A vulnerability has been reported in the GNU C Library, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error within the implementation of the "fnmatch()" function, which can be exploited to cause a stack corruption by e.g. tricking an application into using the function on specially crafted input. The vulnerability is reported in versions prior to 2.12.2.
From $URL, the upstream bug is http://sourceware.org/bugzilla/show_bug.cgi?id=11883. @toolchain, thoughts?
More details can be found here http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html
if the issue is already resolved in glibc-2.12.2 in the tree, then i'm not sure we'd look at trying to backport. we're at the point where glibc-2.12.x should be looked at for stabilization in general. i'll start a thread on gentoo-dev to see if we need to shake out any dependencies first.
Stable by now.
toolchain work done.
This issue was resolved and addressed in GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml by GLSA coordinator Chris Reffett (creffett).