From the reporter: Time-interval parsing for the "-r" and "-l" command-line options calls a library routine which uses sscanf("%d%[d]") and passes the address of an automatic int variable to correspond to the second %-sequence. But the %[ sequence needs an arbitrarily large string buffer. So it's possible to get an arbitrary-length string consisting entirely of the letter 'd' written to the stack. Other sscanf formats it tries to use will also allow a string of 'h', 'm', or 's' characters to be written, with all characters the same in any string. Impact: Local user may be able to crash the machine by overwriting the stack with the characters 'd', 'h', 'm', or 's'