$OpenBSD$

A local attacker with the ability to alter .htpasswd files could
cause a Denial of Service in thttpd by specially-crafting them.
CVE-2012-5640

--- extras/htpasswd.c.orig	Thu Mar 14 04:10:47 2013
+++ extras/htpasswd.c	Thu Mar 14 04:11:29 2013
@@ -136,7 +136,10 @@ add_password( char* user, FILE* f )
     (void) srandom( (int) time( (time_t*) 0 ) );
     to64( &salt[0], random(), 2 );
     cpw = crypt( pw, salt );
-    (void) fprintf( f, "%s:%s\n", user, cpw );
+    if (cpw)
+        (void) fprintf( f, "%s:%s\n", user, cpw );
+    else
+        (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
     }
 
 static void usage(void) {
