Multiple buffer overflows in the POSIX readdir_r function, as used in multiple packages, allow local users to cause a denial of service and possibly execute arbitrary code via (1) a symlink attack that exploits a race condition between opendir and pathconf calls and changes the filesystem to one with a larger maximum directory-entry name length, or (2) possibly via programmer-introduced errors on operating systems with a small struct dirent, such as Solaris or BeOS, as demonstrated in packages including (a) gcj, (b) KDE, (c) libwww, (d) the Rudiments library, (e) teTeX, (f) xmail, (g) bfbtester, (h) ncftp, (i) netwib, (j) OpenOffice.org, (k) Pike, (l) reprepro, (m) Tcl, and (n) xgsmlib.
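One way to size the readdir_r buffer so that neither condition above applies, as an added example that is not taken from the advisory or from any of the listed packages. The helper names `dirent_buf_size` and `count_entries` are hypothetical; the limit is queried with fpathconf on the descriptor of the already-open directory instead of pathconf on the path.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

/* glibc marks readdir_r deprecated; silence that so the pattern can be shown. */
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"

/* Hypothetical helper: bytes needed for one readdir_r entry of dirp.
   Returns 0 when the limit is unknown; readdir_r must then not be used. */
size_t dirent_buf_size(DIR *dirp)
{
    long name_max;
    size_t need;
    if (dirp == NULL)
        return 0;
    /* Ask about the directory that is actually open, not its path name:
       pathconf(path) after opendir(path) can describe a different
       filesystem if the path was replaced in between. */
    name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
    if (name_max < 0)
        return 0;
    need = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    /* sizeof(struct dirent) alone can be too small on some systems. */
    return need > sizeof(struct dirent) ? need : sizeof(struct dirent);
}

/* Hypothetical helper: count the entries of path; -1 on any failure. */
long count_entries(const char *path)
{
    DIR *dirp = opendir(path);
    size_t size = dirent_buf_size(dirp);
    struct dirent *buf = size ? malloc(size) : NULL, *ent = NULL;
    long n = 0;
    int err;
    if (buf == NULL) {
        if (dirp) closedir(dirp);
        return -1;
    }
    while ((err = readdir_r(dirp, buf, &ent)) == 0 && ent != NULL)
        n++;
    free(buf);
    closedir(dirp);
    return err == 0 ? n : -1;
}
```

Where per-stream thread safety is not required, plain readdir avoids the caller-sized buffer entirely.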
womble.decadentplace.org.uk/readdir_r-advisory.html
www.securityfocus.com/archive/1/415781
www.securityfocus.com/archive/1/415790/30/0/threaded
www.securityfocus.com/archive/1/415995/30/0/threaded
www.securityfocus.com/archive/1/415998/30/0/threaded
www.securityfocus.com/archive/1/415999/30/0/threaded
www.securityfocus.com/archive/1/416002/30/0/threaded
www.securityfocus.com/archive/1/416048/30/0/threaded
www.securityfocus.com/bid/15259