A version-independent, but terminal-dependent, one was using the echo-status-line-back-to-input mechanism of some terminals. When combined with getting the victim to copy a setuid stub, one would get permanent access to their account - until root did a fs sweep looking for unusual setuid programs. DF