Bug 1609820

Summary: Unquoted Service Paths Windows guest tools
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sandro Bonazzola <sbonazzo>
Component: rhev-guest-tools
Assignee: Lev Veyde <lveyde>
Status: CLOSED NOTABUG
QA Contact: Petr Matyáš <pmatyas>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.2.5
CC: bugs, dfediuck, didi, lsurette, lsvaty, mkenneth, pstehlik, srevivo, tburke
Target Milestone: ovirt-4.2.6
Keywords: TestOnly
Target Release: ---
Hardware: x86_64
OS: Windows
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1609779
Environment:
Last Closed: 2018-08-09 15:32:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sandro Bonazzola 2018-07-30 14:42:55 UTC
An issue with unquoted binary paths has been reported upstream.
We need to check if downstream is affected too since the upstream and downstream installers use different technologies.



+++ This bug was initially created as a clone of Bug #1609779 +++

Description of problem:
This was reported by a community user, and examined with the SRT representative to be a hardening issue and not a security issue.

The services ovirt installs don't have quoted binary paths, as you can see below.

  OVirtGuestService : C:\Program Files (x86)\oVirt Guest Tools\OVirtGuestService.exe
  vdservice : C:\Program Files (x86)\oVirt Guest Tools\64\vdservice.exe
  BalloonService : C:\Program Files (x86)\oVirt Guest Tools\drivers\Balloon\2k12r2\amd64\blnsvr.exe

Version-Release number of selected component (if applicable):
ovirt-guest-tools-iso-4.2-1.el7.centos

Actual results:
Unquoted path with space for guest binaries.

Expected results:
Quoted path being used.

Additional info:
For more information you can take a look at https://www.commonexploits.com/unquoted-service-paths/ and http://cwe.mitre.org/data/definitions/428.html

Comment 1 Petr Matyáš 2018-08-09 11:21:42 UTC
Using RHEV-Tools 4.2.6 I can see that all services have quoted binary paths.

Comment 2 Sandro Bonazzola 2018-08-09 15:32:38 UTC
(In reply to Petr Matyáš from comment #1)
> Using RHEV-Tools 4.2.6 I can see that all services have quoted binary paths.

Thanks, nothing to be done then. Closing as not a bug.
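
The verification described in comment 1, as an added example that is not part of the original bug report or of the oVirt/RHEV tooling: a PowerShell function that flags a service binary path as unquoted when it does not start with a quote and its executable portion contains a space (CWE-428). The function name and the two extra sample entries are constructed for illustration; the three service paths are the ones quoted in the description.

```powershell
# Added example: audit helper for unquoted service binary paths (CWE-428).
# Test-UnquotedServicePath is a hypothetical name, not an oVirt or Windows cmdlet.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()

    # A path that starts with a double quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return $false }

    # Only the executable portion matters: arguments after ".exe" may
    # legitimately contain spaces (e.g. "svchost.exe -k netsvcs").
    $m   = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }

    return $exe.Contains(' ')
}

# Sample input: the first three values are the paths from the bug description;
# the last two are constructed to show the non-flagged cases.
$samples = [ordered]@{
    'OVirtGuestService' = 'C:\Program Files (x86)\oVirt Guest Tools\OVirtGuestService.exe'
    'vdservice'         = 'C:\Program Files (x86)\oVirt Guest Tools\64\vdservice.exe'
    'BalloonService'    = 'C:\Program Files (x86)\oVirt Guest Tools\drivers\Balloon\2k12r2\amd64\blnsvr.exe'
    'QuotedExample'     = '"C:\Program Files (x86)\oVirt Guest Tools\OVirtGuestService.exe"'
    'NoSpaceExample'    = 'C:\Windows\system32\svchost.exe -k netsvcs'
}

foreach ($name in $samples.Keys) {
    [pscustomobject]@{
        Service  = $name
        Unquoted = Test-UnquotedServicePath $samples[$name]
        PathName = $samples[$name]
    }
}

# On a live guest, audit the installed services instead of the samples:
# Get-CimInstance Win32_Service |
#     Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
#     Select-Object Name, StartMode, PathName
```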