The ebuilds for sguil-server call "chown -R" in pkg_postinst:

    pkg_postinst(){
        ...
        chown -R sguil:sguil "${ROOT}"/etc/sguil/sguild.*
        chown -R sguil:sguil "${ROOT}"/usr/lib/sguild

This can be exploited by the "sguil" user to gain root if he places a hard link to a root-owned file in one of those directories. For example,

1. emerge sguil-server
2. su -s /bin/sh -c 'ln /etc/passwd /usr/lib/sguild/x' sguil
3. emerge sguil-server
4. /etc/passwd is owned by the "sguil" user.
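The report above boils down to one rule for packagers: never run a recursive chown over a tree the target user can already write to, because any hard link they planted there points at an inode outside the tree. The following is an added example, not code from the bug report or from the sguil ebuilds; the helper names multilinked_files and safe_chown_tree are assumptions. It shows the check a maintainer script can make before changing ownership: refuse the whole operation if any regular file in the tree has a link count above one, and otherwise touch only directories (which cannot be hard-linked) and single-link files.

```sh
#!/bin/sh
# Added example, not from the Gentoo bug or the sguil ebuild.
# Assumed helper names: multilinked_files, safe_chown_tree.

# List regular files under $1 whose link count is greater than 1.
# A file an unprivileged user smuggled into the tree as a hard link
# to a root-owned target necessarily has nlink >= 2, so it shows up here.
multilinked_files() {
    find "$1" -type f -links +1
}

# Recursive ownership change that cannot reach outside the tree:
# abort (exit status 1) if a hard-linked file is present, otherwise
# chown directories and single-link regular files only. Symlinks are
# not matched by -type f, so they are never followed or touched.
safe_chown_tree() {
    owner="$1"
    dir="$2"
    if [ -n "$(multilinked_files "$dir")" ]; then
        echo "refusing to chown $dir: hard-linked files present:" >&2
        multilinked_files "$dir" >&2
        return 1
    fi
    find "$dir" \( -type d -o -type f -links 1 \) -exec chown "$owner" {} +
}
```

Calling safe_chown_tree in place of chown -R turns the scenario in the report into a loud failure instead of a silent ownership change of /etc/passwd. Independently of the packaging fix, the Linux sysctl fs.protected_hardlinks=1 (present since kernel 3.6) blocks step 2 of the report outright, since it denies creating hard links to files the caller neither owns nor has both read and write access to.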
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
Package removed.
All unstable so no GLSA.