Apply by doing:
        cd /usr/src
        patch -p0 < 005_exec.patch
And then rebuild your kernel.

Index: sys/compat/ibcs2/ibcs2_exec.c
===================================================================
RCS file: /cvs/src/sys/compat/ibcs2/ibcs2_exec.c,v
retrieving revision 1.14
retrieving revision 1.14.6.1
diff -u -p -r1.14 -r1.14.6.1
--- sys/compat/ibcs2/ibcs2_exec.c	22 Aug 2002 22:04:42 -0000	1.14
+++ sys/compat/ibcs2/ibcs2_exec.c	3 Nov 2003 23:23:50 -0000	1.14.6.1
@@ -616,6 +616,8 @@ exec_ibcs2_xout_prep_nmagic(p, epp, xp, 
 	struct xseg *xs;
 
 	/* read in segment table */
+	if (xep->xe_segsize > 16 * sizeof(*xs))
+		return (ENOEXEC);
 	xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
 	error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,
 			xep->xe_segsize, xep->xe_segpos,
Index: sys/kern/exec_elf.c
===================================================================
RCS file: /cvs/src/sys/kern/exec_elf.c,v
retrieving revision 1.48
retrieving revision 1.48.2.1
diff -u -p -r1.48 -r1.48.2.1
--- sys/kern/exec_elf.c	21 Aug 2003 18:56:07 -0000	1.48
+++ sys/kern/exec_elf.c	3 Nov 2003 23:23:50 -0000	1.48.2.1
@@ -863,6 +863,7 @@ ELFNAME(os_pt_note)(struct proc *p, stru
 
 	for (ph = hph;  ph < &hph[eh->e_phnum]; ph++) {
 		if (ph->p_type != PT_NOTE ||
+		    ph->p_filesz > 1024 ||
 		    ph->p_filesz < sizeof(Elf_Note) + name_size)
 			continue;