in reply to Re^2: Searching for sprintf() bug exploit opportunities in core and CPAN modules
in thread Searching for sprintf() bug exploit opportunities in core and CPAN modules
pack() will only read from arbitrary memory. It won't write back. pack( "p", ... ) returns a pointer, unpack( "p", ... ) reads from a pointer.
Anyway, I'm just noticing that this is an unexpected way to write to memory (or more likely just segfault). Prior to coming up with the list of references in the original post, I wasn't sure that some CGI module wasn't going to be using sprintf() or something and maybe then be a commonly accessible remote exploit. It turned out that there weren't all that many places that user data might actually go through a format. If anything, I'd imagine that Sys::Syslog would be the biggest problem just because it's easy to omit the format from the parameter list.
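As an added example (not part of this thread or any poster's code), in Perl: the unsafe and safe ways of passing untrusted data through sprintf() and Sys::Syslog's syslog(), plus a rough source check for calls whose format argument is a variable rather than a literal. The untrusted input and the snippet being scanned are constructed, and find_variable_formats is a hypothetical heuristic helper, not a real tool.

```perl
use strict;
use warnings;
# Constructed untrusted input: user data that happens to contain '%'.
my $untrusted = 'disk 100% full, last user: %s';

# Unsafe: the data itself is the format. Perl parses each '%' in it
# ("% f" is a float conversion with the space flag), so arguments are
# missing, warnings fire, and the output no longer matches the input.
sub format_unsafe {
    my ($msg) = @_;
    return sprintf($msg);
}
# Safe: a literal format chosen by the programmer; data is only a %s argument.
sub format_safe {
    my ($msg) = @_;
    return sprintf('%s', $msg);
}
# Sys::Syslog's syslog() treats its second parameter as a format too, so
# syslog('info', $msg) is the unsafe form and syslog('info', '%s', $msg)
# the safe one. Defined only; not called here since it needs a syslog daemon.
sub syslog_untrusted {
    my ($priority, $msg) = @_;
    require Sys::Syslog;
    Sys::Syslog::syslog($priority, '%s', $msg);
}
# Hypothetical heuristic check: report sprintf/printf calls whose first
# argument, or syslog calls whose second argument, is a bare scalar variable.
sub find_variable_formats {
    my ($src) = @_;
    my @hits;
    while ($src =~ /\bs?printf\s*\(?\s*(\$\w+)\s*[,)]/g) {
        push @hits, "sprintf/printf with variable format $1";
    }
    while ($src =~ /\bsyslog\s*\(\s*[^,()]+,\s*(\$\w+)\s*[,)]/g) {
        push @hits, "syslog with variable format $1";
    }
    return @hits;
}

print "unsafe: ", format_unsafe($untrusted), "\n";
print "safe:   ", format_safe($untrusted), "\n";
my $sample_code = <<'END';    # constructed snippet to scan
syslog('info', $line);          # flagged
syslog('info', '%s', $line);    # fine
printf($fmt, $x);               # flagged
printf("%s\n", $line);          # fine
END
print "$_\n" for find_variable_formats($sample_code);
```

Running it prints the mangled versus intact rendering of the same input, with "Missing argument" warnings on the unsafe path, and then the two flagged calls from the scanned snippet.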