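After seeing a tweet about a command-line buffer overflow in the Nagios plugins, I took a look myself. It seems there are probably a bunch of them. The grep below only lists candidates, though: a strcpy call overflows only when the source string can be longer than the destination buffer, so each hit still has to be checked for the destination's size and for any length check done before the copy (the check_pgsql.c comment in the output suggests that one is guarded).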

http://packetstormsecurity.org/files/108160

uttwer@b0rk:~/test/nagios-plugins-1.4.15/plugins$ grep strcpy *.c |grep -v \"

check_dns.c:      strcpy(adrp, addresses[i]);
check_dns.c:      strcpy (query_address, optarg);
check_dns.c:      strcpy (dns_server, optarg);
check_dns.c:      strcpy (ptr_server, optarg);

check_dns.c:      strcpy (query_address, argv[c++]);
check_dns.c:      strcpy (dns_server, argv[c++]);

check_hpjd.c:                           strcpy (errmsg, input_buffer);
check_hpjd.c:                           strcpy (display_message, temp_buffer + 1);
check_http.c:  strcpy (newpath + 1, path);
check_http.c:      strcpy (url, HTTP_URL);
check_http.c:      strcpy (url, HTTP_URL);
check_http.c:      strcpy (type, server_type);
check_http.c:      strcpy (addr, host_name ? host_name : server_address);
check_http.c:  strcpy (server_type, type);
check_nagios.c:                         strcpy(procprog, temp_string);
check_pgsql.c:                  else /* we know length, and know optarg is terminated, so us strcpy */
check_pgsql.c:                          strcpy (dbName, optarg);
check_procs.c:                  strcpy(procprog, base_name(procprog));
check_snmp.c:                   strcpy(&state_string[current_length],temp_string);
check_ups.c:    strcpy (temp_buffer, recv_buffer);
popen.c:        strcpy (cmd, cmdstring);