The replicatorg ebuilds call "chown -R" in pkg_postinst:

    pkg_postinst() {
        ...
        chmod -R g+w "${ROOT}"/opt/replicatorg
        chown -R root:replicator "${ROOT}"/opt/replicatorg

This can be exploited by anyone in the "replicator" group to gain root. A member of that group can place a hard link to a root-owned file under /opt/replicatorg, and the next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's stuff to the member of the "replicator" group.

For example,

1. emerge replicatorg
2. add yourself to the "replicator" group
3. ln /etc/passwd /opt/replicatorg/lib/x
4. emerge replicatorg
5. /etc/passwd is group-writable by the "replicator" group

I've marked this private but the package is maintainer-needed, so security@ will need to pick someone to CC.
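As an added example (not code from the bug report or from the replicatorg ebuild), the following POSIX shell functions show the check a package maintainer would want before any recursive ownership change over a live directory: refuse when the tree contains hard links or symlinks, since those are exactly what carries the change outside the tree. The function names count_foreign_links and apply_owner_safely are hypothetical; the proper ebuild fix is to set ownership with fowners/fperms in src_install on the image directory, so no recursive chown runs over the installed filesystem at all.

```shell
#!/bin/sh
# Added example; not from the bug report or the replicatorg ebuild.
# A recursive chown over a live directory touches every inode it reaches,
# so a hard link planted under the tree changes ownership of the linked
# file (/etc/passwd in the report). count_foreign_links counts entries
# that can reach outside the tree: regular files with a link count above
# one, and symlinks. apply_owner_safely refuses to touch the tree unless
# that count is zero, then applies ownership per entry with chown -h so
# that nothing is dereferenced.

# Print the number of hard-linked regular files and symlinks under $1.
# Returns 1 (and prints 0) if $1 is not a directory.
count_foreign_links() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 1; }
    find "$dir" \( -type f -links +1 \) -o -type l | wc -l | tr -d ' '
}

# Apply owner[:group] $2 to every entry under $1, but only when the tree
# contains no entry that could carry the change elsewhere.
# Returns 0 on success, 1 when the tree is refused or chown fails.
apply_owner_safely() {
    dir="$1"; owner="$2"
    n=$(count_foreign_links "$dir") || return 1
    if [ "$n" -gt 0 ]; then
        echo "refusing: $n hard-linked or symlinked entries under $dir" >&2
        return 1
    fi
    # -h: never follow symlinks, so a link that raced in after the check
    # would only have its own directory entry changed, not its target.
    # (The check-then-act window remains; ownership set on the image
    # directory before merge avoids the problem entirely.)
    find "$dir" -exec chown -h "$owner" {} + || return 1
    return 0
}
```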
The package has been removed now.
Removing group restriction