From seclists.org/oss-sec/2015/q4/284
CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability

Be aware that if compiled with -D_FORTIFY_SOURCE=2 the a2ps
does abort with

  a2ps --prologue=exploit /etc/hosts -o /dev/null
  *** %n in writable segment detected ***
  Abort

Also the exploit has to be installed as a pro file in the
appropriate system paths or $HOME/.a2ps of the attacked user.

---
 lib/output.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- lib/output.c
+++ lib/output.c	2015-11-16 15:01:23.414079544 +0000
@@ -525,7 +525,7 @@ output_file (struct output * out, a2ps_j
 		     expand_user_string (job, FIRST_FILE (job),
 					 (const uchar *) "Expand: requirement",
 					 (const uchar *) token));
-	output (dest, expansion);
+	output (dest, "%s", expansion);
 	continue;
       }
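
Review bot: the replaced call in output_file shows that output() takes a printf-style format as its second argument, and this hunk corrects only the one call that passes `expansion`, so any other call in lib/output.c that hands it a string derived from a prologue file would still be interpreted as a format. Suggest checking the remaining output (dest, ...) calls in this file for non-literal second arguments and, if output() is a function, declaring it with the GCC format (printf, 2, 3) attribute so that -Wformat-security reports such calls at build time instead of relying on the _FORTIFY_SOURCE=2 runtime abort mentioned in the description.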