Software Engineering Institute

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

OpenServer, Open UNIX and UnixWare do not ship pwck and grpck set{uid,gid}, therefore these operating systems are not vulnerable.

OpenLinux versions do include pwck and grpck, but they are neither setuid or setgid.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 25, 2002 Updated: June 03, 2002

Status

Not Affected

Vendor Statement

Conectiva Linux is not vulnerable to this problem as we never shipped pwck SUID root.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

FreeBSD does not contain the `grpck' nor `pwck' utilities, and is therefore not vulnerable to VU#121891 nor VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

Regarding VU#121891 and VU#877811, Fujitsu's UXP/V operating system is not vulnerable because it does not have the setuid attribute.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

HP is not effected by this issue as presented to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 09, 2002

Status

Not Affected

Vendor Statement

IBM has tested and examined the commands and code regarding pwdck and grpck. We do not believe they are vulnerable to the command-line buffer-overflow exploits mentioned in VU#121891 and VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The "pwck" utility is known as "pwdck" on AIX systems and is related to an additional syntax checking utility named "usrck". The statement provided by IBM applies to both of these utilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

NetBSD does not ship with pwck or grpck, and is therefore not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Updated:  July 05, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We install the pwck and grpck utilities mode 700 (that is, restricted to just root).

The buffer overflow is fixed in shadow-4.0.0 and thus in Owl-current after 2001/11/12. It has never been a security issue for us and for most (all?) other Linux distributions and thus hasn't been handled as such.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 08, 2002

Status

Not Affected

Vendor Statement

We are not vulnerable to this vulnerability in any release of Red Hat Linux, as we do not ship either of these utilities SUID.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

Pwck and grpck are not distributed as suid, and we have not been able to replicate the problem as it has been described to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.