A bug in cvs versions up to and including 1.11.4 was recently found where, under certain conditions, a pointer is free()\'d, and then free()\'d again without being re-initialised. The reports with regards to the exploitability of the condition in question range from - \"it is a classical exploitable double-free()\" to \"may possibly be exploited\". I have written an exploit for Linux for pserver, and contrary to my usual practice, decided to make it public. First, I couldn\'t find any papers on the internet that would explain the...