CVE-2016-4470 – kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
https://notcve.org/view.php?id=CVE-2016-4470
The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command. La función key_reject_and_link en security/keys/key.c en el kernel de Linux hasta la versión 4.6.3 no asegura que cierta estructura de datos esté inicializada, lo que permite a usuarios locales provocar una denegación de servicio (caída del sistema) a través de vectores involucrando un comando keyctl request2 manipulado. A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.html http://lists.opensuse.org • CWE-253: Incorrect Check of Function Return Value •
CVE-2016-4445 – setroubleshoot: insecure use of commands.getstatusoutput in sealert
https://notcve.org/view.php?id=CVE-2016-4445
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function. La función fix_lookup_id en sealert en setroubleshoot en versiones anteriores a 3.2.23 permite a los usuarios locales ejecutar comandos arbitrarios como root activando una denegación de SELinux con un nombre de archivo manipulado, relacionado con la ejecución de comandos externos con la función commands.getstatusoutput. A shell command injection flaw was found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use this flaw to execute arbitrary code with root privileges. • http://seclists.org/oss-sec/2016/q2/575 http://www.securityfocus.com/bid/91430 http://www.securitytracker.com/id/1036144 https://bugzilla.redhat.com/show_bug.cgi?id=1339183 https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7 https://rhn.redhat.com/errata/RHSA-2016-1267.html https://access.redhat.com/security/cve/CVE-2016-4445 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2016-4446 – setroubleshoot-plugins: insecure commands.getoutput use in the allow_execstack plugin
https://notcve.org/view.php?id=CVE-2016-4446
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function. El complemento allow_execstack para setroubleshoot permite a los usuarios locales ejecutar comandos arbitrarios al activar una denegación SELinux de execstack con un nombre de archivo manipulado, relacionado con la función commands.getoutput. A shell command injection flaw was found in the way the setroubleshoot allow_execstack plugin executed external commands. A local attacker able to trigger an execstack SELinux denial could use this flaw to execute arbitrary code with root privileges. • http://seclists.org/oss-sec/2016/q2/575 http://www.securityfocus.com/bid/91427 http://www.securitytracker.com/id/1036144 https://access.redhat.com/errata/RHSA-2016:1293 https://bugzilla.redhat.com/show_bug.cgi?id=1339250 https://github.com/fedora-selinux/setroubleshoot/commit/eaccf4c0d20a27d3df5ff6de8c9dcc80f6f40718 https://rhn.redhat.com/errata/RHSA-2016-1267.html https://access.redhat.com/security/cve/CVE-2016-4446 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2016-4989 – setroubleshoot: command injection issues
https://notcve.org/view.php?id=CVE-2016-4989
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445. Setroubleshoot permite a los usuarios locales evitar un mecanismo de protección de contenedor previsto y ejecutar comandos arbitrarios al activar una denegación de SELinux con un nombre de archivo manipulado, que es manejado por la función _set_tpath en audit_data.py oa través de un (2) local_id o ( 3) campo analysis_id en un documento XML manipulado a la función run_fix en SetroubleshootFixit.py, relacionado con las funciones subprocess.check_output y commands.getstatusoutput, una vulnerabilidad diferente de CVE-2016-4445. Shell command injection flaws were found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use these flaws to execute arbitrary code with root privileges. • http://seclists.org/oss-sec/2016/q2/574 http://securitytracker.com/id/1036144 https://access.redhat.com/errata/RHSA-2016:1293 https://bugzilla.redhat.com/show_bug.cgi?id=1346461 https://github.com/fedora-selinux/setroubleshoot/commit/dda55aa50db95a25f0d919c3a0d5871827cdc40f https://github.com/fedora-selinux/setroubleshoot/commit/e69378d7e82a503534d29c5939fa219341e8f2ad https://rhn.redhat.com/errata/RHSA-2016-1267.html https://access.redhat.com/security/cve/CVE-2016-4989 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2016-4444 – setroubleshoot-plugins: insecure commands.getstatusoutput use in the allow_execmod plugin
https://notcve.org/view.php?id=CVE-2016-4444
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function. El complemento allow_execmod para setroubleshoot en versiones anteriores a 3.2.23 permite a los usuarios locales ejecutar comandos arbitrarios al activar una denegación de SELinux de execmod con un nombre de archivo binario manipulado, relacionado con la función commands.getstatusoutput. A shell command injection flaw was found in the way the setroubleshoot allow_execmod plugin executed external commands. A local attacker able to trigger an execmod SELinux denial could use this flaw to execute arbitrary code with root privileges. • http://seclists.org/oss-sec/2016/q2/575 http://www.securityfocus.com/bid/91476 http://www.securitytracker.com/id/1036144 https://access.redhat.com/errata/RHSA-2016:1293 https://bugzilla.redhat.com/show_bug.cgi?id=1332644 https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5 https://rhn.redhat.com/errata/RHSA-2016-1267.html https://access.redhat.com/security/cve/CVE-2016-4444 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •