This is not public yet, but the Gentoo Bugzilla has been partially patched already.
I haven't included the name of it, because that would give away a large of where & what it is; it's nasty however.
Embargo end date is targeted for Monday, Oct 6, 14:00 UTC.
Both bugs are publicly accessible upstream now. Opening bug.
Added to existing GLSA.
This issue was resolved and addressed in
GLSA 201607-11 at https://security.gentoo.org/glsa/201607-11
by GLSA coordinator Aaron Bauman (b-man).