diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.23/glibc-2.23-gshadow-handle-erange.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.23/glibc-2.23-gshadow-handle-erange.patch
index 7ccf8aef88..d223e9f088 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.23/glibc-2.23-gshadow-handle-erange.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.23/glibc-2.23-gshadow-handle-erange.patch
@@ -1,31 +1,114 @@
---- gshadow/fgetsgent_r.c
-+++ gshadow/fgetsgent_r.c
-@@ -37,6 +37,7 @@
+From 74250a7cdf106d4ca7d9506e6d5dc7c448dc3434 Mon Sep 17 00:00:00 2001
+From: David Michael <david.michael@coreos.com>
+Date: Thu, 15 Dec 2016 15:22:57 -0800
+Subject: [PATCH] gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
+
+	[BZ #20338]
+	* gshadow/fgetsgent_r.c: Include <libio/iolibio.h>.
+	(flockfile): New macro.
+	(funlockfile): Likewise.
+	(__fgetsgent_r): Sync with __fgetgrent_r.
+	* nss/nss_files/files-sgrp.c: Fix "fgetsgent_r.c" typo.
+---
+ gshadow/fgetsgent_r.c      | 35 ++++++++++++++++++++++++-----------
+ nss/nss_files/files-sgrp.c |  2 +-
+ 2 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/gshadow/fgetsgent_r.c b/gshadow/fgetsgent_r.c
+index b70f6fa..02cd33a 100644
+--- a/gshadow/fgetsgent_r.c
++++ b/gshadow/fgetsgent_r.c
+@@ -20,39 +20,44 @@
+ #include <gshadow.h>
+ #include <stdio.h>
+ 
++#include <libio/iolibio.h>
++#define flockfile(s) _IO_flockfile (s)
++#define funlockfile(s) _IO_funlockfile (s)
++
+ /* Define a line parsing function using the common code
+    used in the nss_files module.  */
+ 
+ #define STRUCTURE	sgrp
+ #define ENTNAME		sgent
+-#define	EXTERN_PARSER	1
++#define EXTERN_PARSER	1
+ struct sgent_data {};
+ 
+ #include <nss/nss_files/files-parse.c>
+ 
+ 
+-/* Read one shadow entry from the given stream.  */
++/* Read one entry from the given stream.  */
+ int
+ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen,
  	       struct sgrp **result)
  {
    char *p;
-+  int rc;
++  int parse_result;
  
-   _IO_flockfile (stream);
+-  _IO_flockfile (stream);
++  flockfile (stream);
    do
-@@ -64,11 +65,18 @@
-     } while (*p == '\0' || *p == '#' ||	/* Ignore empty and comment lines.  */
+     {
+       buffer[buflen - 1] = '\xff';
+       p = fgets_unlocked (buffer, buflen, stream);
+-      if (p == NULL && feof_unlocked (stream))
++      if (__builtin_expect (p == NULL, 0) && feof_unlocked (stream))
+ 	{
+-	  _IO_funlockfile (stream);
++	  funlockfile (stream);
+ 	  *result = NULL;
+ 	  __set_errno (ENOENT);
+ 	  return errno;
+ 	}
+-      if (p == NULL || buffer[buflen - 1] != '\xff')
++      if (__builtin_expect (p == NULL, 0) || buffer[buflen - 1] != '\xff')
+ 	{
+-	  _IO_funlockfile (stream);
++	  funlockfile (stream);
+ 	  *result = NULL;
+ 	  __set_errno (ERANGE);
+ 	  return errno;
+@@ -61,13 +66,21 @@ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen,
+       /* Skip leading blanks.  */
+       while (isspace (*p))
+ 	++p;
+-    } while (*p == '\0' || *p == '#' ||	/* Ignore empty and comment lines.  */
++    } while (*p == '\0' || *p == '#'	/* Ignore empty and comment lines.  */
  	     /* Parse the line.  If it is invalid, loop to
  		get the next line of the file to parse.  */
 -	     ! parse_line (buffer, (void *) resbuf, (void *) buffer, buflen,
 -			   &errno));
-+	     !(rc = parse_line (buffer, (void *) resbuf,
-+				(void *) buffer, buflen, &errno)));
++	     || ! (parse_result = parse_line (p, resbuf,
++					      (void *) buffer, buflen,
++					      &errno)));
++
++  funlockfile (stream);
  
