The wwwoffle ebuild calls "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { ... chown -R wwwoffle:wwwoffle "${ROOT}/var/spool/wwwoffle" ... This can be exploited by the "wwwoffle" user to gain root if he places a hard link to a root-owned file in that directory. The next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's file to the "wwwoffle" user. For example, 1. emerge wwwoffle 2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/wwwoffle/x' wwwoffle 3. emerge wwwoffle 4. /etc/passwd is owned by the "wwwoffle" user I'm marking this private, but the package is maintainer-needed, so security@ will need to find someone appropriate to CC to fix it.
No maintainer, no upstream release in 3+ years, open security bugs... treeclean!
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
CCing treecleaner as previously suggested
