Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0992 to the following vulnerability: Array index error in pax in Apple Mac OS X 10.5.2 allows context-dependent attackers to execute arbitrary code via an archive with a crafted length value. References: http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
Relevant part of Apple security advisory: pax archive utility CVE-ID: CVE-2008-0992 Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2 Impact: Running the pax command on a maliciously crafted archive may lead to arbitrary code execution Description: The pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5. No further details available.
Apple clarified that this issue is specific to their version of pax as used in Mac OS X Leopard and does not affect BSD pax version we ship.