Most developers (at least some of them), seem to think that if a program is compiled with fortify_source enabled, it was protected against, any format string flaw, This however is not completely true, a lot of glibc functions in fact are not protected. One example is the warn() function.
As per the man page:
The err() and warn() family of functions display a formatted error message on the standard error output. In all cases, the last component of the program name, a colon character, and a space are output. If the fmt argument is not NULL, the printf(3)-like formatted error message is output. The output is terminated by a newline character.
Both err() and warn() and other functions described in that man page, take printf() like "formatted" data as its input. And since its not protected by FORTIFY_SOURCE, something like warn(message) could be exploited.
There may be other glibc functions which take formatted user-arguement, and are not protected as well. I leave finding this as an excercise for the reader :)
In the mean time the following bugs were filed:
1. glibc upstream
2. Red Hat Bugzilla