A shell command injection flaw was found in the way setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use this flaw to execute arbitrary code with root privileges.
It was discovered that sealert executed external fix commands using commands.getstatusoutput() without properly sanitizing untrusted inputs used as command arguments. These inputs originated from SELinux AVC messages. A local user could use this flaw to execute arbitrary code as root if they could trigger an SELinux denial using a file with a specially crafted name.
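As an added illustration (not setroubleshoot's own code), the string-building pattern the advisory describes beside a shell-free replacement; `restorecon -v` is an assumed stand-in for a fix command, and the file name is a constructed sample:

```python
import shlex
import subprocess
import sys

# Constructed sample: a file name of the kind an AVC message could carry,
# containing characters a shell would interpret.
UNTRUSTED_NAME = "report;$(date) & more.txt"

# Assumed fix command shape (an argv list, not a string); restorecon stands
# in for whatever fix sealert would run.
FIX_ARGV = ["restorecon", "-v"]

def build_fix_string_unsafe(fix_cmd, path):
    """The defective pattern: interpolate the path into one string that is then
    handed to a shell (commands.getstatusoutput() in Python 2). Every shell
    metacharacter in `path` is interpreted instead of being part of the name.
    Kept only for contrast; nothing here executes it."""
    return "%s %s" % (fix_cmd, path)

def build_fix_argv(fix_argv, path):
    """Hardened form: append the path as one argv element. With no shell in the
    loop, the string reaches the program unchanged, metacharacters and all."""
    return list(fix_argv) + [path]

def run_fix(fix_argv, path):
    """Execute a fix without a shell (shell=False is subprocess.run's default).
    Returns (exit status, stdout) like getstatusoutput, minus the shell."""
    proc = subprocess.run(build_fix_argv(fix_argv, path),
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout

def log_form(argv):
    """Only when a command must be shown or logged as text, quote each element
    so the rendering is unambiguous; never feed this string back to a shell."""
    return " ".join(shlex.quote(a) for a in argv)

# Stand-in program that prints its first argument, so the demo runs anywhere
# Python does and shows the name arriving as a single intact argument.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

if __name__ == "__main__":
    print("unsafe string:", build_fix_string_unsafe("restorecon -v", UNTRUSTED_NAME))
    print("logged form:  ", log_form(build_fix_argv(FIX_ARGV, UNTRUSTED_NAME)))
    status, out = run_fix(ECHO_ARGV, UNTRUSTED_NAME)
    print("received:     ", repr(out.rstrip("\n")), "status", status)
```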
The use of commands.getstatusoutput() was already removed upstream via the following commit:
Name: Red Hat Product Security
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1267 https://access.redhat.com/errata/RHSA-2016:1267
This issue was fixed upstream in version 3.2.23. The setroubleshoot packages in Red Hat Enterprise Linux 7 were updated from version 3.2.17 to version 3.2.24 via RHBA-2015:2287, released as part of Red Hat Enterprise Linux 7.2.
Therefore, this issue was corrected in that update.