CVE-2020-1752 (https://nvd.nist.gov/vuln/detail/CVE-2020-1752): A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
@maintainer(s), please let us know which patchset (if any) this has been included in.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
As per upstream, 2020-03-18 00:23:54 UTC: was committed to the 2.31 master branch; was committed to the 2.30 master branch. Maintainers, please confirm if this made it into 2.30-r8; if not, please create an ebuild and stable appropriately.
Ping
Is fixed in sys-libs/glibc-2.31-r6
All masked. Security please proceed. No cleanup.
This issue was resolved and addressed in GLSA 202101-20 at https://security.gentoo.org/glsa/202101-20 by GLSA coordinator Aaron Bauman (b-man).