A local format string vulnerability has been found in pam_ldap. The vulnerability was reported in Blackshell Advisory #5, and was introduced in pam_ldap-80 along with support for runtime selectable LDAP configuration files (a third-party contribution). It cannot be exploited remotely. Versions prior to pam_ldap-80 and subsequent to pam_ldap-143 are not vulnerable. Contrary to reports, the nss_ldap module is not affected by this bug (confusingly, pam_ldap is sometimes distributed by vendors in the same package as nss_ldap).
To exploit this vulnerability, one would have to embed a format string in the PAM configuration stanza for pam_ldap (either in /etc/pam.conf or a file within /etc/pam.d). These configuration files should never be writable by a non-privileged user, so it is highly unlikely that such an exploit could be used to elevate privilege in a typical installation. (Were the PAM configuration writable by a non-privileged user, an arbitrary module could be inserted in the PAM stack, presenting a much simpler means of elevating privilege.)
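The following audit script is an added example, not code from pam_ldap or PADL: it checks the two conditions described above, namely PAM configuration files that a non-root user could edit and pam_ldap stanzas whose module arguments contain a `%` character. The sample stanza and its `opt=` argument name are constructed placeholders, and the function names are this example's own.

```python
import glob
import os
import stat

# Constructed sample in /etc/pam.d syntax; "opt=" is a placeholder argument name.
SAMPLE = """\
auth     sufficient  pam_unix.so nullok
auth     required    /lib/security/pam_ldap.so opt=/etc/x-%s.conf
account  required    pam_ldap.so   # 100% comment text is ignored
"""

def suspicious_lines(text):
    """Return line numbers whose pam_ldap module arguments contain a '%'."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        # Locate the module-path token; this handles both pam.conf lines
        # (leading service field) and pam.d lines (no service field).
        for i, tok in enumerate(tokens):
            if os.path.basename(tok).startswith("pam_ldap"):
                if any("%" in arg for arg in tokens[i + 1:]):
                    hits.append(lineno)
                break
    return hits

def permission_issues(path, trusted_uid=0):
    """Return reasons a non-privileged user could edit this file."""
    st = os.stat(path)
    issues = []
    if st.st_uid != trusted_uid:
        issues.append("owner is uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues

def audit(paths):
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = suspicious_lines(fh.read())
        perms = permission_issues(path)
        if lines or perms:
            report[path] = {"format_lines": lines, "permissions": perms}
    return report

if __name__ == "__main__":
    candidates = ["/etc/pam.conf"] + sorted(glob.glob("/etc/pam.d/*"))
    for path, found in audit(p for p in candidates if os.path.isfile(p)).items():
        print(path, found)
```

A permissions finding matters on any pam_ldap version, since a writable PAM configuration allows an arbitrary module to be inserted into the stack.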
More information on vulnerabilities and exposures in PADL open source software is available here. This vulnerability has been assigned CVE number CAN-2002-0374.
This vulnerability was corrected in pam_ldap-144; see bug #90. The current version of pam_ldap is available by FTP or HTTP.