Messages logged through the Asterisk ast_verbose logging API call are not displayed as a character string; they are displayed as a format string. Likewise, output produced by the Manager command "command" is not appended to the resulting response message as a character string; it is appended as a format string. In both instances, an attacker can provide a formatted string as an input value, which can cause a crash.
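The defect class described above, shown beside its corrected form. This is an added example, not code from Asterisk or from the advisory; sink_printf, append_vulnerable, append_hardened and render_hardened are hypothetical names standing in for any printf-style logging or response-building call, and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style sink (a verbose logger or response builder). */
struct sink { char buf[256]; size_t len; };

#if defined(__GNUC__)
__attribute__((format(printf, 2, 3))) /* lets -Wformat-security flag non-literal formats */
#endif
static int sink_printf(struct sink *s, const char *fmt, ...)
{
    size_t room = sizeof(s->buf) - s->len;
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(s->buf + s->len, room, fmt, ap);
    va_end(ap);
    if (n > 0) /* vsnprintf returns the untruncated length; clamp to what was stored */
        s->len += ((size_t)n >= room) ? room - 1 : (size_t)n;
    return n;
}

#ifdef SHOW_VULNERABLE
/* Defective pattern: caller-controlled text is used as the format itself,
 * so any conversion specifier in it reads arguments that were never passed. */
static int append_vulnerable(struct sink *s, const char *untrusted)
{
    return sink_printf(s, untrusted);
}
#endif

/* Corrected pattern: constant format, untrusted text passed only as data. */
static int append_hardened(struct sink *s, const char *untrusted)
{
    return sink_printf(s, "%s", untrusted);
}

/* Builds one response line; specifiers in the input come out verbatim. */
static const char *render_hardened(const char *untrusted)
{
    static struct sink s;
    memset(&s, 0, sizeof s);
    sink_printf(&s, "Response: ");
    append_hardened(&s, untrusted);
    return s.buf;
}

int main(void) { puts(render_hardened("100%s%d done")); return 0; }
```

The vulnerable variant is compiled only when SHOW_VULNERABLE is defined, so the default build contains the corrected call alone.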

http://www.securiteam.com/unixfocus/5PP0G2KNPE.html