The fact that 'su' reads the password from stdin allows any user to fake a login prompt and collect other users' passwords. I've not been able to get a shell out of this bug, but execution of commands as another user is indeed possible. Solution: compile 'su' so that it does not read the password from stdin (as other dists do).
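The hardening the report asks for, shown as an added example in C that is not the sh-utils code: a password prompt that opens /dev/tty explicitly instead of trusting whatever fd 0 happens to be, and refuses any descriptor that is not a terminal, so a password fed through a pipe or an inherited stdin is never consumed. The function names (read_password_from_fd, read_password_from_tty, pipe_is_rejected) are this example's own.

```c
/* Added example, not the sh-utils 'su' source: prompt for a password only
 * on the controlling terminal, never on an inherited stdin. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read a line from fd with echo turned off. Refuses descriptors that are not
 * a terminal (pipes, files, sockets) so input prepared by another process is
 * rejected. Returns 0 on success, -1 on failure with errno set. */
int read_password_from_fd(int fd, const char *prompt, char *buf, size_t len)
{
    struct termios old, noecho;
    ssize_t n;
    int saved;

    if (buf == NULL || len == 0) { errno = EINVAL; return -1; }
    if (!isatty(fd)) { errno = ENOTTY; return -1; }   /* the core check */

    if (tcgetattr(fd, &old) != 0) return -1;
    noecho = old;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;

    (void)write(fd, prompt, strlen(prompt));
    n = read(fd, buf, len - 1);
    saved = errno;
    (void)tcsetattr(fd, TCSAFLUSH, &old);  /* always restore echo */
    (void)write(fd, "\n", 1);
    if (n < 0) { errno = saved; return -1; }
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';       /* drop the newline */
    return 0;
}

/* Open the controlling terminal by name rather than using fd 0. With no
 * controlling terminal (cron, a daemon, a faked session) this fails closed. */
int read_password_from_tty(const char *prompt, char *buf, size_t len)
{
    int fd = open("/dev/tty", O_RDWR);
    int rc, saved;

    if (fd < 0) return -1;
    (void)fcntl(fd, F_SETFD, FD_CLOEXEC);
    rc = read_password_from_fd(fd, prompt, buf, len);
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Demonstration: a pipe stands in for a stdin that another process controls.
 * The constructed "secret" written into it must never be accepted. Returns 1
 * when the prompt correctly refuses the pipe. */
int pipe_is_rejected(void)
{
    int p[2];
    char buf[64];
    int rc, rejected;

    if (pipe(p) != 0) return 0;
    (void)write(p[1], "secret\n", 7);
    rc = read_password_from_fd(p[0], "Password: ", buf, sizeof buf);
    rejected = (rc == -1 && errno == ENOTTY);
    close(p[0]);
    close(p[1]);
    return rejected;
}

int main(void)
{
    char pw[128];

    printf("pipe as password source rejected: %s\n",
           pipe_is_rejected() ? "yes" : "no");
    if (read_password_from_tty("Password: ", pw, sizeof pw) == 0)
        printf("read %zu characters from /dev/tty\n", strlen(pw));
    else
        printf("no usable terminal: %s\n", strerror(errno));
    memset(pw, 0, sizeof pw);  /* scrub the buffer */
    return 0;
}
```

The isatty() check is what closes the hole described above: a fake prompt can only hand 'su' a pipe or a file, never the real controlling terminal, so the password read fails instead of succeeding on attacker-supplied bytes. Opening /dev/tty separately means the check holds even when fd 0 has been redirected before 'su' starts.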
Erik, please verify if this is incorrect, and please close it if so.
Christian, look at this and verify that it is incorrect; if so, then please close it.
fixed in sh-utils-1.16-18