From Secunia security advisory at $URL:
The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.
Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.
The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.
Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB
1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted
remote attackers to execute arbitrary code via vectors involving a long
error message, as demonstrated by a crafted acc file for TORCS. NOTE: some
of these details are obtained from third party information.
@games: openSUSE has a patch for this and bug 440762 we may be able to use since upstream has not updated.
That patch looks terrible. vsnprintf null-terminates.
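Added example, not part of the bug thread and not PLIB's code: an error setter that formats into a static buffer, with the unbounded vsprintf form next to a vsnprintf form, illustrating the advisory's bug class and the remark above that vsnprintf null-terminates. The names set_error_unsafe, set_error_bounded, get_error and err_buf and the 64-byte size are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF_SIZE 64            /* hypothetical size, not PLIB's */
static char err_buf[ERR_BUF_SIZE]; /* static buffer, as in the advisory */

/* Unbounded form (the bug class described): vsprintf writes as many bytes
 * as the formatted message needs, regardless of ERR_BUF_SIZE. Shown for
 * comparison only; never called below. */
void set_error_unsafe(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(err_buf, fmt, ap);
    va_end(ap);
}

/* Bounded form: vsnprintf writes at most ERR_BUF_SIZE bytes including the
 * terminating NUL, and returns the length the full message would have had.
 * Returns 0 if the message fit, 1 if truncated, -1 on a formatting error. */
int set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(err_buf, sizeof err_buf, fmt, ap);
    va_end(ap);
    if (n < 0) { err_buf[0] = '\0'; return -1; }
    return (size_t)n >= sizeof err_buf;
}

const char *get_error(void) { return err_buf; }

int main(void)
{
    char longname[300];  /* constructed input: an overly long file name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int t = set_error_bounded("cannot load '%s'", longname);
    printf("truncated=%d stored_len=%zu\n", t, strlen(get_error()));
    return 0;
}
```

The return value of vsnprintf is what lets the caller tell a truncated message from a complete one; no manual termination of the buffer is needed when the size argument is nonzero.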
Created attachment 423696
Patch from debian
Extracted from the patch at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654785
Package revbumped per .
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : alpha amd64 hppa ppc sparc x86
@arches, still pending stabilization on: alpha, hppa, ppc, sparc, and x86.
@games, once stable please remove vulnerable version 1.8.5.
*** Bug 576016 has been marked as a duplicate of this bug. ***
Stable for HPPA.
Stable on alpha.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
New GLSA opened.
This issue was resolved and addressed in
GLSA 201606-16 at https://security.gentoo.org/glsa/201606-16
by GLSA coordinator Aaron Bauman (b-man).