Based on an article that was mentioned on this list
https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edi...
I found two attacker controlled memory leaks in the option parsing of pkcheck.c. These memory leaks allow a local attacker the ability to "spray the heap", i.e. initialize large parts of the heap before launching his attack.
The original attack uses a setuid binary, because the author "is giving himself a break".
However, the fact that the binary in the example is setuid is orthogonal to the fact that heap spraying is a very serious attack vector.
Bug reports are filed but closed WONTFIX. I think this is a mistake so I would hope people could weigh in on this.
https://bugs.freedesktop.org/show_bug.cgi?id=99626 https://bugzilla.redhat.com/show_bug.cgi?id=1418278 https://bugzilla.redhat.com/show_bug.cgi?id=1418287
Thanks for your interest.
Regards, Leonard.