This just made public upstream:
Prevent potential directory traversal with malicious EC2 image tarballs,
by making sure the tarfile is safe before unpacking it. Fixes bug 894755
Prevent potential directory traversal with malicious file names in
EC2 image manifests. Fixes bug 885167
Created openstack-nova tracking bugs for this issue
Affects: fedora-16 [bug 767251]
openstack-nova-2011.3-13.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.