CVE-2021-41387: 
NixOS vulnerability analysis and mitigation

seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation because it uses execlp and may be installed setuid root. The vulnerability was discovered on September 15, 2021, and was fixed in seatd release 0.6.2. This security issue affects versions 0.6.0 and 0.6.1 of seatd-launch (Seatd Announce).

The vulnerability exists because seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable to execute seatd. This implementation allowed attackers to control what executable was loaded by adding a user-writable directory to PATH. When seatd-launch had the SUID bit set, this could be exploited by a malicious user with execution permissions to perform privilege escalation to the owner of seatd-launch (typically root). The vulnerability was introduced in commit 1e98727ae9df when implementing the seatd-launch executable (Seatd Announce).

If successfully exploited, this vulnerability allows local attackers to escalate their privileges to root level when seatd-launch is installed with the SUID bit set. It's important to note that the SUID bit is not set by the build system installation process and must be explicitly set by either the package maintainer or user (Seatd Announce).

The vulnerability was fixed in seatd 0.6.2 by hardcoding an absolute path to seatd at compile-time and replacing execlp with execve, which also avoids environment inheritance as a preventive measure. Users are recommended to either upgrade to version 0.6.2 or remove seatd-launch if installed with SUID bit set (Seatd Announce).