Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 07, 2002
Not Affected
OpenServer, Open UNIX and UnixWare do not ship pwck and grpck set{uid,gid}, therefore these operating systems are not vulnerable. OpenLinux versions do include pwck and grpck, but they are neither setuid nor setgid.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 25, 2002 Updated: June 03, 2002
Not Affected
Conectiva Linux is not vulnerable to this problem as we never shipped pwck SUID root.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 24, 2002
Not Affected
FreeBSD does not contain the `grpck' nor `pwck' utilities, and is therefore not vulnerable to VU#121891 nor VU#877811.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 24, 2002
Not Affected
Regarding VU#121891 and VU#877811, Fujitsu's UXP/V operating system is not vulnerable because it does not have the setuid attribute.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 24, 2002
Not Affected
HP is not affected by this issue as presented to us.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 09, 2002
Not Affected
IBM has tested and examined the commands and code regarding pwdck and grpck. We do not believe they are vulnerable to the command-line buffer-overflow exploits mentioned in VU#121891 and VU#877811.
The vendor has not provided us with any further information regarding this vulnerability.
The "pwck" utility is known as "pwdck" on AIX systems and is related to an additional syntax checking utility named "usrck". The statement provided by IBM applies to both of these utilities.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 07, 2002
Not Affected
NetBSD does not ship with pwck or grpck, and is therefore not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: July 05, 2002
Not Affected
Openwall GNU/*/Linux is not vulnerable. We install the pwck and grpck utilities mode 700 (that is, restricted to just root). The buffer overflow is fixed in shadow-4.0.0 and thus in Owl-current after 2001/11/12. It has never been a security issue for us and for most (all?) other Linux distributions and thus hasn't been handled as such.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 08, 2002
Not Affected
We are not vulnerable to this vulnerability in any release of Red Hat Linux, as we do not ship either of these utilities SUID.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 07, 2002
Not Affected
Pwck and grpck are not distributed as suid, and we have not been able to replicate the problem as it has been described to us.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 07, 2002
Not Affected
Sun does not ship pwck with any additional privileges in Solaris so Sun is not affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 04, 2002 Updated: January 04, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.