The executables installed to /usr/bin by net-im/jabberd2 are owned by the "jabber" user:

    -rwxr-x--- 1 jabber jabber 9.5K 2017-08-30 21:34 jabberd
    -rwxr-x--- 1 jabber jabber 192K 2017-08-30 21:34 jabberd2-c2s
    -rwxr-x--- 1 jabber jabber 160K 2017-08-30 21:34 jabberd2-router
    -rwxr-x--- 1 jabber jabber 180K 2017-08-30 21:34 jabberd2-s2s
    -rwxr-x--- 1 jabber jabber 180K 2017-08-30 21:34 jabberd2-sm

Those are in root's PATH, and could conceivably be run as root during debugging or experimentation. If that ever happens, it's trivial for the "jabber" user to gain root; instead, those should likely all be root:root, or maybe root:jabber if you want to leave them mode 750.
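As an added example (not part of the bug report or the jabberd2 ebuild), the following POSIX shell script performs the audit the comment above implies: it finds executables in a PATH directory that are not owned by root, both live on a directory and offline over a pasted ls -l listing, and it carries the ownership fix the reporter suggests (root:jabber, mode 750). The directory, file names and listing used for the demonstration are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the jabberd2 package or the Gentoo tree.
# Checks for executables on a PATH directory that an unprivileged user owns
# (and could therefore replace), as described in the report above.

# Live check: print executables directly under DIR whose owner uid is not
# OWNER_UID (default 0, i.e. root). -perm -100 selects files with the
# owner-execute bit set; -maxdepth 1 keeps the scan to DIR itself.
find_execs_not_owned_by() {
    dir="$1"
    owner_uid="${2:-0}"
    find "$dir" -maxdepth 1 -type f -perm -100 ! -uid "$owner_uid" | sort
}

# Same check, reduced to a count for scripting (0 means clean).
count_execs_not_owned_by() {
    find_execs_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Offline check over an ls -l listing read from stdin: print "owner name"
# for each regular file (mode string starts with '-') not owned by root.
nonroot_owned_from_listing() {
    awk '$1 ~ /^-/ && $3 != "root" { print $3, $NF }'
}

# Count of non-root-owned regular files in the listing passed as $1.
count_nonroot_in_listing() {
    printf '%s\n' "$1" | nonroot_owned_from_listing | wc -l | tr -d ' '
}

# Constructed listing (modelled on the report, with one entry already fixed).
SAMPLE_LISTING='-rwxr-x--- 1 jabber jabber 9.5K 2017-08-30 21:34 jabberd
-rwxr-x--- 1 root   root   192K 2017-08-30 21:34 jabberd2-c2s
-rwxr-x--- 1 jabber jabber 160K 2017-08-30 21:34 jabberd2-router'

# Remediation suggested in the report: root-owned, service group may still
# execute, mode 750. Must be run as root; GROUP defaults to "jabber".
fix_ownership() {
    group="${2:-jabber}"
    chown "root:$group" "$1" && chmod 750 "$1"
}

# Stand-alone run: report on the sample listing and on /usr/bin.
if [ "${1:-}" = "--demo" ]; then
    echo "Non-root-owned entries in sample listing:"
    printf '%s\n' "$SAMPLE_LISTING" | nonroot_owned_from_listing
    echo "Executables in /usr/bin not owned by root:"
    find_execs_not_owned_by /usr/bin 0
fi
```

Run it as `sh audit.sh --demo` to print the offenders in the constructed listing and then the real ones in /usr/bin; `fix_ownership /usr/bin/jabberd` applies the reporter's suggested ownership to one file when run as root.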
Is this a Gentoo-specific issue? It may be good to report this upstream. Gentoo Security Padawan ChrisADR
The ebuild does:

    fowners jabber:jabber /usr/bin/{jabberd,router,sm,c2s,s2s}

so I doubt it's an upstream issue.
Either someone takes care of deeply reviewing the ebuild and init files (due to other open bugs affecting them) or this should be treecleaned (there is also a pending security issue revbump in another bug).
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6. Added to an existing GLSA request filed.
CVE-2017-18225 was assigned for this issue.
This issue was resolved and addressed in GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07 by GLSA coordinator Christopher Diaz Riveros (chrisadr).