cvs-dev

Re: [Cvs-dev] cvs-passwd patch: weird problem


From: Larry Jones
Subject: Re: [Cvs-dev] cvs-passwd patch: weird problem
Date: Mon, 21 Aug 2006 11:00:31 -0400 (EDT)

Mark D. Baushke writes:
> 
> To be honest, I am not sure I understand why the
> old-password is needed as it would already be in
> the user's $HOME/.cvspass file...

Presumably for the same reason the Unix passwd command prompts you for
your old password even though you had to use it to log in -- to prevent
someone from using a temporarily unattended terminal to change the
user's password.

> > > You should also pay attention to Larry's suggestions regarding the
> > > improper use of the crypt() function.
> > 
> >    Yes, I saw that page. So, I should copy the encrypted password from
> > crypt's static buffer to some other place, and use that pointer, that's
> > it, right?

Wrong.  You've got a buffer overflow in the salt generation -- it has
nothing whatsoever to do with the encrypted password.  And you're using
crypt() in a non-portable fashion (standard crypt does not support MD5).

-Larry Jones

Physical education is what you learn from having your face in
someone's armpit right before lunch. -- Calvin
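
The two points raised in the message above, bounded salt generation and staying within what standard crypt() accepts, shown as an added example that is not part of the original post or of the patch under discussion (that patch is not shown on this page). The helper names `make_salt` and `is_portable_salt` are hypothetical; the sketch assumes the traditional two-character salt drawn from `[./0-9A-Za-z]` and treats `$id$`-style salts (such as the `$1$` MD5 extension) as non-portable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Salt alphabet of traditional crypt(): 64 characters. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SALT_LEN 2  /* traditional crypt() uses exactly two salt characters */

/* Hypothetical helper: write a NUL-terminated SALT_LEN-character salt into
 * out, taking entropy from rnd[0..rndlen). Returns 0 on success, -1 if out
 * cannot hold the salt plus terminator or too few random bytes were given.
 * The size check comes first, so nothing is written past out[outlen - 1]. */
int make_salt(char *out, size_t outlen, const unsigned char *rnd, size_t rndlen)
{
    size_t i;
    if (out == NULL || rnd == NULL || outlen < SALT_LEN + 1 || rndlen < SALT_LEN)
        return -1;
    for (i = 0; i < SALT_LEN; i++)
        out[i] = SALT_CHARS[rnd[i] & 0x3f];  /* 256 % 64 == 0: no modulo bias */
    out[SALT_LEN] = '\0';
    return 0;
}

/* Returns 1 only for a salt every standard crypt() accepts: exactly two
 * characters from the alphabet. "$1$..." style salts fail both checks. */
int is_portable_salt(const char *salt)
{
    if (salt == NULL || strlen(salt) != SALT_LEN)
        return 0;
    return strchr(SALT_CHARS, salt[0]) != NULL &&
           strchr(SALT_CHARS, salt[1]) != NULL;
}

int main(void)
{
    unsigned char rnd[SALT_LEN];
    char salt[SALT_LEN + 1];
    FILE *f = fopen("/dev/urandom", "rb");  /* assumed entropy source */
    if (f == NULL || fread(rnd, 1, sizeof rnd, f) != sizeof rnd)
        return 1;
    fclose(f);
    if (make_salt(salt, sizeof salt, rnd, sizeof rnd) != 0)
        return 1;
    printf("salt=%s portable=%d\n", salt, is_portable_salt(salt));
    return 0;
}
```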



