Red Hat Bugzilla – Bug 1011616
CVE-2013-4367 ovirt-engine: some config files left world-writable due to improper use of os.chmod()
Last modified: 2014-03-27 04:47:42 EDT
It was found that ovirt-engine would create certain files world-writable (such as /etc/sysconfig/nfs). This is due to an upstream kernel change which impacts how Python's os.chmod() works when passed a mode of '-1'. Prior to this kernel change, a mode of '-1' would have implied "do nothing"; however, with the upstream kernel change this will turn all possible bits on (thus making the file world-writable).
As a result, this only affects ovirt-engine (or other Python scripts using os.chmod() in this way) with newer Linux kernels (version 3.1 and newer).
This has been in upstream git to fix permissions on installations that upgrade from 3.2. In 3.3, the entire setup package was rewritten and the copyFile() function (from common_utils.py, where this os.chmod() call is made) has been removed. As a result, this only affects ovirt-engine 3.2 running on a Linux kernel 3.1+.
This issue was discovered by Yedidyah Bar David of Red Hat.
Not vulnerable. This issue did not affect Red Hat Enterprise Virtualization Manager 3.
Created ovirt-engine tracking bugs for this issue:
Affects: fedora-all [bug 1011619]
Another fix noted here: http://gerrit.ovirt.org/#/c/19557/
Can we close this? In 3.3 setup was re-written without using this -1 magic.
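The failure mode described in this bug, as an added example that is not ovirt-engine's code: a copy helper that uses `None` instead of `-1` to mean "leave the mode alone" and rejects any mode outside the permission bits, plus a check that lists world-writable regular files. The names `copy_file`, `world_writable` and `demo`, and the sample file names, are hypothetical; the world-writable file is constructed with an explicit 0o666 to stand in for the result of the bug.

```python
import os
import shutil
import stat
import tempfile

PERM_MASK = 0o7777  # rwx for user/group/other plus setuid, setgid, sticky


def copy_file(src, dst, mode=None):
    """Copy src to dst; mode=None keeps the copied mode, never a magic -1."""
    if mode is not None:
        if isinstance(mode, bool) or not isinstance(mode, int):
            raise ValueError("mode must be an int or None")
        if mode < 0 or mode > PERM_MASK:
            # -1 lands here instead of reaching os.chmod()
            raise ValueError("mode out of range: %r" % (mode,))
    shutil.copy(src, dst)  # copies content and permission bits
    if mode is not None:
        os.chmod(dst, mode)
    return stat.S_IMODE(os.stat(dst).st_mode)


def world_writable(paths):
    """Return the regular files in paths that have the other-write bit set."""
    hits = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(path)
    return hits


def demo():
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "nfs.src")  # constructed sample file
        with open(src, "w") as f:
            f.write("# constructed sample config\n")
        os.chmod(src, 0o644)
        kept = copy_file(src, os.path.join(d, "kept"))
        fixed = copy_file(src, os.path.join(d, "fixed"), 0o600)
        try:
            copy_file(src, os.path.join(d, "bad"), -1)
            rejected = False
        except ValueError:
            rejected = True
        leaked = os.path.join(d, "leaked")  # stands in for the bug's result
        shutil.copy(src, leaked)
        os.chmod(leaked, 0o666)
        found = world_writable(os.path.join(d, n) for n in sorted(os.listdir(d)))
        return kept, fixed, rejected, [os.path.basename(p) for p in found]
```

On a host that ran the affected setup, `world_writable()` can be pointed at the configuration files the installer copies, such as /etc/sysconfig/nfs.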