In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.


!DSPAM:55f7df0641553245911066!
diff -uPr vpopmail-5.5.0.orig/vpopmail.c vpopmail-5.5.0/vpopmail.c
--- vpopmail-5.5.0.orig/vpopmail.c      2015-09-08 11:33:44.818094999 +0100
+++ vpopmail-5.5.0/vpopmail.c   2015-09-08 11:39:56.791096019 +0100
@@ -686,13 +686,11 @@
 
   if ( vauth_getpw( username, domain ) != NULL ) return(VA_USERNAME_EXISTS);
 
-  /*
-     Check password strength
-  */
-
-  ret = pw_strength(password);
-  if (ret != 1)
-        return ret;
+  /* Check password strength */
+  if ( password[0] != '\0' ) {
+    ret = pw_strength(password);
+    if (ret != 1) return ret;
+  }
 
   /* record the dir where the vadduser command was run from */
   getcwd(calling_dir, sizeof(calling_dir));

Reply via email to