7.5 Addendum

Note

Thursday, November 15, 2007

Since the vulnerability has been fixed and a new version of the XNU kernel of OS X is available, I released a detailed security advisory on my website today.[80] The bug was assigned CVE-2007-4686.

After I published the advisory, Theo de Raadt (the founder of OpenBSD and OpenSSH) hinted that this bug is older than 4.4BSD and was fixed roughly 15 years ago by everyone but Apple. In the initial revision of FreeBSD from 1994, the implementation of the TIOCSETD IOCTL looks like this:[81]

[..]
    case TIOCSETD: {        /* set line discipline */
        register int t = *(int *)data;
        dev_t device = tp->t_dev;

        if ((u_int)t >= nlinesw)
            return (ENXIO);
        if (t != tp->t_line) {
            s = spltty();
            (*linesw[tp->t_line].l_close)(tp, ...
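
The (u_int) cast in the bounds check of the listing above is what makes a negative t fail the test, since it converts to a value larger than any valid table index. The following user-space model is an added example, not code from the book, FreeBSD or XNU; the toy table, the struct layout and the function names index_ok_unsigned, index_ok_signed and set_line_discipline are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed user-space model; not kernel code. */
struct tty { int t_line; };                 /* current line discipline index */
struct linesw_entry { int (*l_open)(struct tty *); };

static int toy_open(struct tty *tp) { (void)tp; return 0; }

static const struct linesw_entry linesw[] = {
    { toy_open }, { toy_open }, { toy_open },
};
static const int nlinesw = (int)(sizeof(linesw) / sizeof(linesw[0]));

/* Bounds test with the cast from the listing: a negative t converts to a
 * value above INT_MAX, so one comparison rejects both ends of the range. */
int index_ok_unsigned(int t) {
    return !((unsigned int)t >= (unsigned int)nlinesw);
}

/* Same test without the cast (for contrast): a negative t passes. */
int index_ok_signed(int t) {
    return !(t >= nlinesw);
}

/* Validate first, then index the table, in the order the TIOCSETD case uses. */
int set_line_discipline(struct tty *tp, int t) {
    int error;

    if (!index_ok_unsigned(t))
        return ENXIO;
    if (t != tp->t_line) {
        error = (*linesw[t].l_open)(tp);
        if (error)
            return error;
        tp->t_line = t;
    }
    return 0;
}

int main(void) {
    const int probes[] = { 0, 2, 3, -1, INT_MIN };   /* constructed inputs */
    struct tty tp = { 0 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("t=%d unsigned_ok=%d signed_ok=%d\n", probes[i],
               index_ok_unsigned(probes[i]), index_ok_signed(probes[i]));
    return set_line_discipline(&tp, -1) == ENXIO ? 0 : 1;
}
```
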
