...
The call to execl() is not susceptible to command injection because no shell command interpreter is invoked: the untrusted string is passed directly as one element of the new program's argv and is never parsed for shell metacharacters such as ';', '|', '&' or backquotes (see ENV04-A. Do not call system() if you do not need a command processor). Two caveats remain. First, execl() takes an absolute path and does not search PATH, unlike execlp() and execvp(), so the intended binary runs regardless of the caller's environment; that property is lost if the "p" variants are used instead. Second, the invoked program still receives the string verbatim, so it must be validated against what that program expects (for example, a value beginning with '-' may be parsed as an option), and the protection is void if the program being executed is itself a shell or other command interpreter.
The diff for this vulnerability is available from the OpenSolaris CVS repository.
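To make the difference concrete, the following added example (not code from the CERT page or from OpenSolaris) feeds one constructed attacker-controlled string, "hello; echo INJECTED", first through system()-style shell invocation (via popen(), which also runs "sh -c") and then through fork() + execl() of /bin/echo with an absolute path. The helper names, the target program /bin/echo and the sample input are all assumptions made for the illustration.

```c
/* Added example: shell invocation versus execl() with the same untrusted
 * argument. Not from the CERT page; /bin/echo and the input are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed attacker-controlled input: looks like a word to echo but
 * carries a shell command separator followed by a second command. */
const char *UNTRUSTED_ARG = "hello; echo INJECTED";

/* Vulnerable path: the whole string is handed to "sh -c", so the ';'
 * splits it into two commands. popen() is used instead of system() only
 * so that the output can be captured; both go through the shell. */
int run_via_shell(const char *arg, char *out, size_t outlen) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "echo %s", arg);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    size_t got = fread(out, 1, outlen - 1, fp);
    out[got] = '\0';
    return pclose(fp) == -1 ? -1 : 0;
}

/* Hardened path: fork() + execl() with an absolute path. The string
 * becomes argv[1] of /bin/echo verbatim; no shell ever parses it. */
int run_via_execl(const char *arg, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                      /* child */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
        close(fds[1]);
        execl("/bin/echo", "echo", arg, (char *)NULL);
        _exit(127);                      /* only reached if execl() fails */
    }
    close(fds[1]);                       /* parent: collect child's stdout */
    size_t got = 0;
    ssize_t r;
    while (got < outlen - 1 &&
           (r = read(fds[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* 1 if the output shows a second command ran (a line reading INJECTED),
 * 0 if the argument was echoed as one literal string. */
int was_injected(const char *out) {
    return strstr(out, "\nINJECTED") != NULL;
}

/* Wrappers for the constructed input: return 1/0 as above, -1 on error. */
int shell_path_injects(void) {
    char buf[256];
    if (run_via_shell(UNTRUSTED_ARG, buf, sizeof buf) != 0) return -1;
    return was_injected(buf);
}

int execl_path_injects(void) {
    char buf[256];
    if (run_via_execl(UNTRUSTED_ARG, buf, sizeof buf) != 0) return -1;
    return was_injected(buf);
}

int main(void) {
    char buf[256];
    if (run_via_shell(UNTRUSTED_ARG, buf, sizeof buf) == 0)
        printf("shell : %s", buf);       /* two lines: hello / INJECTED */
    if (run_via_execl(UNTRUSTED_ARG, buf, sizeof buf) == 0)
        printf("execl : %s", buf);       /* one line: hello; echo INJECTED */
    return 0;
}
```

The shell path prints "hello" and then "INJECTED" on separate lines because "sh -c" executed two commands; the execl() path prints the single line "hello; echo INJECTED" because /bin/echo received the string as one argument. The example still passes the untrusted value to the target program unvalidated, which is acceptable for echo but not in general, so the argument check discussed above remains the caller's job.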
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
...