A format string exploit occurs when untrusted input reaches a printf-family function as the format string, so its contents are interpreted as conversion directives instead of being treated as data. This class of attack is closely related to buffer overflows, since an attacker may be able to execute code, read the stack, or trigger other behaviour that compromises security. Learn more about format string attacks in the OWASP attack index.
If an attacker can influence a format string, it can be exploited; note also that sprintf variants do not always 0-terminate their output.
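As an added example (not GMP's or Alpine's code), the two points above in working C: untrusted text is passed as a `%s` argument to a constant format, never as the format itself, and the allocating wrapper retries `vsnprintf` using the overflow-detection rule that the GMP comment further down describes. All function names here are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grow-and-retry around vsnprintf, as the GMP comment describes: -1 or
 * space-1 is read pessimistically as overflow (double the space); a C99
 * return r >= space is the exact need, so the next space is r + 2. */
static char *format_alloc(const char *fmt, ...)
{
    size_t space = 256;                     /* arbitrary initial guess */
    char *buf = NULL;
    for (;;) {
        char *tmp = realloc(buf, space);
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
        va_list ap; va_start(ap, fmt);
        int ret = vsnprintf(buf, space, fmt, ap); va_end(ap);
        if (ret >= 0 && (size_t)ret < space - 1)
            return buf;                     /* unambiguous success */
        space = (ret < 0 || (size_t)ret == space - 1) ? space * 2
                                                       : (size_t)ret + 2;
    }
}

/* The defensive rule: untrusted text is an argument to a constant format,
 * never the format itself, so '%' characters in it are copied literally. */
static char *render_user_line(const char *untrusted)
{
    return format_alloc("user said: %s", untrusted);
}

/* Fixed-buffer variant. C99 snprintf returns the length it wanted, so
 * ret >= size means truncation; the explicit terminator covers libcs
 * whose snprintf variants do not 0-terminate. */
static int render_fixed(char *buf, size_t size, const char *untrusted)
{
    if (size == 0) return -1;
    int ret = snprintf(buf, size, "user said: %s", untrusted);
    buf[size - 1] = '\0';
    return (ret < 0 || (size_t)ret >= size) ? -1 : ret; /* -1: truncated */
}

/* Audit helper: flags a '%' that is not the literal "%%" escape. */
static int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 2, '%'))
        if (p[1] != '%') return 1;
    return 0;
}
```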
The highlighted line of code below is the trigger point of this particular Alpine 3.8 format weakness.
```c
  * the GNU General Public License as published by the Free Software
    Foundation; either version 2 of the License, or (at your option) any
    later version.

or both in parallel, as here.

The GNU MP Library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received copies of the GNU General Public License and the
GNU Lesser General Public License along with the GNU MP Library.  If not,
see https://www.gnu.org/licenses/.  */

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "gmp.h"
#include "gmp-impl.h"

#if ! HAVE_VSNPRINTF
#define vsnprintf  __gmp_replacement_vsnprintf
#endif

/* vasprintf isn't used since we prefer all GMP allocs to go through
   __gmp_allocate_func, and in particular we don't want the -1 return from
   vasprintf for out-of-memory, instead __gmp_allocate_func should handle
   that.

   Using vsnprintf unfortunately means we might have to re-run it if our
   current space is insufficient.

   The initial guess for the needed space is an arbitrary 256 bytes.  If
   that (and any extra GMP_ASPRINTF_T_NEED might give) isn't enough then an
   ISO C99 standard vsnprintf will tell us what we really need.

   GLIBC 2.0.x vsnprintf returns either -1 or space-1 to indicate overflow,
   without giving any indication how much is really needed.  In this case
   keep trying with double the space each time.

   A return of space-1 is success on a C99 vsnprintf, but we're not
   bothering to identify which style vsnprintf we've got, so just take the
   pessimistic option and assume it's glibc 2.0.x.

   Notice the use of ret+2 for the new space in the C99 case.  This ensures
   the next vsnprintf return value will be space-2, which is unambiguously
   successful.  But actually GMP_ASPRINTF_T_NEED() will realloc to even
   bigger than that ret+2.
```