Apple Computer Inc. Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

OpenServer, Open UNIX and UnixWare do not ship pwck and grpck set{uid,gid}, therefore these operating systems are not vulnerable. OpenLinux versions do include pwck and grpck, but they are neither setuid nor setgid.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Not Affected

Notified:  January 25, 2002 Updated: June 03, 2002

Status

Not Affected

Vendor Statement

Conectiva Linux is not vulnerable to this problem as we never shipped pwck SUID root.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

FreeBSD does not contain the `grpck' nor `pwck' utilities, and is therefore not vulnerable to VU#121891 nor VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

Regarding VU#121891 and VU#877811, Fujitsu's UXP/V operating system is not vulnerable because it does not have the setuid attribute.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

HP is not affected by this issue as presented to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Notified:  January 04, 2002 Updated: January 09, 2002

Status

Not Affected

Vendor Statement

IBM has tested and examined the commands and code regarding pwdck and grpck. We do not believe they are vulnerable to the command-line buffer-overflow exploits mentioned in VU#121891 and VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The "pwck" utility is known as "pwdck" on AIX systems and is related to an additional syntax checking utility named "usrck". The statement provided by IBM applies to both of these utilities.

MandrakeSoft Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

NetBSD does not ship with pwck or grpck, and is therefore not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall Not Affected

Updated:  July 05, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We install the pwck and grpck utilities mode 700 (that is, restricted to just root). The buffer overflow is fixed in shadow-4.0.0 and thus in Owl-current after 2001/11/12. It has never been a security issue for us and for most (all?) other Linux distributions and thus hasn't been handled as such.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Not Affected

Notified:  January 04, 2002 Updated: January 08, 2002

Status

Not Affected

Vendor Statement

We are not vulnerable to this vulnerability in any release of Red Hat Linux, as we do not ship either of these utilities SUID.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

Pwck and grpck are not distributed as suid, and we have not been able to replicate the problem as it has been described to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

Sun does not ship pwck with any additional privileges in Solaris so Sun is not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
