From $URL: Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392 Reproducer from the Debian bug: #include <assert.h> #include <regex.h> #include <stdio.h> int main(int argc, char **argv) { int rc; regex_t preg; regmatch_t pmatch[2]; rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED); assert(rc == 0); regexec(&preg, "", 2, pmatch, 0); regfree(&preg); return 0; } This was assigned CVE-2015-8985 even though it is debatable whether this is a security bug.
All affected packages are masked. No cleanup (toolchain package). Security please proceed.
This issue was resolved and addressed in GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06 by GLSA coordinator Aaron Bauman (b-man).