A format string exploit occurs when input data is used as the format string of a formatting function (such as the printf family), so that conversion specifiers embedded in the data are interpreted by the program instead of being treated as plain text. This class of attacks is very similar to buffer overflows, since an attacker could execute code, read the stack, or cause new behaviors that compromise security. Learn more about format string attacks in the OWASP attack index.
Potential format string problem.
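The highlighted line of code below is the trigger point of this particular Alpine 3.8 format weakness. (The highlighting is not preserved in this text. The calls in the excerpt that take a non-literal format argument are `snprintf (exponent, sizeof(exponent), p->expfmt, expsign, expval)` and, when HAVE_VSNPRINTF is not defined, `sprintf (exponent, p->expfmt, expsign, expval)`. Whether the finding is exploitable depends on whether `p->expfmt` can be influenced by untrusted input, which this excerpt does not show. The `sprintf` fallback also writes to `exponent` without a size bound and checks the resulting length only afterwards, with ASSERT.)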
scientific: TRACE (printf (" scientific s.sss\n")); intlen = MIN (1, len); intzeros = (intlen == 0 ? 1 : 0); fraczeros = 0; fraclen = len - intlen; expval = (exp-intlen); if (p->exptimes4) expval <<= 2; /* Split out the sign since %o or %x in expfmt give negatives as twos complement, not with a sign. */ expsign = (expval >= 0 ? '+' : '-'); expval = ABS (expval); #if HAVE_VSNPRINTF explen = snprintf (exponent, sizeof(exponent), p->expfmt, expsign, expval); /* test for < sizeof-1 since a glibc 2.0.x return of sizeof-1 might mean truncation */ ASSERT (explen >= 0 && explen < sizeof(exponent)-1); #else sprintf (exponent, p->expfmt, expsign, expval); explen = strlen (exponent); ASSERT (explen < sizeof(exponent)); #endif TRACE (printf (" expfmt %s gives %s\n", p->expfmt, exponent)); } break; default: ASSERT (0); /*FALLTHRU*/ /* to stop variables looking uninitialized */ case DOPRNT_CONV_GENERAL: /* The exponent for "scientific" will be exp-1, choose scientific if this is < -4 or >= prec (and minimum 1 for prec). For f==0 will have exp==0 and get the desired "fixed". This rule follows glibc. For fixed there's no need to truncate, the desired ndigits will already be as required. */ if (exp-1 < -4 || exp-1 >= MAX (1, prec)) goto scientific; else goto fixed; } TRACE (printf (" intlen %d intzeros %d fraczeros %d fraclen %d\n", intlen, intzeros, fraczeros, fraclen));