Disclaimer: I'm definitely not a security expert (I'm actually a mathematician, my programming "competence" is mostly "by proxy"), so what I write here might not make sense.
I've searched the source code and found "setuid" in the following places:
- ./binaries/data/mods/public/simulation/ai/common-api/shared.js and entitycollection.js. These seem not to be the real deal*.
- gloox, again, probably not the real thing*.
- mongoose. We use a version from 2011(!); since then, development seems to have moved from Hg to git (https://github.com/cesanta/mongoose seems to be where it's now) and, obviously, the source code is completely different. It says it's an embedded web server library; I know very little about these things, so I can't help with updating it.

* These seem to be custom functions that set a variable called _uid or m_uid.
The situation for "gethostbyname" is as follows:
So, to conclude, the culprit is likely that ancient version of mongoose (and who can blame it, back then people were still typing on stone tablets).
It would be an "easy" fix to update it, but since this kind of thing is going to be (and already is for some other libraries we use) a recurring theme, we should probably also create a wiki page (or something like it) where third party libraries are tracked together with their upstream locations, related bugs/issues (e.g. this) and our porting/updating/staging/... branches. Or, if that already exists, it should be way more front-and-center (I couldn't find it on the Wiki at a quick glance).
I'd like to apologize. It's certainly not ideal that security concerns/bugs (however exploitable they might be) stand unanswered for this long. It's also unfortunate that little effort went into keeping up with (some) third-party library updates. There is no point in laying blame somewhere, I just hope we can make sure these problems get fixed before they blow up in our faces.
PS: I'm slightly pissed that I had to step way out of my area of competence here because some people think it's cool to ignore a distribution's maintainer for our package or something. It's possible it was decided to keep the fix private/secret until it was ready; anyway, you could have at least written something like "acknowledged" or a more informed version of what I cobbled together.
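The search described in the post above, as an added example that is not part of the original post or of the project's own code: a small scanner that walks a source tree for calls to the two libc functions the post looked for (setuid, gethostbyname), only in C/C++ sources, so that a JavaScript file that merely defines a method called setuid (like the shared.js case above) does not count as a hit. The sample tree it builds is constructed here for illustration; the file names and contents are assumptions, not the game's real sources.

```python
import re
import tempfile
from pathlib import Path

# Calls worth a second look during review: setuid changes process privileges;
# gethostbyname is obsolete (not thread-safe, IPv4 only) and was the other
# identifier searched for in the post above.
WATCHED_CALLS = ("setuid", "gethostbyname")
C_SUFFIXES = {".c", ".cc", ".cpp", ".h", ".hpp"}
# Word boundary plus an opening parenthesis: we want calls, not substrings.
CALL_RE = re.compile(r"\b(" + "|".join(WATCHED_CALLS) + r")\s*\(")


def scan_tree(root):
    """Return (relative_path, line_no, call) for every watched libc call in
    C/C++ sources under root. Other file types (e.g. .js) are skipped: a
    'setuid' string in a JavaScript file cannot be a libc call."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in C_SUFFIXES:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if line.lstrip().startswith("//"):  # skip single-line comments
                continue
            for m in CALL_RE.finditer(line):
                hits.append((path.relative_to(root).as_posix(), no, m.group(1)))
    return hits


# Constructed sample tree (assumed layout, not the real repository): one C file
# that calls both functions, one JS file that merely mentions the word.
SAMPLE_FILES = {
    "libraries/mongoose/mongoose.c": (
        "#include <netdb.h>\n"
        "static int drop_privs(void) {\n"
        "    // setuid(0) would be wrong here\n"
        "    return setuid(1000);\n"
        "}\n"
        "static void resolve(const char *h) {\n"
        "    struct hostent *he = gethostbyname(h);\n"
        "}\n"
    ),
    "simulation/ai/common-api/shared.js":
        "this.setuid = function(id) { this._uid = id; };\n",
}


def build_and_scan():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, no, call in build_and_scan():
        print(f"{rel}:{no}: {call}(")
```

Run against a real checkout, point scan_tree at the repository root; the hits it prints are the places to review by hand (which library they belong to, and how far behind upstream that library is), which is exactly the information a third-party library tracking page would record.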