On Wed, 31 Aug 2016 19:33:41 +0200
Markus Teich <markus.teich_AT_stusta.mhn.de> wrote:
Hey Marcus,
> after reading Erics original CVE report and proposed fix again and
> thinking about it, I came to the conclusion that this is a cleaner
> fix. It calls crypt() pre-locking with a bogus "x" as password just
> to see if the pws value is correct and other system requirements are
> met to call crypt later on after the password has been entered.
>
> I will apply it tomorrow if there are no objections.
are you sure we are not hitting any TOCTTOU problems here?
Cheers
FRIGN
--
FRIGN <dev_AT_frign.de>
Received on Wed Aug 31 2016 - 21:51:41 CEST