Based on an article that was mentioned on this list
I found two attacker-controlled memory leaks in the option parsing of pkcheck.c. These memory leaks allow a local attacker to
“spray the heap”, i.e. to initialize large parts of the heap before launching his attack.
The original attack uses a setuid binary, because the author “is giving himself a break”.
However, the fact that the binary in the example is setuid is orthogonal to the fact that heap spraying is a very serious attack vector.
Bug reports were filed but closed as WONTFIX. I think this is a mistake, so I
would hope people could weigh in on this.