Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file.
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html