BSD Today: OpenBSD Security Advisory - Format string vulnerability in libutil pw_error(3) function

Oct 04, 2000, 07:50

"A format string vulnerability present in the pw_error() function of OpenBSD 2.7's libutil library can yield localhost users root access through the setuid /usr/bin/chpass utility. This particular vulnerability was repaired three months ago on June 30th in OpenBSD-current during a complete source tree audit for format string problems."

"OpenBSD developers became aware of an exploit circulating for the chpass(1) program on the evening of October 2, 2000...."

"In recent months a myriad of 'format string' vulnerabilities have been discovered in a number of software packages. In response to this threat, the OpenBSD team immediately began a complete source tree audit, identifying and fixing dozens of these format bugs. While most of the issues were harmless, a few such as the bug in xlock and one in the OpenBSD ftpd daemon raised the red flag and patches were released to correct these problems. Unfortunately, the severity of the format string bug that was fixed in pw_error() was not fully realized at the time."

