CVE-2009-2657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2657): nilfs-utils before 2.0.14 installs multiple programs with unnecessary setuid privileges, which allows local users to execute arbitrary commands via the device string in a -c command line option to mkfs.nilfs2.
I had dropped setuid with files/nilfs-utils-2.0.12-gentoo.patch. I contacted upstream and got an answer that it has no effect in Gentoo. cf. https://www.nilfs.org/pipermail/users/2009-July/000826.html
> Users using a distro package do not suffer the problem because the suid bit is dropped in that case.
Ok, thanks & sorry! Closing INVALID.