MLDonkey: Privilege escalation

The Gentoo MLDonkey ebuild adds a user to the system with a valid login shell and no password.

mldonkey 2007-10-24 2007-11-07 189412 remote 2.9.0-r3 2.9.0-r3

MLDonkey is a peer-to-peer filesharing client that connects to several different peer-to-peer networks, including Overnet and BitTorrent.

The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that the MLDonkey service can run under a user with low privileges. With older Portage versions this user is created with a valid login shell and no password.

A remote attacker could log into a vulnerable system as the p2p user. This would require an installed login service that permitted empty passwords, such as SSH configured with the "PermitEmptyPasswords yes" option, a local login console, or a telnet server.

See Resolution.

Change the p2p user's shell to disallow login. For example, as root run the following command:

# usermod -s /bin/false p2p

NOTE: Updating to the current MLDonkey ebuild will not remove this vulnerability; it must be fixed manually. The updated ebuild only prevents this problem from occurring in the future.
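To confirm whether the manual fix is still needed, and whether other accounts share the same condition, the following added example (not part of the advisory or the ebuild) lists accounts that have an empty password field in shadow together with a shell that permits login. The function names and the sample account data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: report accounts that combine an empty
# password field in shadow with a shell that still permits login.

# find_empty_pw_logins [passwd_file] [shadow_file]
# Prints "user shell" for each account at risk; prints nothing if none.
find_empty_pw_logins() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    awk -F: '
        # Pass 1 (shadow): remember users whose password field is empty.
        FILENAME == ARGV[1] { if ($2 == "") empty[$1] = 1; next }
        # Pass 2 (passwd): ignore users that do have a password entry.
        !($1 in empty) { next }
        # Ignore users whose shell (by basename) denies login.
        { n = split($7, part, "/"); base = part[n] }
        base == "false" || base == "nologin" { next }
        # An empty shell field means the system default, /bin/sh.
        { print $1, ($7 == "" ? "/bin/sh" : $7) }
    ' "$shadow_file" "$passwd_file"
}

# Demo on constructed sample data (not real account data).
demo_constructed() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
p2p:x:101:101:constructed mldonkey user:/home/p2p:/bin/bash
ftp:x:21:21::/home/ftp:/bin/false
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:13800:0:99999:7:::
p2p::13800:0:99999:7:::
ftp::13800:0:99999:7:::
nobody:*:13800:0:99999:7:::
EOF
    find_empty_pw_logins "$dir/passwd" "$dir/shadow"
    status=$?
    rm -rf "$dir"
    return $status
}

demo_constructed
```

Run as root, `find_empty_pw_logins` with no arguments reads the live /etc/passwd and /etc/shadow; after the usermod command above, the p2p account should no longer appear in its output.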

CVE-2007-5714 jaervosz aetius p-y