Lsof 4.40 has these patches:

aix_dproc.c_patch       Patches: lsof_4.40/dialects/aix/dproc.c

                        Affects: AIX 4.3, 4.31, and 4.32

                        Importance: !!!CRITICAL!!!

                        Frequency: probably rare

                        This patch corrects a pointer addressing
                        bug, introduced in a patch to lsof 4.39
                        and propagated to lsof 4.40, related to
                        AIX 4.3, 4.3.1, and 4.3.2 systems with
                        large process tables.

                        The bug is probably rare, occurring only
                        when it is necessary to allocate more than
                        one internal process table chunk, and then
                        only when the allocation changes the base
                        address of the internal process table.

arg.c.patch             Patches: lsof_4.40/arg.c

                        Affects: all dialects

                        Importance: !!!CRITICAL!!!

                        Frequency: depends on -u option specification

                        This patch corrects a buffer overflow in
                        the processing of -u option login name
                        values.  Without this patch a login name
                        longer than 9 characters can cause an
                        internal buffer overflow and segmentation
                        fault.

Vic Abell
February 18, 1999