Vulnerability Note VU#369427

Format string vulnerability in libutil pw_error(3) function

Original Release date: 07 Nov 2000 | Last revised: 29 Mar 2001


There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility.


On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the OpenBSD 2.7 libutil library.

It was later discovered that when this function is called by the setuid program /usr/bin/chpass on unpatched systems, it is possible for users to obtain superuser access.


Attackers with an account on affected systems can obtain superuser access via the chpass utility.


Apply a patch from your vendor.
See the vendors section of this document for further information from your vendor.

The CERT/CC recommends that vulnerable users protect their systems by removing the SUID bit on chpass.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected23 Oct 200031 Oct 2000
NetBSDAffected23 Oct 200027 Oct 2000
OpenBSDAffected23 Oct 200017 Nov 2000
AppleNot Affected23 Oct 200027 Oct 2000
BSDINot Affected23 Oct 200027 Oct 2000
Compaq Computer CorporationNot Affected23 Oct 200027 Oct 2000
FujitsuNot Affected23 Oct 200020 Jan 2001
Hewlett PackardNot Affected23 Oct 200003 Jan 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2000-0993
  • Date Public: 03 Oct 2000
  • Date First Published: 07 Nov 2000
  • Date Last Updated: 29 Mar 2001
  • Severity Metric: 11.16
  • Document Revision: 9


If you have feedback, comments, or additional information about this vulnerability, please send us email.