Local root exploit for FreeBSD nmount(). This affects FreeBSD 7.0-RELEASE and 7.0-STABLE.
f73657bff4c5f05a9a63c9564bcf7f676f9adf0f6b8a1b9a13e53473275ca23d
FreeBSD Security Advisory - Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking. If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.
8265017f0c4b0022d978e1e3604993352ecac41efc8b787596bf55e18a09b5bb