[Dovecot] using one-time passwords

Timo Sirainen tss at iki.fi
Sat May 22 06:18:01 EEST 2004


On Tue, 2004-05-18 at 17:20, Johannes Berg wrote:
> > That doesn't look very good code .. Looks like if it was possible for
> > user to set wanted seed there would be several buffer overflows. But I
> > guess normally it's not?
> 
> I'm not sure I understand you.
> opiepasswd allows you to set the seed when changing your otp settings. I
> guess I'll need to look at the code, though I'm not really a C wizard
> nor very knowledgeable about insecure C code. Can you explain further
> what possible problems you see?

opiepasswd checks that the seed is valid size so it's kind of safe, but
if you were able to directly modify the database and add a larger seed
than normally allowed, the password verifying code could overflow some
buffers.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040522/2f131dbc/attachment.pgp


More information about the dovecot mailing list