The /usr/bin/mu-conference executable is owned by the "jabber" user:
-rwxr-x--- 1 jabber jabber 191K 2017-08-30 21:48 /usr/bin/mu-conference
That's in root's PATH, and could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "jabber" user to gain root. Instead, that executable should probably be root:root or root:jabber (the latter if you want to leave it mode 750).
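An audit for the condition described in the report above, as an added example that is not part of the original bug thread or the Gentoo ebuild: it lists executables in a PATH-style directory list that are not owned by root. The function name `audit_path_owners` is hypothetical, and GNU findutils is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): report executables in a
# colon-separated directory list that are owned by an untrusted uid.
# Assumes GNU findutils (-maxdepth, -perm /111, -uid, -printf).
#
# Usage, as root:  audit_path_owners "$PATH"
#
# audit_path_owners PATHLIST [TRUSTED_UID]
#   PATHLIST     colon-separated directories, same syntax as $PATH
#   TRUSTED_UID  numeric uid allowed to own executables (default 0, root)
# Prints "owner:group mode path" for every regular file that has at least
# one execute bit set and is owned by a uid other than TRUSTED_UID.
# Returns 0 when nothing is reported, 1 otherwise.
audit_path_owners() {
    trusted=${2:-0}
    report=$(
        printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
            # Skip empty entries and directories that do not exist.
            [ -n "$dir" ] && [ -d "$dir" ] || continue
            # -maxdepth 1: PATH lookup does not descend into subdirectories.
            # Symlinks are not followed; only regular files are checked.
            find "$dir" -maxdepth 1 -type f -perm /111 ! -uid "$trusted" \
                -printf '%u:%g %m %p\n'
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

On a system with the ownership shown above, this would print a line of the form `jabber:jabber 750 /usr/bin/mu-conference`; after changing the owner to root it would no longer be listed.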
Is this a Gentoo-specific issue? It may be good to report upstream about this.
Gentoo Security Padawan
The ebuild does,
fowners jabber:jabber /usr/bin/mu-conference
so it's probably not an upstream issue. If the maintainer deletes that line and if /usr/bin/mu-conference is still owned by an unprivileged user, then we can blame upstream.
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <firstname.lastname@example.org>
AuthorDate: 2018-03-03 17:10:33 +0000
Commit: Thomas Deutschmann <email@example.com>
CommitDate: 2018-03-03 17:10:33 +0000
net-im/mu-conference: Removed from repository
net-im/mu-conference/Manifest | 1 -
net-im/mu-conference/files/mu-conference-0.7.init | 25 ------
.../files/mu-conference-0.8.81-sha1_64bit.patch | 31 -------
net-im/mu-conference/metadata.xml | 6 --
.../mu-conference/mu-conference-0.8.81-r2.ebuild | 94 ----------------------
5 files changed, 157 deletions(-)
Package was removed from repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=078f330fe5a44d365eccd9da4d83b90378921da7.
Package wasn't marked stable, therefore no removal GLSA is required.
Repository is clean, all done.