Dan Kenigsberg of Red Hat reports:
Description of problem:
In numerous places, ovirt-node puts an input string on a command line without safely quoting it. With this, whoever controls the input string may gain complete control of the host.
For example, http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=src/ovirtnode/ovirtfunctions.py;h=caef7ef019ca12b49aa3c030792538956fb4caad;hb=e11e02cd9256c854dd0419515097637d6829b4f1#l1091
"ls '%s'" % filename
is not going to end up well if the filename is actually "bla\'; rm -fr /; echo \'". pipes.quote() or its like must be used on such occasions.
It may be safer to disallow shell=True completely (but that would require avoiding in-shell pipes).
Version-Release number of selected component (if applicable):
So this vulnerability is actually only exposed to authenticated attackers or attackers with physical access, both of which would allow them to do much worse things.
This issue affects the versions of ovirt-node as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created ovirt-node tracking bugs for this issue:
Affects: fedora-all [bug 1199392]
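The quoting problem from the report above, as an added example that is not part of the original report or of ovirt-node's code: it runs the reported "ls '%s'" pattern beside a quoted form, a no-shell argv form, and an in-shell pipe rebuilt without shell=True. The filename is constructed and carries a harmless echo marker, the function names are hypothetical, and shlex.quote() is the Python 3 name for pipes.quote().

```python
import shlex
import subprocess

# Constructed input: same shape as the filename in the report, but the
# injected command is only a harmless echo marker.
HOSTILE_NAME = "bla'; echo INJECTED; echo '"


def ls_unquoted(filename):
    """Pattern from the report: input interpolated into a shell string."""
    cmd = "ls '%s'" % filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def ls_quoted(filename):
    """Still goes through a shell, but the input is escaped as one word."""
    cmd = "ls -- %s" % shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def ls_argv(filename):
    """No shell at all: the input is a single argv element."""
    return subprocess.run(["ls", "--", filename],
                          capture_output=True, text=True)


def ls_count_lines(filename):
    """Equivalent of `ls NAME | wc -l` with the pipe built in Python."""
    ls = subprocess.Popen(["ls", "--", filename],
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    wc = subprocess.Popen(["wc", "-l"], stdin=ls.stdout,
                          stdout=subprocess.PIPE, text=True)
    ls.stdout.close()  # so wc sees EOF when ls exits
    out = wc.communicate()[0]
    ls.wait()
    return out.strip()


def injected(result):
    """True if the marker command ran, i.e. the input escaped its quotes."""
    return "INJECTED" in result.stdout


if __name__ == "__main__":
    for fn in (ls_unquoted, ls_quoted, ls_argv):
        print(fn.__name__, "injected:", injected(fn(HOSTILE_NAME)))
    print("ls | wc -l without a shell:", ls_count_lines(HOSTILE_NAME))
```

The `--` stops ls from treating a filename that begins with `-` as an option, which quoting alone does not prevent.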