See also bug 530514 regarding the upstream gnulib vulnerability reported against coreutils at $URL. As pointed out in https://bugs.gentoo.org/show_bug.cgi?id=530514#c4 several packages contains embedded copies of gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.
for reference, this is the commit to look for in packages: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=a10acfb1d2118f9a180181d3fed5399dbbe1df3c
All dependent bugs closed.