Bug 1154608

Summary: freecad: potential remote code execution when opening DXF files
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: hobbes1069, john, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20141011,reported=20141020,source=debian,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-20/freecad=affected,epel-6/freecad=affected,cwe=CWE-295
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-25 21:22:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1154609, 1154610    
Bug Blocks:    

Description Vasyl Kaigorodov 2014-10-20 10:03:22 UTC
It was reported [1] that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the
network, from https. This uses urllib2, which does not check https 
certificates. The files that are downloaded occur when attempting to 
activate non-present module features, such as via opening a DXF file.
This can allow Man-in-the-Middle attack, leading to code execution.

Upstream patch is at [2].

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764814
[2]: https://github.com/FreeCAD/FreeCAD_sf_master/commit/bd1bbff874f5e5a86f4308aa2f840cbd64a77b77

Comment 1 Vasyl Kaigorodov 2014-10-20 10:03:50 UTC
Created freecad tracking bugs for this issue:

Affects: fedora-20 [bug 1154609]
Affects: epel-6 [bug 1154610]

Comment 2 Richard Shaw 2014-11-17 20:38:29 UTC
This has been fixed upstream for release 0.15 but the fix is not easily ported to the current 0.14 release. Can we call this "fixed"?

Comment 3 Richard Shaw 2015-05-25 21:22:31 UTC
0.15 has been updated for rawhide and f22. Due to a library conflict f20 and f21 cannot be updated to 0.15.

Comment 4 Fedora Update System 2015-06-10 19:14:48 UTC
freecad-0.15-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.