Index: usr.sbin/pw/pw_user.c
===================================================================
--- usr.sbin/pw/pw_user.c
+++ usr.sbin/pw/pw_user.c
@@ -641,6 +641,13 @@
 /* Userids and groups can not have a leading '-'. */
 if (*ch == '-')
 reject = 1;
+ /*
+ * Reject the user names "." and ".." to avoid bogus entries
+ * like (from "pw useraddd .."):
+ * ..:*:1002:1002:User &:/home/..:/bin/sh
+ */
+ if (strcmp(".", name) == 0 || strcmp("..", name) == 0)
+ errx(EX_DATAERR, "invalid user %s %s", showtype, name);
 }
 if (!reject) {
 while (*ch) {
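Review bot: The `errx()` message in the added check, `"invalid user %s %s"`, is likely to read awkwardly, since `showtype` appears to be a noun phrase naming the field (it is set outside the hunk, so this is inferred) and the comment just above says this branch covers groups as well as userids; `errx(EX_DATAERR, "invalid %s: %s", showtype, name);` would be clearer. The new comment has a typo (`useraddd`) and could state the actual hazard rather than only "bogus entries": the derived home directory `/home/..` resolves to the parent of the home base, so any later step that creates, changes ownership of or removes the home directory would act on the wrong tree. The check also exits directly instead of setting `reject` like the leading-'-' test beside it; if that is deliberate because the `reject` path reports a bad character position, a one-line comment such as `/* not a bad-character case, so report it directly */` would save the next reader the question. The enclosing function starts and ends outside the hunk.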