vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.
https://exchange.xforce.ibmcloud.com/vulnerabilities/6851
http://www.securityfocus.com/bid/3036