From Net-security.org: "There is local root compromise in FreeBSD 4.3 due to design flaw
which allows injecting signal handlers in other processes.
The problem is rfork(RFPROC|RFSIGSHARE) which shares the signal
If the child does exec() on a setuid program and then the parent set
a signal handler, the signal handler is replicated in the child. The
address of the signal handler may be in the environment and after
a signal to the child our signal handler gets executed. Examine the
code for more information."