Help Net Security has an advisory for IBM's AIX versions 4.3.x and 5.1: "AIX ships with the library "libi18n" located in the "/usr/ccs/lib" directory. This library
contains a function that is vulnerable to a buffer overflow through the LANG
An ordinary user has the ability to set the "LANG" environment variable to any value
they choose. When this variable is set to a suitably formatted string and a program is
run which uses the
vulnerable library, the program will terminate abnormally. If this program is also setuid
root, aixterm for example, a malicious user has an opportunity to spawn a root shell and
gain control of the machine."