-   _IO_funlockfile (stream);
- 
-+  if (rc < 0)
+-  _IO_funlockfile (stream);
++  if (__builtin_expect (parse_result, 0) == -1)
 +    {
++      /* The parser ran out of space.  */
 +      *result = NULL;
-+      __set_errno (ERANGE);
 +      return errno;
 +    }
-+
+ 
    *result = resbuf;
    return 0;
- }
+diff --git a/nss/nss_files/files-sgrp.c b/nss/nss_files/files-sgrp.c
+index 15dc659..05c3805 100644
+--- a/nss/nss_files/files-sgrp.c
++++ b/nss/nss_files/files-sgrp.c
+@@ -23,7 +23,7 @@
+ #define DATABASE	"gshadow"
+ struct sgent_data {};
+ 
+-/* Our parser function is already defined in sgetspent_r.c, so use that
++/* Our parser function is already defined in sgetsgent_r.c, so use that
+    to parse lines from the database file.  */
+ #define EXTERN_PARSER
+ #include "files-parse.c"
+-- 
+2.7.4
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_postinst.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_postinst.eblit
index 8178fa1fdb..827cba9b51 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_postinst.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_postinst.eblit
@@ -16,12 +16,6 @@ eblit-glibc-pkg_postinst() {
 		# errors from this step #253697
 		/sbin/telinit U 2>/dev/null
 
-		# if the host locales.gen contains no entries, we'll install everything
-		local locale_list="${EROOT}etc/locale.gen"
-		if [[ -z $(locale-gen --list --config "${locale_list}") ]] ; then
-			ewarn "Generating all locales; edit /etc/locale.gen to save time/space"
-			locale_list="${EROOT}usr/share/i18n/SUPPORTED"
-		fi
-		locale-gen -j $(makeopts_jobs) --config "${locale_list}"
+		## COREOS: locale-gen is not installed
 	fi
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
index a7975e2966..65c7c958af 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
@@ -46,11 +46,7 @@ eblit-glibc-pkg_preinst() {
 	# prepare /etc/ld.so.conf.d/ for files
 	mkdir -p "${EROOT}"/etc/ld.so.conf.d
 
-	# Default /etc/hosts.conf:multi to on for systems with small dbs.
-	if [[ $(wc -l < "${EROOT}"/etc/hosts) -lt 1000 ]] ; then
-		sed -i '/^multi off/s:off:on:' "${ED}"/etc/host.conf
-		elog "Defaulting /etc/host.conf:multi to on"
-	fi
+	## COREOS: host.conf is not installed
 
 	[[ ${ROOT} != "/" ]] && return 0
 	[[ -d ${ED}/$(get_libdir) ]] || return 0
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_pretend.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_pretend.eblit
index 47e2987274..03c947f3e3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_pretend.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_pretend.eblit
@@ -46,30 +46,8 @@ glibc_run_test() {
 }
 
 check_devpts() {
-	# Make sure devpts is mounted correctly for use w/out setuid pt_chown.
-
-	# If merely building the binary package, then there's nothing to verify.
-	[[ ${MERGE_TYPE} == "buildonly" ]] && return
-
-	# Only sanity check when installing the native glibc.
-	[[ ${ROOT} != "/" ]] && return
-
-	# Older versions always installed setuid, so no need to check.
-	in_iuse suid || return
-
-	# If they're opting in to the old suid code, then no need to check.
-	use suid && return
-
-	if awk '$3 == "devpts" && $4 ~ /[, ]gid=5[, ]/ { exit 1 }' /proc/mounts ; then
-		eerror "In order to use glibc with USE=-suid, you must make sure that"
-		eerror "you have devpts mounted at /dev/pts with the gid=5 option."
-		eerror "Openrc should do this for you, so you should check /etc/fstab"
-		eerror "and make sure you do not have any invalid settings there."
-		# Do not die on older kernels as devpts did not export these settings #489520.
-		if version_is_at_least 2.6.25 $(uname -r) ; then
-			die "mount & fix your /dev/pts settings"
-		fi
-	fi
+	## COREOS: Ignore /dev/pts settings, the chroot has no control over them.
+	return 0
 }
 
 eblit-glibc-pkg_pretend() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
index 7a38b3e6e4..2d9aa90bb3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
@@ -14,6 +14,17 @@ toolchain-glibc_src_compile() {
 	done
 }
 
+## COREOS: fix compilation of cross-rpcgen during compiler bootstrap
+toolchain-glibc_headers_compile() {
+	[[ ${EAPI:-0} == [01] ]] && toolchain-glibc_headers_configure
+
+	tc-export_build_env
+	local builddir=$(builddir "headers")
+	cd "${builddir}"
+	emake -C "${S}/sunrpc" subdir=sunrpc objdir="${builddir}" \
+		"${builddir}/sunrpc/cross-rpcgen" || die "make cross-rpcgen failed"
+}
+
 eblit-glibc-src_compile() {
 	if just_headers ; then
 		[[ ${EAPI:-0} == [01] ]] && toolchain-glibc_headers_configure
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
index 11ef2a4d2a..bb20991e55 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
@@ -139,70 +139,40 @@ toolchain-glibc_src_install() {
 		return 0
 	fi
 
