$OpenBSD: patch-extras_th_htpasswd_c,v 1.1 2014/05/06 09:00:37 jasper Exp $

A local attacker with the ability to alter .htpasswd files could
cause a Denial of Service in thttpd by specially-crafting them.
CVE-2012-5640

--- extras/th_htpasswd.c.orig	Thu May  1 10:49:44 2014
+++ extras/th_htpasswd.c	Thu May  1 10:50:16 2014
@@ -140,7 +140,10 @@ add_password( char* user, FILE* f )
     (void) srandom( (int) time( (time_t*) 0 ) );
     to64( &salt[0], random(), 2 );
     cpw = crypt( pw, salt );
-    (void) fprintf( f, "%s:%s\n", user, cpw );
+    if (cpw)
+       (void) fprintf( f, "%s:%s\n", user, cpw );
+     else
+       (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
     }
 
 static void usage(void) {
