Description
* Shell command injection flaws were found in the way setroubleshoot
executed external commands. A local attacker able to trigger certain SELinux
denials could use these flaws to execute arbitrary code with privileges of the
setroubleshoot user. (CVE-2016-4989)
* Shell command injection flaws were found in the way the setroubleshoot
allow_execmod and allow_execstack plugins executed external commands. A local
attacker able to trigger an execmod or execstack SELinux denial could use these
flaws to execute arbitrary code with privileges of the setroubleshoot user.
(CVE-2016-4444, CVE-2016-4446)
The CVE-2016-4444 and CVE-2016-4446 issues were discovered by Milos Malik (Red
Hat) and the CVE-2016-4989 issue was discovered by Red Hat Product Security.
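
The flaw class described above, as an added illustration (this is not setroubleshoot's code and is not part of the advisory): a file name taken from a denial is handed to an external command first as a shell string, then quoted, then as an argument vector. `basename` stands in for whatever external command a plugin runs, the file name is a constructed sample, and the function names are hypothetical.

```python
import shlex
import subprocess

# Constructed sample: an attacker-chosen file name, as it could reach a plugin
# through the path recorded in a denial. It contains shell metacharacters.
SAMPLE_PATH = "/tmp/lib.so; echo INJECTED"


def run_shell_string(path):
    """'Before' pattern: untrusted text pasted into a shell command line."""
    # The shell parses the whole string, so ';' starts a second command.
    cmd = "basename -- %s" % path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_shell_quoted(path):
    """Stopgap when a shell is unavoidable: quote the value with shlex.quote."""
    cmd = "basename -- %s" % shlex.quote(path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(path):
    """Hardened pattern: argument vector, no shell involved."""
    # Each list element reaches the program as one argument, whatever it
    # contains; '--' keeps a name starting with '-' from being read as an option.
    argv = ["basename", "--", path]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (run_shell_string, run_shell_quoted, run_argv):
        print(fn.__name__, repr(fn(SAMPLE_PATH)))
```

Only the first form lets the file name change which commands run; the other two pass it through as a single argument.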