CVE-2022-31252 – permissions: chkstat does not check for group-writable parent directories or target files in safeOpen()

https://notcve.org/view.php?id=CVE-2022-31252

06 Oct 2022 — A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. op... • https://bugzilla.suse.com/show_bug.cgi?id=1203018 • CWE-863: Incorrect Authorization •