Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.
Vector
NETWORK
Complexity
LOW
Authentication
NONE
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL
Freebsd Freebsd 7.0 releng (not an official CPE)
Freebsd Freebsd 7.0 beta4 (not an official CPE)
Freebsd Freebsd 7.0 Pre-release (not an official CPE)
FreeBSD 7.0
Freebsd Freebsd 6.0 p5 release (not an official CPE)
Freebsd Freebsd 6.0 Stable (not an official CPE)
Freebsd Freebsd 6.0 Release (not an official CPE)
FreeBSD 6.0
NetBSD 4.0