Bug 221484 (CVE-2006-6772) - CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/TLS certificate when invoked with -dump/-backend
Summary: CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/T...
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2006-6772
Product: Fedora
Classification: Fedora
Component: w3m
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Parag Nemade
QA Contact:
URL: http://sourceforge.net/tracker/index....
Whiteboard: source=gentoo,impact=none,public=2006...
Depends On: 221482
Blocks:
Reported: 2007-01-04 19:36 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-24 06:41:44 UTC
Type: ---
Embargoed:



Description Lubomir Kundrak 2007-01-04 19:36:03 UTC
+++ This bug was initially created as a clone of Bug #221482 +++

Description of problem:

The inputAnswer() function, which invokes printf(), gets called with a
user-supplied argument (via the CN field of the certificate) when visiting an
HTTPS site with w3m invoked with -dump/-backend.

I believe this is either very hard or impossible to exploit as the
attacker is remote and has virtually no control of the stack contents,
and it is unlikely that the stack contains address of value, overwriting
which could lead to arbitrary code execution. Correct me if you observe
the opposite.

Version-Release number of selected component (if applicable):

Versions shipped with FC5, FC6, RHEL5
RHEL2.1 is not vulnerable

How reproducible:

Always.

Steps to Reproduce:

See URL for detailed description.
  
Additional info:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404564
http://bugs.gentoo.org/show_bug.cgi?id=159145
https://bugzilla.novell.com/show_bug.cgi?id=230775

-- Additional comment from lkundrak on 2007-01-04 14:32 EST --
Created an attachment (id=144833)
Upstream patch for w3m CVE-2006-6772 format string flaw
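The pattern behind the flaw described above, as an added illustration that is not w3m's own code: a prompt built from the certificate CN must pass the CN as a data argument, never as the printf format. The function names, the prompt wording and the sample CN are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not w3m source. w3m's real prompt routine is
 * inputAnswer(); prompt_safe() and cn_has_format_directive() below are
 * invented names for this example. */

/* Vulnerable pattern (shown only as a comment, never compiled or called):
 * the caller concatenates the CN into the prompt text and then hands that
 * text to printf() as its FORMAT argument, so "%x" or "%n" inside the CN
 * is interpreted as a conversion directive instead of being printed:
 *
 *     snprintf(out, outsz, prompt_built_from_cn);   // CN is the format
 */

/* Fixed pattern: the format string is a constant and the CN is a DATA
 * argument, so any '%' in the CN is emitted literally. Returns the length
 * snprintf() reports. */
static int prompt_safe(char *out, size_t outsz, const char *cn)
{
    return snprintf(out, outsz, "Accept certificate for %s? (y/n)", cn);
}

/* Defender-side check: flag a CN carrying printf directives so the event
 * can be logged before the prompt is shown. Returns 1 if found, else 0. */
static int cn_has_format_directive(const char *cn)
{
    return strchr(cn, '%') != NULL;
}

int main(void)
{
    /* Constructed sample CN, not taken from any real certificate. */
    const char cn[] = "%x.%x.%n.example.test";
    char buf[128];

    if (cn_has_format_directive(cn))
        fprintf(stderr, "warning: certificate CN contains '%%'\n");
    prompt_safe(buf, sizeof buf, cn);
    printf("%s\n", buf);   /* the '%' sequences appear verbatim */
    return 0;
}
```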

Comment 2 Parag Nemade 2007-01-15 04:41:32 UTC
Built successfully in w3m-0.5.1-15 version.

