MITRE clarified the scope of CVE-2018-6533 and CVE-2017-16933
After querying MITRE, a further sentence was added to the description (a larger issue than CVE-2017-16933). Basically, CVE-2017-16933 is for the unsafe use of chown(1) as found by the original reporter. In consequence of this original report, upstream started a more general audit of the product's design; in particular, it was concluded that using init.conf to support run-time reconfiguration of an account was a general design flaw. The reasons are not fully explained in any pull request, but go beyond the behaviour of the chown(1) program, e.g. using install(1) in an unsafe manner as well. The rationale for two CVEs is thus closely related to "incomplete fix", or better in practice categorized as an "incompletely identified problem".