protected]>
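Added example, not code from the thread or from the project being discussed: a small Ruby model of the proposed "probe crypt() before locking" step and of the verification that runs after the password has been entered. It uses Ruby's String#crypt, which calls the platform crypt(3), and assumes the platform supports "$6$" (SHA-512) settings; the function names, the demo salt and the demo hash are all constructed here. The probe treats anything other than a well-formed hash with the stored setting (nil, the "*0"/"*1" failure tokens, an exception for a malformed salt) as "cannot verify, refuse to lock". The TOCTTOU question is addressed on the use side: the same stored hash string captured before locking is passed to the post-lock check, and that check still treats crypt() as fallible and fails closed rather than relying on the earlier probe.

```ruby
# Demo setting; ASSUMPTION: crypt(3) here supports SHA-512 ("$6$") hashes,
# as glibc/libxcrypt and musl do.
DEMO_SALT = "$6$demo.salt$".freeze

# Byte-wise comparison that does not stop at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Setting prefix of a crypt hash: "$id$salt$" for modular formats,
# the two-character salt for traditional DES.
def setting_of(stored)
  stored.start_with?("$") ? stored[0..stored.rindex("$")] : stored[0, 2]
end

# Pre-lock probe: call crypt() with a bogus password ("x", as in the
# proposal) against the stored hash. True only if crypt() produced a real
# hash carrying the same setting; anything else means crypt() cannot
# verify this hash on this system and the locker must refuse to lock.
def hash_usable?(stored)
  return false if stored.nil? || stored.empty?
  return false if stored.start_with?("!", "*")   # locked account / no password
  probe = "x".crypt(stored)
  return false if probe.nil? || probe.start_with?("*")
  probe.length == stored.length && probe.start_with?(setting_of(stored))
rescue ArgumentError, SystemCallError              # malformed or unsupported salt
  false
end

# Post-lock verification. The caller passes the same `stored` string it
# probed, so the hash cannot change between check and use; crypt() is still
# treated as fallible here and any failure denies the unlock.
def password_matches?(stored, entered)
  computed = entered.crypt(stored)
  return false if computed.nil? || computed.start_with?("*")
  constant_time_equal?(computed, stored)
rescue ArgumentError, SystemCallError
  false
end

# The whole sequence as a pure function: probe, (lock), read input, verify.
# Returns :refused (never locked), :unlocked, or :denied.
def lock_sequence(stored, entered)
  return :refused unless hash_usable?(stored)
  # A real locker would drop privileges and grab the screen at this point.
  password_matches?(stored, entered) ? :unlocked : :denied
end

if $PROGRAM_NAME == __FILE__
  stored = "correct horse".crypt(DEMO_SALT)   # constructed demo hash
  puts lock_sequence(stored, "correct horse")  # :unlocked
  puts lock_sequence(stored, "nope")           # :denied
  puts lock_sequence("!", "correct horse")     # :refused
end
```

Running the file prints the three outcomes in order. The interesting case is the third: a hash crypt() cannot process is caught before the screen is locked, instead of surfacing as a failed or, worse, misjudged comparison at unlock time.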
