Bugzilla – Bug 1180669
VUL-0: CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage
Last modified: 2024-05-22 14:36:43 UTC
In cyrus-sasl.spec (lines 217-236):

    %pre
    #Convert password file from berkely into gdbm
    #In %pre the existing file will be dumped out
    if [ -e /etc/sasldb2 ]; then
    cat <<EOF > /tmp/saslpw.awk
    {
        split(\$0,b,/\\\00/)
        if( b[3] == "userPassword" ) {
            user=b[1]
            domain=b[2]
        } else {
            if( user != "" ) {
                printf("echo '%s' | saslpasswd2 -p -u %s %s\n",substr(b[1],2),user,domain)
                user = ""
                domain = ""
            }
        }
    }
    EOF
    db_dump -p /etc/sasldb2 | gawk -f /tmp/saslpw.awk > /var/adm/update-scripts/saslpwd

This allows users on the system to escalate to root. If a user creates /tmp/saslpw.awk before this runs and then monitors the file (e.g. inotifywait /tmp/saslpw.awk), he can change it to arbitrary content after cat writes it, but before gawk is called. When something like

    BEGIN {system("chown johannes /etc/shadow")}

is written to the file, this allows escalating to root, as this snippet is executed with root privileges. Rating low since this can only be triggered once and the race is hard to win.

Reproduction:

As root (if /etc/sasldb2 doesn't exist):

    cp /etc/postfix/relocated.db /etc/sasldb2

otherwise db_dump will fail and it stops there.

As user:

    inotifywait /tmp/saslpw.awk; echo 'BEGIN {system("chown johannes /etc/shadow")}' > /tmp/saslpw.awk

Then as root install the package:

    zypper in -y -f cyrus-sasl

It's hard to win the race, but with a more optimized exploit this should work.

This was recently introduced into Factory, so we need a CVE for it: CVE-2020-8032

Please use a safe way to create temporary files or (better) don't write them to a location that users can influence.

CRD: 2021-04-07 as specified in https://en.opensuse.org/openSUSE:Security_disclosure_policy, but I would ask you to fix it right away to keep the window where this can be abused short.
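The mitigation the report asks for, as an added example that is not the cyrus-sasl package's own %pre scriptlet: the awk program is passed inline as an argument, so no file under /tmp exists that another user could create ahead of time or swap between the write and the gawk run. The db_dump listing is a constructed sample, and the "-u realm user" argument order is assumed from saslpasswd2's usual syntax.

```shell
#!/bin/sh
# Added example, not the cyrus-sasl package's %pre scriptlet. The awk
# program lives in a single-quoted argument, so there is no file in a
# world-writable directory that another user can create ahead of time or
# overwrite between "cat > /tmp/..." and "gawk -f /tmp/...". If a file is
# unavoidable, mktemp(1) (O_EXCL, mode 0600, unpredictable name) is the
# alternative; a fixed path under /tmp is never safe for a root scriptlet.

# Constructed sample in the style of "db_dump -p /etc/sasldb2" output: a
# key line "user\00realm\00userPassword" followed by the password line.
# Both carry the leading space that db_dump -p prints before each entry.
SAMPLE_DUMP='VERSION=3
format=print
type=hash
HEADER=END
 alice\00example.org\00userPassword
 s3cret
 bob\00example.org\00userPassword
 hunter2
DATA=END'

# Read a db_dump -p listing on stdin and emit one saslpasswd2 command per
# account (commands are only printed, never executed here). Argument
# order "-u realm user" is assumed from saslpasswd2's usage; \047 is a
# single quote in awk string syntax.
sasldb_to_commands() {
    awk '{
        split($0, b, /\\00/)
        if (b[3] == "userPassword") {
            user = b[1]; sub(/^ /, "", user)
            domain = b[2]
        } else if (user != "") {
            printf("echo \047%s\047 | saslpasswd2 -p -u %s %s\n",
                   substr(b[1], 2), domain, user)
            user = ""
            domain = ""
        }
    }'
}

# Run the conversion over the embedded sample and return its output.
run_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | sasldb_to_commands
}

run_sample
```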
can you please submit for Factory? Then we can make it public and publish the CVE
(In reply to Johannes Segitz from comment #4)
> can you please submit for Factory? Then we can make it public and publish
> the CVE

https://build.opensuse.org/request/show/871430
This is an autogenerated message for OBS integration: This bug (1180669) was mentioned in https://build.opensuse.org/request/show/873374 Factory / cyrus-sasl
This is an autogenerated message for OBS integration: This bug (1180669) was mentioned in https://build.opensuse.org/request/show/873673 Factory / cyrus-sasl
thanks
submit to Factory was declined, please have a look
This is an autogenerated message for OBS integration: This bug (1180669) was mentioned in https://build.opensuse.org/request/show/875151 Factory / cyrus-sasl
This is an autogenerated message for OBS integration: This bug (1180669) was mentioned in https://build.opensuse.org/request/show/875214 Factory / cyrus-sasl
This is an autogenerated message for OBS integration: This bug (1180669) was mentioned in https://build.opensuse.org/request/show/875610 Factory / cyrus-sasl
Fix is accepted
All done, closing.