The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.
Bug report: https://bugzilla.suse.com/show_bug.cgi?id=910500
Upstream patch: https://github.com/mapcollab/mdadm/commit/979b1feb093b1c2e0f8b58716329f2da092741d4
The mdcheck script was added to mdadm in upstream version 3.3.1, and it was fixed via the commit linked above in upstream version 3.3.3.
Affected upstream versions of mdadm were included in Red Hat Enterprise Linux 6.7, 7.1, and 7.2. However, in the Red Hat Enterprise Linux mdadm packages, the mdcheck script is only included in the /usr/share/doc/mdadm* directory and is not installed executable. Therefore, it is not used by default, and is not expected to be commonly used.