Dan Kenigsberg of Red Hat reports: Description of problem: In numerous places, ovirt-node puts an input string on a command line, without safely quoting it. With this, whoever controls the input string may gain complete control on the host. For example, http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=src/ovirtnode/ovirtfunctions.py;h=caef7ef019ca12b49aa3c030792538956fb4caad;hb=e11e02cd9256c854dd0419515097637d6829b4f1#l1091 "ls '%s'" % filename is not going to end up well if the filename is actually "bla\'; rm -fr /; echo \'". pipes.quote() or its like must be used in such occasions. It may be safer to disallow shell=True completely (but would require to avoid in-shell pipes). Version-Release number of selected component (if applicable): ovirt-node-3.0.0-474-gb852fd7
So this vulnerability is actually only exposed to authenticated attackers or attackers with physical access, both of which would allow them to do much worse things.
Statement: This issue affects the versions of ovirt-node as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created ovirt-node tracking bugs for this issue: Affects: fedora-all [bug 1199392]