xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option.
http://www.debian.org/security/2000/20000816
http://archives.neohapsis.com/archives/freebsd/2000-08/0340.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0294.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0212.html