oldhash) fail". If the existing hashed password entry from getpwnam_shadow
is blank (i.e. no password set) then crypt fails, so as-is the "is locked"
error is logged when the password is blank.
Swap the "locked password" and "blank password" checks, so that the
correct message is logged for a blank password.
(CVE-2016-7406) and a problem importing malicious OpenSSH keys (CVE-2016-7407)
both of which could result in arbitrary code running as root in some conditions
(though the worst one requires usernames including '%' which is uncommon with
OpenBSD as adduser and useradd reject this, however it is possible by editing
the password file directly). See https://matt.ucc.asn.au/dropbear/CHANGES for
more details.