“A format string vulnerability present in the pw_error()
function of OpenBSD 2.7’s libutil library can yield localhost users
root access through the setuid /usr/bin/chpass utility. This
particular vulnerability was repaired three months ago on June 30th
in OpenBSD-current during a complete source tree audit for format
string problems.”
“OpenBSD developers became aware of an exploit circulating for
the chpass(1) program on the evening of October 2, 2000….”
“In recent months a myriad of “format string” vulnerabilities
have been discovered in a number of software packages. In response
to this threat, the OpenBSD team immediately began a complete
source tree audit, identifying and fixing dozens of these format
bugs. While most of the issues were harmless, a few such as the bug
in xlock and one in the OpenBSD ftpd daemon raised the red flag and
patches were released to correct these problems. Unfortunately,
the severity of the format string bug that was fixed in pw_error()
was not fully realized at the time.“