Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
Ted Unangst wrote: Jeremy Evans wrote: As an aside, crypt(passwd, $2) returns : instead of NULL. I'm not sure if that's a security issue, but I think it is and we should fix it. I'll see if I can get a patch for that and send it to tech@. This is a weird edge case where niels

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Ted Unangst
Stuart Henderson wrote: On 2015/07/17 20:24, Ted Unangst wrote: Jeremy Evans wrote: As an aside, crypt(passwd, $2) returns : instead of NULL. I'm not sure if that's a security issue, but I think it is and we should fix it. I'll see if I can get a patch for that and send it to tech@.

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Bob Beck
On Fri, Jul 17, 2015 at 06:48:31PM -0600, Theo de Raadt wrote: my perspective is: absent clear knowledge of what programs are doing, attempts to second guess them in a library function are perilous. let us be standards compliant, and then at least any resulting holes are clearly the

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
The only objection I can see is something stupid that does not check the error condition, derefs NULL, drops a core file in an insecure place, and therefore leaks information. To my mind this is a buggy program, combined with an insecure configuration, and we shouldn't be trying to save

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
my perspective is: absent clear knowledge of what programs are doing, attempts to second guess them in a library function are perilous. let us be standards compliant, and then at least any resulting holes are clearly the program's fault. such programs always dereference the pointer. So I agree

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Ted Unangst
Ted Unangst wrote: Jeremy Evans wrote: As an aside, crypt(passwd, $2) returns : instead of NULL. I'm not sure if that's a security issue, but I think it is and we should fix it. I'll see if I can get a patch for that and send it to tech@. This is a weird edge case where niels decided to