Bug 1339183 (CVE-2016-4445) - CVE-2016-4445 setroubleshoot: insecure use of commands.getstatusoutput in sealert
Alias: CVE-2016-4445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1339375 1339377
Blocks: 1332645
Reported: 2016-05-24 10:49 UTC by Tomas Hoger
Modified: 2021-02-17 03:51 UTC

Fixed In Version: setroubleshoot 3.2.23
Doc Type: Bug Fix
Doc Text:
A shell command injection flaw was found in the way setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use this flaw to execute arbitrary code with root privileges.
Clone Of:
Last Closed: 2016-06-22 09:09:48 UTC


Links:
Red Hat Product Errata RHSA-2016:1267 (normal, SHIPPED_LIVE): Important: setroubleshoot and setroubleshoot-plugins security update, last updated 2016-06-22 01:24:18 UTC

Description Tomas Hoger 2016-05-24 10:49:55 UTC
It was discovered that sealert executed external fix commands using commands.getstatusoutput() without properly sanitizing untrusted inputs used as command arguments.  These inputs originated from SELinux AVC messages.  A local user could use this flaw to execute arbitrary code as root if they could trigger an SELinux denial using a file with a specially crafted name.

The use of commands.getstatusoutput() was already removed upstream via the following commit:


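The following is an added illustration of the pattern the description refers to, not the upstream commit and not setroubleshoot's own code. It uses a constructed AVC-style file name and a hypothetical "fix command" (Python echoing back its first argument, standing in for the real tool) to contrast a shell-interpolated command string with an argv list and with shlex-quoted interpolation.

```python
import shlex
import subprocess
import sys

# Constructed sample: a file name as it could appear in an SELinux AVC record.
# Only the ';' matters here; the trailing command is a harmless echo.
UNTRUSTED_PATH = "/tmp/report; echo INJECTED"

# Hypothetical fix command: prints back exactly one argument.  Python itself
# stands in for the real tool so that the example runs on any host.
ECHO_CODE = "import sys; print(sys.argv[1])"
ECHO_ARGV = [sys.executable, "-c", ECHO_CODE]


def run_with_shell_string(path):
    """The pre-3.2.23 pattern: interpolate the AVC-derived path into a command
    string and hand it to the shell.  subprocess.getstatusoutput is the
    Python 3 name for Python 2's commands.getstatusoutput; both run the string
    through /bin/sh -c, so shell metacharacters in `path` are interpreted."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable), shlex.quote(ECHO_CODE), path)
    _status, output = subprocess.getstatusoutput(cmd)
    return output


def run_with_argv(path):
    """Hardened form: an argv list and no shell.  `path` is delivered to the
    child as exactly one argument, whatever characters it contains."""
    proc = subprocess.run(ECHO_ARGV + [path], capture_output=True, text=True, check=False)
    return proc.stdout.rstrip("\n")


def run_with_quoted_string(path):
    """If a shell string is unavoidable, shlex.quote() turns the untrusted
    value into a single shell word before interpolation."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable), shlex.quote(ECHO_CODE), shlex.quote(path))
    _status, output = subprocess.getstatusoutput(cmd)
    return output


if __name__ == "__main__":
    print("shell string :", repr(run_with_shell_string(UNTRUSTED_PATH)))
    print("argv list    :", repr(run_with_argv(UNTRUSTED_PATH)))
    print("quoted string:", repr(run_with_quoted_string(UNTRUSTED_PATH)))
```

With the shell-string variant the output is two lines (the path, then "INJECTED"), because the shell ran a second command; the argv and quoted variants return the path unchanged.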
Comment 1 Tomas Hoger 2016-05-24 10:53:36 UTC

Name: Red Hat Product Security

Comment 8 Tomas Hoger 2016-06-21 11:36:48 UTC
Lifting embargo.

Comment 9 errata-xmlrpc 2016-06-21 21:24:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1267 https://access.redhat.com/errata/RHSA-2016:1267

Comment 10 Tomas Hoger 2016-06-22 09:04:59 UTC
This issue was fixed upstream in version 3.2.23.  The setroubleshoot packages in Red Hat Enterprise Linux 7 were updated from version 3.2.17 to version 3.2.24 via RHBA-2015:2287, released as part of Red Hat Enterprise Linux 7.2.


Therefore, this issue was corrected in that update.
