In the C programming language, format strings are used for all sorts of formatting. The most widely known of these is the printf() function.
A format bug, then, is a bug that abuses the way format strings are used. An example to illustrate:
printf("Loop count: %d\n", count++);
C handles this internally by using the stack: it reads the format string first, sees that it takes one integer argument, and pops that argument.
Now, if the situation is this:
printf("Loop count: %d %s\n", count++);
It pops the count, but then also appears to pop a string pointer from limbo. This will probably result in a segmentation fault, but it can also return, by sheer luck, a string pointer to accessible memory (in this case, that'd mean a dump of some memory to stdout).
If your program uses customizable format strings, and the program needs to do "real-world" things, this is probably also an Issue due to 3133t d00dz - some creative screwing with pointers, and lo and behold, the user's machine gets an Ownership.
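One way to guard the customizable-format-string case above, as an added example that is not part of the original writeup: check the user's template against the arguments the program really passes before handing it to printf(). The names format_is_safe and print_loop_count are hypothetical, and the check is deliberately strict (no flags, widths or length modifiers).

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if every conversion in fmt matches, in order, the conversion
 * characters in expected ("d" = one int was passed); otherwise 0.
 * Function names are hypothetical, chosen for this example. */
int format_is_safe(const char *fmt, const char *expected)
{
    size_t used = 0, avail = strlen(expected);

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                               /* look at the char after '%' */
        if (*p == '%')                     /* "%%" is a literal percent */
            continue;
        /* Strict allow-list: flags, widths, '*', '$', length modifiers, 'n',
         * an unexpected 's' or a dangling '%' are all rejected here. */
        if (*p == '\0' || used >= avail || *p != expected[used])
            return 0;
        used++;
    }
    return 1;   /* fewer conversions than arguments is harmless */
}

/* Use the user's template only if it is safe for a single int argument;
 * otherwise fall back to a fixed literal. Returns 1 if the template was used. */
int print_loop_count(const char *user_fmt, int count)
{
    if (format_is_safe(user_fmt, "d")) {
        printf(user_fmt, count);
        return 1;
    }
    printf("Loop count: %d\n", count);
    return 0;
}

int main(void)
{
    print_loop_count("Loop count: %d\n", 1);     /* accepted */
    print_loop_count("Loop count: %d %s\n", 2);  /* rejected: no string was passed */
    return 0;
}
```

When the user's text is only data and not a template, passing it as an argument to a fixed format, as in printf("%s", text), avoids the problem entirely.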
For an excellent overview of the formatting bugs in general, see Inoshiro's article "The devil's in the details.", in Kuro5hin.org, September 18, 2000. http://www.kuro5hin.org/?op=displaystory&sid=2000/9/18/13910/2588