From the Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=724005: It was found that libgssapi and libgssglue GSSAPI interface exporting libraries did not properly sanitize content of user-provided configuration file, determining which GSS mechanisms and their definitions will be loaded during library initialization. A local attacker, allowed to mount a network file system (NFS) share could use this flaw to execute arbitrary code with the privileges of the the privileged system user (root). There appears to be a patch at: http://article.gmane.org/gmane.comp.security.oss.general/5712
according to... https://bugzilla.redhat.com/show_bug.cgi?id=724005#c9 ...this is fixed with version 0.4 which is now in Portage arches, please test and stabilize it (beware, this was non-maintainer commit):
amd64 stable
Stable for HPPA.
ppc stable.
x86 stable.
Stable arm
Stable ppc64
alpha/ia64/s390/sh/sparc stable
Thanks, everyone. GLSA draft ready for review.
This issue was resolved and addressed in GLSA 201209-22 at http://security.gentoo.org/glsa/glsa-201209-22.xml by GLSA coordinator Sean Amoss (ackle).