Format string vulnerability in nvi prior to 1.79 allows local users to gain privileges via format string specifiers in a filename.
bsd nvi 1.79