FreeBSD Information for VU#369427
Format string vulnerability in libutil pw_error(3) function
- Date Notified: 23 Oct 2000
- Statement Date:
- Date Updated: 31 Oct 2000
FreeBSD was also vulnerable to this problem since the affected code has a common ancestor. Like OpenBSD, we fixed the problem during security auditing in 2000/07, but did not realise it to be a security vulnerability since the function is not part of a library on FreeBSD, but the source code file containing the function is included directly in the affected setuid programs. FreeBSD 3.5.1 and 4.0 are the most recent affected versions - 4.1 and 4.1.1 are unaffected.
An advisory is under preparation and will likely be released on 2000/10/30.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.