The glob implementation in the GNU C Library (aka glibc or libc6) allows
remote authenticated users to cause a denial of service (CPU and memory
consumption) via crafted glob expressions that do not match any pathnames,
as demonstrated by glob expressions in STAT commands to an FTP daemon, a
different vulnerability than CVE-2010-2632.
sounds like Bug 340061. so i would punt this for the same reason.
Agreed. Nothing toolchain is going to do on this one.