Off-by-one vulnerability in sreplace() is used for remote root access.
vulners.com/securityvulns/securityvulns:doc:14995
vulners.com/securityvulns/securityvulns:doc:15124
vulners.com/securityvulns/securityvulns:doc:15234
vulners.com/securityvulns/securityvulns:doc:15235