The ebuilds for qmail-scanner call "chown -R" in pkg_postinst:

  pkg_postinst () {
      einfo "Fixing ownerships"
      chown -R qscand:qscand /var/spool/qscan
      ...

This can be exploited by the "qscand" user to gain root, if he places a link in /var/spool/qscand and if the user upgrades or reinstalls the package. For example,

  1. emerge qmail-scanner
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/qscan/x' qscand
  3. emerge qmail-scanner
  4. /etc/passwd is owned by qscand
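
A pre-flight check for the pattern reported above, as an added example that is not part of the original report or of the qmail-scanner ebuild; the function names are hypothetical. It refuses a recursive chown when the tree holds symlinks or non-directories with more than one hard link. The scan and the chown are separate steps, so an entry created in between is not caught: the check narrows the window but does not close it.

```sh
#!/bin/sh
# Added example; find_unsafe_entries and safe_chown_tree are hypothetical
# helper names, not functions from Portage or the qmail-scanner ebuild.

# Print every entry under $1 through which an ownership change could reach
# a file outside the tree: symlinks, and non-directories whose link count
# is greater than one (the hard link to /etc/passwd in the report).
find_unsafe_entries() {
    find "$1" -xdev \( -type l -o \( ! -type d -links +1 \) \) -print
}

# Recursively chown directory $2 to owner $1, but only when the tree holds
# no unsafe entries. Returns 0 after the chown, 1 when the tree is refused,
# 2 when the tree could not be scanned.
safe_chown_tree() {
    owner=$1
    dir=$2
    unsafe=$(find_unsafe_entries "$dir") || return 2
    if [ -n "$unsafe" ]; then
        printf 'refusing to chown %s, unsafe entries:\n%s\n' \
            "$dir" "$unsafe" >&2
        return 1
    fi
    # -h changes a symlink itself rather than its target, in case one
    # appears after the scan. It does not help against hard links, which
    # share the inode with the file they point at.
    chown -hR "$owner" "$dir"
}

# Usage (as root, in place of the bare "chown -R" quoted in the report):
#   safe_chown_tree qscand:qscand /var/spool/qscan
```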
This package was removed a year and a half ago:

  commit ec7079c0c95dd1dac40e7b67fba9383a5498dcb8
  Author: Pacho Ramos <pacho@gentoo.org>
  Date:   Sun Apr 29 20:13:13 2018 +0200

      Remove masked for removal package

   mail-filter/qmail-scanner/Manifest | 8 -
   .../files/qmail-scanner-2.05.logrotate | 4 -
   .../files/qmail-scanner-2.06.logrotate | 4 -
   .../qmail-scanner-2.08-disable-suid-check.patch | 17 --
   .../files/qmail-scanner-2.08.logrotate | 4 -
   .../qmail-scanner/files/qmailscanner.cronjob | 2 -
   .../qmail-scanner/files/qmailscanner.logrotate | 4 -
   mail-filter/qmail-scanner/metadata.xml | 15 --
   .../qmail-scanner/qmail-scanner-1.25-r1.ebuild | 163 -----------------
   .../qmail-scanner/qmail-scanner-2.05.ebuild | 190 --------------------
   .../qmail-scanner/qmail-scanner-2.06.ebuild | 193 --------------------
   .../qmail-scanner/qmail-scanner-2.08.ebuild | 194 ---------------------
   12 files changed, 798 deletions(-)
unrestricting and re-assigning per bug 705894