in reply to Format string vulnerability

There are two issues here. The first is that Webmin shouldn't be using untrusted strings from the outside world. This is asking them to get DOSed. Something like
$untrusted_format = "%10000000d"; sprintf( $untrusted_format, 1 );
is going to generate a one million character string.

The other problem is that there is indeed an integer overflow in sprintf that is explained in http://www.dyadsecurity.com/adv/perl.adv. Add this with Webmin's bad use of format strings, and we've got a case where a box could get 0wned.

We're working on it in p5p, and will be announcing fixes soon.

xoxo,
Andy
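
The two defensive patterns implied by the post above, as an added example that is not part of the original post and is not Webmin or perl5-porters code: pass outside data as an argument to a constant format, and if a caller-supplied template cannot be avoided, accept only a small set of directives with bounded widths. The names `log_line`, `check_template` and `$MAX_WIDTH` are hypothetical, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $MAX_WIDTH = 64;    # hypothetical limit chosen for this example

# Pattern 1: outside data is always an argument, never the format.
# Any '%' sequences inside $untrusted are then copied through as text.
sub log_line {
    my ($untrusted) = @_;
    return sprintf('user said: %s', $untrusted);
}

# Pattern 2: if a caller-supplied template cannot be avoided, allow only
# %s, %d and %u with an optional '-' flag and small literal width/precision.
# Returns undef when the template is acceptable, else a reason string.
sub check_template {
    my ($fmt) = @_;
    (my $rest = $fmt) =~ s/%%//g;    # literal percent signs are harmless
    while ($rest =~ /%([^a-zA-Z]*)([a-zA-Z]?)/g) {
        my ($mods, $conv) = ($1, $2);
        my $d = '%' . $mods . $conv;
        return "unsupported conversion in $d" unless $conv =~ /\A[sdu]\z/;
        my ($w, $p) = $mods =~ /\A-?(\d*)(?:\.(\d*))?\z/
            or return "unsupported modifier in $d";   # rejects '*', 'N$', '+', ...
        for my $n (grep { defined($_) && length($_) } $w, $p) {
            return "width or precision too large in $d"
                if length($n) > 4 || $n > $MAX_WIDTH;
        }
    }
    return;
}

# Constructed sample inputs, including the format string from the post.
for my $fmt ('%10000000d', '%-20s|%5d', '%n', '%*d', 'id=%u 100%%') {
    my $err = check_template($fmt);
    printf "%-12s %s\n", $fmt, defined $err ? "rejected: $err" : 'ok';
}
print log_line('%10000000d'), "\n";
```

The length check on the digit string runs before the numeric comparison, so an oversized width is rejected without ever being handed to `sprintf`.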