CVE-2010-3996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3996): festival_server in Centre for Speech Technology Research (CSTR) Festival, probably 2.0.95-beta and earlier, places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. Please punt vulnerable versions and verify that the current one is fixed.
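A zero-length entry of the kind the CVE text describes is resolved by the dynamic loader as the current working directory. The sketch below is an added example, not part of this bug report or of Festival's code: it detects such entries and shows a prepend that cannot create one. The function names and the `/opt/festival/lib` path are constructed, and the unsafe prepend pattern is an assumption about how a launcher script ends up with an empty entry.

```shell
#!/bin/sh
# Added example: audit a library search path value for zero-length entries.
# ld.so accepts ':' and ';' as separators; an empty entry means "current
# working directory", so a leading, trailing, or doubled separator is unsafe.

# has_empty_entry VALUE: exit status 0 if VALUE contains a zero-length entry.
has_empty_entry() {
    v=$(printf '%s' "$1" | tr ';' ':')
    case "$v" in
        "")          return 1 ;;  # no entries to inspect
        :*|*:|*::*)  return 0 ;;  # leading, trailing, or doubled separator
        *)           return 1 ;;
    esac
}

# Assumed unsafe pattern: unconditional "dir:$OLD". With OLD unset or empty
# the result is "dir:", which ends in a zero-length entry.
unsafe_prepend() { printf '%s' "$1:$2"; }

# Safe pattern: emit the separator only when the old value is non-empty.
safe_prepend() { printf '%s' "$1${2:+:$2}"; }

# strip_empty_entries VALUE: normalise separators and drop empty entries.
strip_empty_entries() {
    printf '%s' "$1" | tr ';' ':' | tr -s ':' | sed -e 's/^://' -e 's/:$//'
}

# Demo on constructed values (not taken from the bug report).
dir=/opt/festival/lib
for old in "" "/usr/local/lib"; do
    for fn in unsafe_prepend safe_prepend; do
        new=$($fn "$dir" "$old")
        if has_empty_entry "$new"; then verdict="EMPTY ENTRY"; else verdict="ok"; fi
        printf '%-15s old=%-16s -> %-34s %s\n' "$fn" "'$old'" "'$new'" "$verdict"
    done
done
```

The same `has_empty_entry` check can be run over `LD_LIBRARY_PATH` assignments found in installed launcher scripts when verifying that a fixed version no longer produces an empty entry.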
Dropped vulnerable versions from the tree.
Thanks, Jesus. Stabilization was performed in bug 380775 - last arch finished 2011-12-29. Filing a new GLSA request.
This issue was resolved and addressed in GLSA 201312-06 at http://security.gentoo.org/glsa/glsa-201312-06.xml by GLSA coordinator Chris Reffett (creffett).