sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf.
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> External References:
FTR, that is not the fix for the issue; it is incorrect and in fact in the context of upstream, it is a nop. What fixed the problem upstream are these patches:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This is essentially a crash which can only be triggered by a non-standard argument passed as a long double input to a member of the printf family of functions. The application has to be written in this way to allow this issue to be triggered. The maximum impact is an application crash.
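The description above gives one non-canonical 80-bit pattern, and the impact note says the crash needs a long double that no normal arithmetic would produce. The added example below (not glibc code and not from the report; function names are hypothetical) shows how a program that receives long double values from untrusted sources, such as deserialized bytes, can classify the x87 encoding and reject non-canonical patterns before they reach a printf-family call. It generalizes beyond the single sample in the report by covering every non-canonical class of the x87 format (pseudo-denormal, unnormal, pseudo-infinity and pseudo-NaN), with the sample from the report reconstructed inline as a constant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample value from the CVE description, constructed here from the escaped
 * string in the report, in little-endian byte order as it sits in memory. */
static const unsigned char kNonCanonicalSample[10] =
    { 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04 };

/* Returns true iff a 10-byte x87 extended-precision pattern is canonical.
 * Layout (little-endian): bytes 0..7 = 64-bit significand whose bit 63 is
 * the explicit integer ("J") bit; bytes 8..9 = sign bit plus 15-bit exponent.
 * Canonical encodings pair the exponent with the J bit as follows:
 *   exponent == 0        -> J must be 0 (zero or denormal)
 *   exponent 1..0x7FFE   -> J must be 1 (normal number)
 *   exponent == 0x7FFF   -> J must be 1 (infinity or NaN)
 * Any other pairing (pseudo-denormal, unnormal, pseudo-inf, pseudo-NaN) is a
 * bit pattern that x87 arithmetic never produces. The report's sample has a
 * non-zero exponent (0x0400) with the J bit clear, so it is an "unnormal". */
bool x87_is_canonical(const unsigned char bytes[10])
{
    uint64_t significand = 0;
    for (int i = 7; i >= 0; i--)
        significand = (significand << 8) | bytes[i];
    unsigned exponent = (bytes[8] | ((unsigned)bytes[9] << 8)) & 0x7FFF;
    bool j_bit = (significand >> 63) & 1;

    if (exponent == 0)
        return !j_bit;
    return j_bit;
}

/* Reads the raw bytes of a live long double. Assumes the x86 layout in which
 * the first 10 bytes hold the x87 value and any remaining bytes are padding. */
bool ldbl_is_canonical(long double x)
{
    unsigned char raw[16] = { 0 };
    memcpy(raw, &x, sizeof x < sizeof raw ? sizeof x : sizeof raw);
    return x87_is_canonical(raw);
}

/* Validating wrapper (hypothetical name): refuses to format a non-canonical
 * value instead of handing it to the printf family. Returns -1 on rejection,
 * otherwise snprintf's return value. */
int format_ldbl_checked(char *out, size_t out_len, long double x)
{
    if (!ldbl_is_canonical(x))
        return -1;
    return snprintf(out, out_len, "%Lg", x);
}

int main(void)
{
    printf("sample from the report is %s\n",
           x87_is_canonical(kNonCanonicalSample) ? "canonical" : "non-canonical");
    return 0;
}
```

The byte-level check is deliberately separate from the long double wrapper so that it can be applied to serialized data before it is ever loaded into a long double, which is where such values enter a program in practice; the wrapper only matters on x86 targets, where the x87 layout assumption holds.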