The anomy-sanitizer ebuild calls "chown -R" in pkg_postinst:

  pkg_postinst() {
      chown -R sanitizer:sanitizer "${ROOT}"/${SANI_WORKDIR}

The "sanitizer" user can exploit this to gain root by placing a link in SANI_WORKDIR. For example,

  1. emerge anomy-sanitizer
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/sanitizer/x' sanitizer
  3. emerge anomy-sanitizer
  4. /etc/passwd is owned by "sanitizer"

I'm marking this private but the package is maintainer-needed, so security@ please CC someone who might want to fix it.
The package has been removed.
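
An audit check for the condition the report describes, added here as an example and not taken from the ebuild or the bug thread: it lists non-directory entries with more than one hard link under a tree before that tree is passed to a recursive chown. The function names and the temporary demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed demo data).

# Print every non-directory entry under DIR whose link count is above 1.
# Such an entry shares its inode with a name elsewhere, so a recursive
# chown of DIR also changes the owner of that other name.
find_multilinked() {
    # -xdev: stay on one filesystem; -links +1: more than one hard link
    find "$1" -xdev ! -type d -links +1 -print
}

# Return 0 when DIR holds no multiply-linked entries, 1 otherwise.
tree_is_chown_safe() {
    [ -z "$(find_multilinked "$1")" ]
}

# Demonstration on a throwaway tree: "workdir" stands in for the
# service-owned directory, "outside/target" for a file outside it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/workdir" "$tmp/outside"
    echo "outside data" > "$tmp/outside/target"
    echo "queued mail" > "$tmp/workdir/ordinary"
    ln "$tmp/outside/target" "$tmp/workdir/x"

    if tree_is_chown_safe "$tmp/workdir"; then
        echo "no multiply-linked files found"
    else
        echo "refusing recursive chown, multiply-linked files:"
        find_multilinked "$tmp/workdir"
    fi
    rm -rf "$tmp"
}

demo
```

This is a point-in-time check: the directory's owner can still add a link between the check and the chown, so it works as an audit of existing trees rather than as a complete fix.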