there iz a fmt string vuln in xine-ui (specifically in errors.c func errors_create_window() ) that can be used to maliciously execuute arbitary code