slackware-current/source/d/cvs/cvs.crypt-2.diff

--- cvs-1.11.23/src/server.c.orig	2013-05-17
+++ cvs-1.11.23/src/server.c		2013-05-22
@@ -5632,9 +5632,11 @@ check_repository_password (username, pas
 	    host_user_tmp = username;
 
 	/* Verify blank passwords directly, otherwise use crypt(). */
+	char *crypt_passwd = found_password ? crypt (password, found_password): NULL;
 	if ((found_password == NULL)
-	    || ((strcmp (found_password, crypt (password, found_password))
-		 == 0)))
+	    || (crypt_passwd != NULL
+               && (strcmp (found_password, crypt_passwd)
+		    == 0)))
 	{
 	    /* Give host_user_ptr permanent storage. */
 	    *host_user_ptr = xstrdup (host_user_tmp);
@@ -5645,7 +5647,7 @@ check_repository_password (username, pas
 #ifdef LOG_AUTHPRIV
 	syslog (LOG_AUTHPRIV | LOG_NOTICE,
 		"password mismatch for %s in %s: %s vs. %s", username,
-		repository, crypt(password, found_password), found_password);
+		repository, crypt_passwd, found_password);
 #endif
 	    *host_user_ptr = NULL;
 	    retval	 = 2;
@@ -5675,6 +5677,7 @@ check_password (username, password, repo
     char *host_user = NULL;
     char *found_passwd = NULL;
     struct passwd *pw;
+    char *crypt_passwd = NULL;
 
     /* First we see if this user has a password in the CVS-specific
        password file.  If so, that's enough to authenticate with.  If
@@ -5752,7 +5755,9 @@ error 0 %s: no such user\n", username);
     if (*found_passwd)
     {
 	/* user exists and has a password */
-	if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
+	crypt_passwd = crypt (password, found_passwd);
+	if ((crypt_passwd != NULL) &&
+	    (strcmp (found_passwd, crypt_passwd) == 0))
 	{
 	    host_user = xstrdup (username);
 	}
@@ -5762,7 +5767,7 @@ error 0 %s: no such user\n", username);
 #ifdef LOG_AUTHPRIV
 	    syslog (LOG_AUTHPRIV | LOG_NOTICE,
 		    "password mismatch for %s: %s vs. %s", username,
-		    crypt(password, found_passwd), found_passwd);
+		    crypt_passwd, found_passwd);
 #endif
 	}
 	goto handle_return;
Slackware 14.1 Mon Nov 4 17:08:47 UTC 2013 Slackware 14.1 x86_64 stable is released! It's been another interesting release cycle here at Slackware bringing new features like support for UEFI machines, updated compilers and development tools, the switch from MySQL to MariaDB, and many more improvements throughout the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-) 2013-11-04 18:08:47 +01:00			`--- cvs-1.11.23/src/server.c.orig 2013-05-17`
			`+++ cvs-1.11.23/src/server.c 2013-05-22`
			`@@ -5632,9 +5632,11 @@ check_repository_password (username, pas`
			`host_user_tmp = username;`

			`/* Verify blank passwords directly, otherwise use crypt(). */`
			`+ char *crypt_passwd = found_password ? crypt (password, found_password): NULL;`
			`if ((found_password == NULL)`
			`- \|\| ((strcmp (found_password, crypt (password, found_password))`
			`- == 0)))`
			`+ \|\| (crypt_passwd != NULL`
			`+ && (strcmp (found_password, crypt_passwd)`
			`+ == 0)))`
			`{`
			`/* Give host_user_ptr permanent storage. */`
			`*host_user_ptr = xstrdup (host_user_tmp);`
			`@@ -5645,7 +5647,7 @@ check_repository_password (username, pas`
			`#ifdef LOG_AUTHPRIV`
			`syslog (LOG_AUTHPRIV \| LOG_NOTICE,`
			`"password mismatch for %s in %s: %s vs. %s", username,`
			`- repository, crypt(password, found_password), found_password);`
			`+ repository, crypt_passwd, found_password);`
			`#endif`
			`*host_user_ptr = NULL;`
			`retval = 2;`
			`@@ -5675,6 +5677,7 @@ check_password (username, password, repo`
			`char *host_user = NULL;`
			`char *found_passwd = NULL;`
			`struct passwd *pw;`
			`+ char *crypt_passwd = NULL;`

			`/* First we see if this user has a password in the CVS-specific`
			`password file. If so, that's enough to authenticate with. If`
			`@@ -5752,7 +5755,9 @@ error 0 %s: no such user\n", username);`
			`if (*found_passwd)`
			`{`
			`/* user exists and has a password */`
			`- if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)`
			`+ crypt_passwd = crypt (password, found_passwd);`
			`+ if ((crypt_passwd != NULL) &&`
			`+ (strcmp (found_passwd, crypt_passwd) == 0))`
			`{`
			`host_user = xstrdup (username);`
			`}`
			`@@ -5762,7 +5767,7 @@ error 0 %s: no such user\n", username);`
			`#ifdef LOG_AUTHPRIV`
			`syslog (LOG_AUTHPRIV \| LOG_NOTICE,`
			`"password mismatch for %s: %s vs. %s", username,`
			`- crypt(password, found_passwd), found_passwd);`
			`+ crypt_passwd, found_passwd);`
			`#endif`
			`}`
			`goto handle_return;`