Dan Kenigsberg of Red Hat reports:
Description of problem:
In numerous places, ovirt-node puts an input string on a command line, without safely quoting it. With this, whoever controls the input string may gain complete control on the host.
For example, http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=src/ovirtnode/ovirtfunctions.py;h=caef7ef019ca12b49aa3c030792538956fb4caad;hb=e11e02cd9256c854dd0419515097637d6829b4f1#l1091
"ls '%s'" % filename
is not going to end up well if the filename is actually "bla\'; rm -fr /; echo \'". pipes.quote() or its like must be used in such occasions.
It may be safer to disallow shell=True completely (but would require to avoid in-shell pipes).
Version-Release number of selected component (if applicable):
ovirt-node-3.0.0-474-gb852fd7
So this vulnerability is actually only exposed to authenticated attackers or attackers with physical access, both of which would allow them to do much worse things.
Statement:
This issue affects the versions of ovirt-node as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.