Bug 1194745 (CVE-2014-8170) - CVE-2014-8170 ovirt-node: unsafe quoting in command lines
Summary: CVE-2014-8170 ovirt-node: unsafe quoting in command lines
Alias: CVE-2014-8170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1099135 1199392
Blocks: 1194751
TreeView+ depends on / blocked
Reported: 2015-02-20 16:42 UTC by Kurt Seifried
Modified: 2021-02-17 05:37 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-06 06:06:28 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2015-02-20 16:42:17 UTC
Dan Kenigsberg of Red Hat reports:

Description of problem:
In numerous places, ovirt-node puts an input string on a command line, without safely quoting it. With this, whoever controls the input string may gain complete control on the host.

For example, http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=src/ovirtnode/ovirtfunctions.py;h=caef7ef019ca12b49aa3c030792538956fb4caad;hb=e11e02cd9256c854dd0419515097637d6829b4f1#l1091

 "ls '%s'" % filename

is not going to end up well if the filename is actually "bla\'; rm -fr /; echo \'". pipes.quote() or its like must be used in such occasions.

It may be safer to disallow shell=True completely (but would require to avoid in-shell pipes).

Version-Release number of selected component (if applicable):

Comment 1 Kurt Seifried 2015-03-06 06:01:15 UTC
So this vulnerability is actually only exposed to authenticated attackers or attackers with physical access, both of which would allow them to do much worse things.

Comment 2 Kurt Seifried 2015-03-06 06:06:28 UTC

This issue affects the versions of ovirt-node as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 3 Kurt Seifried 2015-03-06 06:08:41 UTC
Created ovirt-node tracking bugs for this issue:

Affects: fedora-all [bug 1199392]

Note You need to log in before you can comment on or make changes to this bug.