CVE-2016-4445 – setroubleshoot: insecure use of commands.getstatusoutput in sealert
https://notcve.org/view.php?id=CVE-2016-4445
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.

A shell command injection flaw was found in the way setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use this flaw to execute arbitrary code with root privileges.

References:
• http://seclists.org/oss-sec/2016/q2/575
• http://www.securityfocus.com/bid/91430
• http://www.securitytracker.com/id/1036144
• https://bugzilla.redhat.com/show_bug.cgi?id=1339183
• https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7
• https://rhn.redhat.com/errata/RHSA-2016-1267.html
• https://access.redhat.com/security/cve/CVE-2016-4445

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-4444 – setroubleshoot-plugins: insecure commands.getstatusoutput use in the allow_execmod plugin
https://notcve.org/view.php?id=CVE-2016-4444
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.

A shell command injection flaw was found in the way the setroubleshoot allow_execmod plugin executed external commands. A local attacker able to trigger an execmod SELinux denial could use this flaw to execute arbitrary code with root privileges.

References:
• http://seclists.org/oss-sec/2016/q2/575
• http://www.securityfocus.com/bid/91476
• http://www.securitytracker.com/id/1036144
• https://access.redhat.com/errata/RHSA-2016:1293
• https://bugzilla.redhat.com/show_bug.cgi?id=1332644
• https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5
• https://rhn.redhat.com/errata/RHSA-2016-1267.html
• https://access.redhat.com/security/cve/CVE-2016-4444

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-1815 – Fedora 21 setroubleshootd 3.2.22 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2015-1815
The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name.

It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.

References:
• https://www.exploit-db.com/exploits/36564
• http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154427.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154444.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154147.html
• http://rhn.redhat.com/errata/RHSA-2015-0729.html
• http://www.openwall.com/lists/oss-security/2015/03/26/1
• http://www.osvdb.org/119966
• http://www.securityfocus.com/bid/73374
• https://bugzilla.redhat.com/

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2007-5495 – setroubleshoot insecure logging
https://notcve.org/view.php?id=CVE-2007-5495
sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file.

References:
• http://secunia.com/advisories/30339
• http://securitytracker.com/id?1020077
• http://www.redhat.com/support/errata/RHSA-2008-0061.html
• http://www.securityfocus.com/bid/29320
• https://bugzilla.redhat.com/show_bug.cgi?id=288221
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42591
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9705
• https://access.redhat.com/security/cve/CVE-2007-5495

CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2007-5496 – setroubleshoot log injection
https://notcve.org/view.php?id=CVE-2007-5496
Cross-site scripting (XSS) vulnerability in setroubleshoot 2.0.5 allows local users to inject arbitrary web script or HTML via a crafted (1) file or (2) process name, which triggers an Access Vector Cache (AVC) log entry in a log file used during composition of HTML documents for sealert.

References:
• http://secunia.com/advisories/30339
• http://securitytracker.com/id?1020078
• http://www.redhat.com/support/errata/RHSA-2008-0061.html
• http://www.securityfocus.com/bid/29324
• https://bugzilla.redhat.com/show_bug.cgi?id=288271
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42592
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10455
• https://access.redhat.com/security/cve/CVE-2007-5496

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')