Local users can obtain root access because setuid programs are misconfigured. This affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools.
We do not compile shadow-utils with --with-libpam option.
This issue only affects the shadow-utils package when compiled with the "with-libpam" option. The shadow-utils package, as shipped by Red Hat, is not compiled with that option and is therefore not affected by this flaw.