After careful analysis by Red Hat and several Glibc developers, it has been determined that this bug is not exploitable. A technical analysis of this flaw can be found here: http://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html