Unrated severityNVD Advisory· Published Dec 5, 2019· Updated Sep 16, 2024
chkstat follows untrusted symbolic links
CVE-2019-3690
Description
The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
26- osv-coords25 versionspkg:rpm/opensuse/permissions&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/permissions&distro=openSUSE%20Tumbleweedpkg:rpm/suse/permissions&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/permissions&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/permissions&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/permissions&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/permissions&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 20181116-lp151.4.9.1+ 24 more
- (no CPE)range: < 20181116-lp151.4.9.1
- (no CPE)range: < 1550_20210901.1550-29.2
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 20170707-3.14.1
- (no CPE)range: < 20180125-3.21.1
- (no CPE)range: < 20180125-3.21.1
- (no CPE)range: < 20180125-3.18.1
- (no CPE)range: < 2013.1.7-0.6.5.1
- (no CPE)range: < 2013.1.7-0.6.5.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 20170707-3.14.1
- (no CPE)range: < 20170707-3.14.1
- (no CPE)range: < 20180125-3.21.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 20170707-3.14.1
- (no CPE)range: < 20170707-3.14.1
- (no CPE)range: < 20180125-3.21.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- (no CPE)range: < 2015.09.28.1626-17.20.1
- Range: unspecified
Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.htmlmitrevendor-advisoryx_refsource_SUSE
- bugzilla.suse.com/show_bug.cgimitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.