Description of problem:
perl panics if a large number is used in the format section for sprintf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
$ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'

Actual results:
panic: malloc at ../../lib/POSIX.pm (autosplit into ../../lib/auto/POSIX/sprintf.al) line 387

Expected results:
exits with a zero

Additional info:
perl also seems to hang for a long time when using the slightly smaller number of 214748369
This problem appears to go all the way back to RHEL3. I'm not completely certain if this should be called a security flaw, as it's very dangerous to use arbitrary user input as part of a format string. Allowing arbitrary user input could quite likely be considered a flaw in itself.
Upstream ticket created.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This issue is recorded as CVE-2005-3962 and recorded as fixed by redhat in Bug 174683. Could you take that patch and apply it to fedora?
I'd like to close it as solved in the next releases because in F-13 with perl-5.10.1-112.fc13.i686 it's solved.

perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
Out of memory!
Interesting. It still fails on my Fedora 13.

$ rpm -q perl
perl-5.10.1-112.fc13.i686
$ /usr/bin/perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
panic: snprintf buffer overflow at ../../lib/POSIX.pm (autosplit into ../../lib/auto/POSIX/sprintf.al) line 387.

Have you got similar readings for the sprintf.al file?

$ ls -la /usr/lib/perl5/auto/POSIX/sprintf.al
-rw-r--r-- 1 root root 338 Mar 7 17:03 /usr/lib/perl5/auto/POSIX/sprintf.al
$ md5sum /usr/lib/perl5/auto/POSIX/sprintf.al
17b07c02a407ab2778db1a9b2352a996 /usr/lib/perl5/auto/POSIX/sprintf.al
$ rpm -qf /usr/lib/perl5/auto/POSIX/sprintf.al
perl-5.10.1-112.fc13.i686

and finally

$ rpm -V perl
$

I think that means my perl installation is sound. Any ideas on what is happening?
I have the same data as you. I'll try on different machines.
I've just tried it here, and on RHEL6 I get the "out of memory" exit as well. I suspect this is due to not having much RAM in my VM (756MB RAM, 512MB swap).

I tried it on my RHEL5 box (8GB physical RAM) and it happily chewed up all the RAM and a whole lot of CPU before zsh eventually killed it.

% /usr/bin/perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
zsh: killed     /usr/bin/perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'

However it does exit with a panic on my F13 box (also 8GB RAM):

% /usr/bin/perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
panic: snprintf buffer overflow at ../../lib/POSIX.pm (autosplit into ../../lib/auto/POSIX/sprintf.al) line 387.

I think this is a different issue than CVE-2005-3962, however, unless it has regressed.

On RHEL3 it exits quickly (VM with 512MB RAM):

% /usr/bin/perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
panic: malloc at ../../lib/POSIX.pm (autosplit into ../../lib/auto/POSIX/sprintf.al) line 367.
I had 4Gb of RAM for my f13 test if that helps.
This issue is public in rt [1], where anyone can access it. Could you remove the security tag? Or I can sum up our discussion and post it there.

I also believe this is a different issue than CVE-2005-3962. None of my computers have more than 2M RAM, so that might be the reason why I can't reproduce it. The different error on RHEL-5 and F-13 is given by the perl release.

[1] http://rt.perl.org/rt3/Public/Bug/Display.html?id=68764
Wow, that's an old bug and has been public for a long time. There's no reason to keep this private.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This issue still hasn't been resolved.
I don't believe this is CVE-2005-3962. The %n is checked for in current Perl already (the tests from the <http://use.perl.org/article.pl?sid=05/12/15/0916221> patch set are part of the standard test suite of the perl package, run at RPM package build time).

The message "panic: snprintf buffer overflow" comes from perl.h:1666 (Perl 5.14), where the following macro is defined (formatted by me):

    #define my_snprintf(buffer, len, ...) \
        ({ int __len__ = snprintf(buffer, len, __VA_ARGS__); \
           if ((len) > 0 && (Size_t)__len__ >= (len)) \
               Perl_croak_nocontext("panic: snprintf buffer overflow");\
           __len__; })

Thus it just says the requested string could not fit into the buffer (see snprintf(3)), and dies. So the problem is why the buffer has not been preallocated large enough and `len' set to the length needed to accommodate the string.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
perl-5.20.3-328.fc22.x86_64 has a different error message:

$ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
panic: snprintf buffer overflow at /usr/lib64/perl5/POSIX.pm line 233.
perl-5.24.0-363.fc25 has the same error message.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This can be reduced to:

$ perl -e 'sprintf("%.2147483640f", 1);'
panic: snprintf buffer overflow at -e line 1.

The error message basically says the arguments to be passed to libc's sprintf() would cause a buffer overflow, and thus the Perl interpreter will rather abort than continue. So this is intended behavior. One could argue that Perl could invoke an exception instead that would be catchable, or use better wording for the error message. But this is up to the Perl authors.
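As an added illustration (not code from this thread or from Perl itself) of the two points discussed above, the snprintf(3) return-value test that the my_snprintf macro performs, rewritten to return an error instead of croaking, and a bound on width and precision that refuses a format like the reporter's before libc is asked to allocate anything. MAX_FIELD, the function names and the 8-byte demo buffer are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Largest width/precision accepted from a caller-supplied format
 * (assumed policy value for this example, not anything Perl uses). */
#define MAX_FIELD 4096

/* Perl's my_snprintf() test without the croak: snprintf(3) returns the length
 * it needed, so >= len means truncation; return that length, or -1 where Perl panics. */
static int checked_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    if (n < 0 || (len > 0 && (size_t)n >= len))
        return -1;
    return n;
}

/* Walk a printf-style format and refuse any width or precision above MAX_FIELD
 * (or given as '*'), so "%.2147483640f" is rejected before libc formats anything. */
static int format_fields_bounded(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                 /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        for (int pass = 0; pass < 2; pass++) {     /* width, then precision */
            if (pass == 1) { if (*p != '.') break; p++; }
            if (*p == '*') return 0;               /* size chosen at runtime */
            unsigned long v = 0;
            while (*p >= '0' && *p <= '9') {
                v = v * 10 + (unsigned long)(*p - '0');
                if (v > MAX_FIELD) return 0;
                p++;
            }
        }
        if (!*p) return 0;                         /* format ends mid-spec */
    }
    return 1;
}

/* Format the constant 1.0 into an 8-byte buffer; -1 if it does not fit. */
static int demo_fits(const char *fmt)
{
    char buf[8];
    return checked_snprintf(buf, sizeof buf, fmt, 1.0);
}
```

With the bound applied first, the reporter's format never reaches vsnprintf; without it, checked_snprintf reports the same condition the Perl macro panics on, but as a return value the caller can handle.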