The init script for jabberd2 gives ownership of its PID file directory to the "jabber" user:

    start_pre() {
        checkpath -d -o jabber /var/run/jabber
    }

This can be exploited by the "jabber" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of any PID files he finds.

The problem is ultimately due to the fact that jabberd is allowed to create the PID files, while start-stop-daemon is responsible for dropping privileges (which happens first). Instead, I recommend commenting out all of the <pidfile> directives in the jabberd XML config files, and passing "--make-pidfile" to start-stop-daemon in the init script. That will cause start-stop-daemon to create the PID files as root:root, and they can all be placed directly in /run to avoid the vulnerability.

(This init script is a mess because it's used to start more than one service. I would also strongly recommend that it be split up into three or four init scripts, one for each service -- all of them would then become considerably simpler.)
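An audit for the condition reported above, as an added example that is not part of the original report or of the jabberd2 ebuild: it flags PID files that root should not signal from, because the file or its directory is owned by another account or is group/world writable. The function names and the TRUSTED_UID variable are hypothetical, and `stat -c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (not from the report). TRUSTED_UID is a hypothetical knob so
# the check can be exercised without root; a real audit leaves it at 0.
TRUSTED_UID="${TRUSTED_UID:-0}"

# owner_ok PATH: PATH (symlinks resolved) is owned by TRUSTED_UID and is not
# writable by group or others.
owner_ok() {
    meta=$(stat -L -c '%u %a' "$1" 2>/dev/null) || return 1
    uid=${meta% *}
    mode=${meta#* }
    [ "$uid" = "$TRUSTED_UID" ] || return 1
    # 022 (octal) = group-write | other-write; the leading 0 makes $mode octal.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# pidfile_trusted FILE: FILE is a regular file (not a symlink), and both it
# and its parent directory pass owner_ok. Only then is its content a PID that
# a root-run stop routine can act on.
pidfile_trusted() {
    pidfile=$1
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1
    owner_ok "$pidfile" && owner_ok "$(dirname "$pidfile")"
}

# audit_piddir DIR: print "UNTRUSTED <path>" for every *.pid under DIR that
# fails pidfile_trusted; exit status is 0 only when none were found.
audit_piddir() {
    find "$1" -name '*.pid' 2>/dev/null | {
        bad=0
        while IFS= read -r f; do
            pidfile_trusted "$f" || { echo "UNTRUSTED $f"; bad=1; }
        done
        [ "$bad" -eq 0 ]
    }
}

# Usage (as root): audit_piddir /run
```

With the directory layout from the report, every PID file under /var/run/jabber would be listed, since the directory itself is owned by "jabber".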
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6. New GLSA request filed.
CVE-2017-18226 was assigned for this issue.
This issue was resolved and addressed in GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07 by GLSA coordinator Christopher Diaz Riveros (chrisadr).