In sysdeps/unix/sysv/linux/if_index.c, __if_nametoindex() creates a socket descriptor but does not close it if the 'ifname' parameter is too long. This is a resource leak (CWE-404). Additionally, it is possible to call getaddrinfo() with a crafted 'node' parameter, that leads to the offending code in __if_nametoindex(). In short, untrusted hostname resolutions (via getaddrinfo()) lead to descriptor exhaustion. MITRE has assigned CVE-2018-19591 for this issue. Attribution: Guido Vranken
All affected packages are masked. No cleanup (toolchain package). Security please proceed.
This issue was resolved and addressed in GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06 by GLSA coordinator Aaron Bauman (b-man).