The logcheck ebuilds all call "chown -R" on the root filesystem during pkg_postinst:
chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die
This is exploitable in the same way that the init scripts were: the first install is safe, but then the logcheck user can place a hard link in either of those directories pointing to e.g. /root/.bashrc. The next time logcheck is installed, the ebuild will call chown on the hardlink, and give ownership of /root/.bashrc to the "logcheck" user.
I'm marking this private, but the package is maintainer-needed, so it's up to @security who to CC. If someone wants to take a shot at it, my first attempt would be to use "fowners root:logcheck ..." and to do it on $D in src_install. Another call to fperms could then make those directories group-rwx. Neither call should operate recursively.
@mrueg: Hi Manuel, I see you're the last dev to touch this package with a version bump earlier this year. Maybe you want to take a crack at fixing this issue and taking over maintainership of the package?
I'm not interested in maintaining it.
the cronjob is probably similarly vulnerable in /etc/cron.hourly/logcheck.cron
> chown -R logcheck:logcheck /var/lock/logcheck
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894