Whilst testing various format string exploits today, the security response team noticed that %n in a writable format string was not being captured by FORTIFY_SOURCE=2 as we expected. This was because the application was using vasprintf, a function that hasn't been fortified. Jakub confirmed this is true and there is no fortification for asprintf, __asprintf, vasprintf, dprintf, vdprintf, obstack_printf, obstack_vprintf. Can we get vasprintf fortified in time for F9 at a minimum?
http://sources.redhat.com/ml/libc-hacker/2008-03/msg00000.html
Implemented in 2.7.90-8 and above.
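One way to check whether a given binary still reaches the unfortified entry points listed in the report is to look at its dynamic imports. This is an added example, not code from the bug report or from glibc; it assumes `nm -D --undefined-only` output as input and that the fortified counterparts carry glibc's `_chk` names, and the sample output is constructed.

```python
import re

# Unfortified printf-family entry points named in the report, mapped to the
# glibc _chk variants that a _FORTIFY_SOURCE build is expected to call instead.
FAMILY = {
    "asprintf": "__asprintf_chk",
    "__asprintf": "__asprintf_chk",
    "vasprintf": "__vasprintf_chk",
    "dprintf": "__dprintf_chk",
    "vdprintf": "__vdprintf_chk",
    "obstack_printf": "__obstack_printf_chk",
    "obstack_vprintf": "__obstack_vprintf_chk",
}

# One undefined dynamic symbol per line, e.g. "    U vasprintf@GLIBC_2.2.5"
_UNDEF = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?[Uw]\s+([A-Za-z_]\w*)(?:@+\S+)?\s*$")

def imported_symbols(nm_output):
    """Return the set of undefined symbol names, version suffix stripped."""
    names = set()
    for line in nm_output.splitlines():
        m = _UNDEF.match(line)
        if m:
            names.add(m.group(1))
    return names

def audit(nm_output):
    """Split the binary's imports from FAMILY into unfortified and fortified."""
    imports = imported_symbols(nm_output)
    unfortified = sorted(n for n in FAMILY if n in imports)
    fortified = sorted({c for c in FAMILY.values() if c in imports})
    return {"unfortified": unfortified, "fortified": fortified}

# Constructed sample of `nm -D --undefined-only ./app` output (not a real binary).
SAMPLE = """\
                 U __printf_chk@GLIBC_2.3.4
                 U __vasprintf_chk@GLIBC_2.8
                 U dprintf@GLIBC_2.2.5
                 U free@GLIBC_2.2.5
                 w __gmon_start__
                 U vasprintf@GLIBC_2.2.5
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("still unfortified:", report["unfortified"])
    print("fortified calls:  ", report["fortified"])
```

A plain name in the `unfortified` list means at least one call site in the binary was not redirected to a checked variant, so the `%n` check in a writable format string does not apply on that path.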