Jeremy Choi of Red Hat reports:
Attackers, with normal user privilege, are able to do OS command injection
with *root* by leveraging a downloadable cartridge where its source-URL
scheme is 'file'.
In cartridge_repository.rb:

    532  when 'file' == uri.scheme
    533    entries = Dir.glob(PathUtils.join(uri.path, '*'), File::FNM_DOTMATCH)
    534    filesystem_copy(entries, target, %w(. ..))
    ...
    609    Utils.oo_spawn("/bin/cp -ad #{entries.join(' ')} #{target}",
    610                   expected_exitstatus: 0)
OpenShift Origin copies the directory structure from the user-specified
cartridge when an application is created via a 'file' scheme source. Due to
this, attackers are able to add an arbitrary directory with system commands
(e.g. ;reboot;) to their apps and pass it to cp, resulting in an OS command
injection attack with root privileges.
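The root cause above is that directory names from the cartridge are interpolated into a single shell command string, so a name containing ';' ends the cp command and starts a new one. The Ruby snippet below is an added illustration, not OpenShift Origin's own code: it reconstructs the interpolating pattern, puts the two hardened forms beside it (an argv array that never touches a shell, and Shellwords escaping where a shell string is unavoidable), and includes a small check that flags entries carrying shell metacharacters. The entry names, the target path and the function names are constructed for this example.

```ruby
require 'shellwords'

# Constructed sample input: one ordinary entry and one whose *name* carries
# shell metacharacters, as a cartridge from a 'file' source could supply.
SAMPLE_ENTRIES = ['/tmp/cart/bin', '/tmp/cart/dir;echo injected;data'].freeze
TARGET = '/var/lib/openshift/app'.freeze

# Reconstruction of the vulnerable pattern described in the report: entries
# are joined into one string that is later handed to a shell. A ';' inside an
# entry name is parsed by the shell as a command separator.
def interpolated_command(entries, target)
  "/bin/cp -ad #{entries.join(' ')} #{target}"
end

# Hardened form 1: argv array. Passing this to Process.spawn / system with
# multiple arguments execs /bin/cp directly; no shell ever sees the names, so
# ';' is just a byte in a filename.
def argv_command(entries, target)
  ['/bin/cp', '-ad', *entries, target]
end

# Hardened form 2: if a single command string is required by the caller,
# escape every word so the shell treats each one as a literal.
def escaped_command(entries, target)
  Shellwords.join(['/bin/cp', '-ad', *entries, target])
end

# Defensive check usable at ingest time or in a review script: any entry that
# would break out of a shell word is returned for rejection or logging.
SHELL_META = /[;&|`$<>(){}\n\\"' ]/.freeze

def unsafe_entries(entries)
  entries.select { |e| e.match?(SHELL_META) }
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated (vulnerable): #{interpolated_command(SAMPLE_ENTRIES, TARGET)}"
  puts "argv (no shell):           #{argv_command(SAMPLE_ENTRIES, TARGET).inspect}"
  puts "escaped (shell-safe):      #{escaped_command(SAMPLE_ENTRIES, TARGET)}"
  puts "flagged entries:           #{unsafe_entries(SAMPLE_ENTRIES).inspect}"
  # To actually copy, call: system(*argv_command(SAMPLE_ENTRIES, TARGET))
end
```

The argv form is the one to prefer: `system(*argv_command(entries, target))` or `Process.spawn(*argv_command(entries, target))` never invokes a shell, so escaping cannot be forgotten. Escaping is the fallback when an API such as a spawn helper only accepts a string.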