Bug 1339183 (CVE-2016-4445) - CVE-2016-4445 setroubleshoot: insecure use of commands.getstatusoutput in sealert
Summary: CVE-2016-4445 setroubleshoot: insecure use of commands.getstatusoutput in sea...
Status: CLOSED ERRATA
Alias: CVE-2016-4445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160621,repor...
Keywords: Security
Depends On: 1339375 1339377
Blocks: 1332645
TreeView+ depends on / blocked
 
Reported: 2016-05-24 10:49 UTC by Tomas Hoger
Modified: 2019-06-08 21:12 UTC (History)
7 users (show)

(edit)
A shell command injection flaw was found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use this flaw to execute arbitrary code with root privileges.
Clone Of:
(edit)
Last Closed: 2016-06-22 09:09:48 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1267 normal SHIPPED_LIVE Important: setroubleshoot and setroubleshoot-plugins security update 2016-06-22 01:24:18 UTC

Description Tomas Hoger 2016-05-24 10:49:55 UTC
It was discovered that sealert executed external fix commands using commands.getstatusoutput() without properly sanitizing untrusted inputs used as command arguments.  These inputs originated from SELinux AVC messages.  A local user could use this flaw to execute arbitrary code as root if they could trigger an SELinux denial using a file with a specially crafted name.

The use of commands.getstatusoutput() was already removed upstream via the following commit:

https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7

Comment 1 Tomas Hoger 2016-05-24 10:53:36 UTC
Acknowledgments:

Name: Red Hat Product Security

Comment 8 Tomas Hoger 2016-06-21 11:36:48 UTC
Lifting embargo.

Comment 9 errata-xmlrpc 2016-06-21 21:24:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1267 https://access.redhat.com/errata/RHSA-2016:1267

Comment 10 Tomas Hoger 2016-06-22 09:04:59 UTC
This issue was fixed upstream in version 3.2.23.  The setroubleshoot packages in Red Hat Enterprise Linux 7 were updated from version 3.2.17 to version 3.2.24 via RHBA-2015:2287, released as part of Red Hat Enterprise Linux 7.2.

https://rhn.redhat.com/errata/RHBA-2015-2287.html

Therefore, this issue was corrected in that update.


Note You need to log in before you can comment on or make changes to this bug.