-	# Files for Debian-style locale updating
-	dodir /usr/share/i18n
-	sed \
-		-e "/^#/d" \
-		-e "/SUPPORTED-LOCALES=/d" \
-		-e "s: \\\\::g" -e "s:/: :g" \
-		"${S}"/localedata/SUPPORTED > "${ED}"/usr/share/i18n/SUPPORTED \
-		|| die "generating /usr/share/i18n/SUPPORTED failed"
-	cd "${WORKDIR}"/extra/locale
-	dosbin locale-gen || die
-	doman *.[0-8]
-	insinto /etc
-	doins locale.gen || die
+	## COREOS ##
+	# For reference, the rest of this function has been modified to do:
+	# - The SDK just gets the full locale archive, no need for locale-gen.
+	# - CoreOS targets (which are cross compiled) don't get any locales.
+	# - Config files are installed by baselayout, not glibc.
+	# - Forget about nscd for now, we have the use flag off anyway.
+
+	if ! tc-is-cross-compiler ; then
+		emake install_root="${D}$(alt_prefix)" localedata/install-locales || die
+		# Sanity check the above command worked
+		[[ -f ${ED}/usr/$(get_libdir)/locale/locale-archive ]] || die
+	else
+		keepdir /usr/$(get_libdir)/locale
+	fi
 
 	# Make sure all the ABI's can find the locales and so we only
 	# have to generate one set
 	local a
-	keepdir /usr/$(get_libdir)/locale
 	for a in $(get_install_abis) ; do
 		if [[ ! -e ${ED}/usr/$(get_abi_LIBDIR ${a})/locale ]] ; then
 			dosym /usr/$(get_libdir)/locale /usr/$(get_abi_LIBDIR ${a})/locale
 		fi
 	done
 
-	cd "${S}"
-
-	# Install misc network config files
-	insinto /etc
-	doins nscd/nscd.conf posix/gai.conf nss/nsswitch.conf || die
-	doins "${WORKDIR}"/extra/etc/*.conf || die
-
-	if ! in_iuse nscd || use nscd ; then
-		doinitd "${WORKDIR}"/extra/etc/nscd || die
-
-		local nscd_args=(
-			-e "s:@PIDFILE@:$(strings "${ED}"/usr/sbin/nscd | grep nscd.pid):"
-		)
-		version_is_at_least 2.16 || nscd_args+=( -e 's: --foreground : :' )
-		sed -i "${nscd_args[@]}" "${ED}"/etc/init.d/nscd
-
-		# Newer versions of glibc include the nscd.service themselves.
-		# TODO: Drop the $FILESDIR copy once 2.19 goes stable.
-		if version_is_at_least 2.19 ; then
-			systemd_dounit nscd/nscd.service || die
-			systemd_newtmpfilesd nscd/nscd.tmpfiles nscd.conf || die
-		else
-			systemd_dounit "${FILESDIR}"/nscd.service || die
-			systemd_newtmpfilesd "${FILESDIR}"/nscd.tmpfilesd nscd.conf || die
-		fi
-	else
-		# Do this since extra/etc/*.conf above might have nscd.conf.
-		rm -f "${ED}"/etc/nscd.conf
-	fi
+	# Clean out any default configs
+	rm -rf "${ED}"/etc
 
 	echo 'LDPATH="include ld.so.conf.d/*.conf"' > "${T}"/00glibc
 	doenvd "${T}"/00glibc || die
 
+	cd "${S}"
 	for d in BUGS ChangeLog* CONFORMANCE FAQ NEWS NOTES PROJECTS README* ; do
 		[[ -s ${d} ]] && dodoc ${d}
 	done
-
-	# Prevent overwriting of the /etc/localtime symlink.  We'll handle the
-	# creation of the "factory" symlink in pkg_postinst().
-	rm -f "${ED}"/etc/localtime
 }
 
 toolchain-glibc_headers_install() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.23-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.23-r3.ebuild
index 971f8978c9..a649c6ce16 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.23-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.23-r3.ebuild
@@ -169,6 +169,10 @@ eblit-src_prepare-post() {
 	cd "${S}"
 
 	epatch "${FILESDIR}"/2.19/${PN}-2.19-ia64-gcc-4.8-reloc-hack.patch #503838
+	## COREOS: features and bug fixes missing from the Gentoo patch set.
+	epatch "${FILESDIR}"/2.23/glibc-2.23-gshadow-handle-erange.patch
+	epatch "${FILESDIR}"/2.23/glibc-2.23-c-utf8-locale.patch
+	epatch "${FILESDIR}"/2.23/glibc-2.23-pthread-use-after-free.patch
 
 	if use hardened ; then
 		# We don't enable these for non-hardened as the output is very terse --