the libc routine glob() calls globtilde() to expand ~. globtilde() will copy $HOME to the pattern buf without any bounds checking(!)
Responsible Changed From-To: gnats-admin->freebsd-bugs Misfiled PR.
Responsible Changed From-To: freebsd-bugs->freebsd-bugs It didn't.
Responsible Changed From-To: freebsd-bugs->imp It's on my list now.
State Changed From-To: open->closed Fixed in 1.7 of glob.c by a similar, but different, patch.