Bug 1154608 - freecad: potential remote code execution when opening DXF files
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1154609 1154610
Blocks:
Reported: 2014-10-20 10:03 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-25 21:22:31 UTC
Embargoed:



Description Vasyl Kaigorodov 2014-10-20 10:03:22 UTC
It was reported [1] that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the network, over HTTPS. This uses urllib2, which does not check HTTPS certificates. The files are downloaded when attempting to activate non-present module features, such as via opening a DXF file. This can allow a Man-in-the-Middle attack, leading to code execution.

Upstream patch is at [2].

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764814
[2]: https://github.com/FreeCAD/FreeCAD_sf_master/commit/bd1bbff874f5e5a86f4308aa2f840cbd64a77b77
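The following is an added example, not FreeCAD's code and not the upstream patch in [2]: a hardened way to fetch a Python source file before loading it, combining verified TLS with a pinned digest so that content altered in transit is rejected. It uses Python 3's `urllib.request` in place of `urllib2`; the names `PINNED_SHA256`, `strict_tls_context`, `https_get`, `verify_payload` and `fetch_module`, and the pinned file content, are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Constructed pin: SHA-256 of the file content a maintainer reviewed.
# Both the file content and the resulting digest are sample values.
PINNED_SHA256 = {
    "ArchCommands.py": hashlib.sha256(b"print('reviewed')\n").hexdigest(),
}


def strict_tls_context():
    """Return a TLS context that validates the chain and the host name."""
    ctx = ssl.create_default_context()
    # Fail loudly if a later edit ever turns verification off.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS certificate verification is disabled")
    return ctx


def https_get(url):
    """Default transport: HTTPS GET with certificate verification."""
    with urllib.request.urlopen(url, context=strict_tls_context(), timeout=30) as resp:
        return resp.read()


def verify_payload(name, data):
    """Return data only if it matches the digest pinned for name."""
    expected = PINNED_SHA256.get(name)
    if expected is None:
        raise ValueError("no pinned digest for " + name)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("digest mismatch for " + name)
    return data


def fetch_module(url, name, transport=https_get):
    """Fetch a module source file; the caller loads it only on success."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    return verify_payload(name, transport(url))
```

The `transport` parameter exists so the integrity check can be exercised offline with constructed bytes; production callers leave it at the default.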

Comment 1 Vasyl Kaigorodov 2014-10-20 10:03:50 UTC
Created freecad tracking bugs for this issue:

Affects: fedora-20 [bug 1154609]
Affects: epel-6 [bug 1154610]

Comment 2 Richard Shaw 2014-11-17 20:38:29 UTC
This has been fixed upstream for release 0.15 but the fix is not easily ported to the current 0.14 release. Can we call this "fixed"?

Comment 3 Richard Shaw 2015-05-25 21:22:31 UTC
0.15 has been updated for rawhide and f22. Due to a library conflict f20 and f21 cannot be updated to 0.15.

Comment 4 Fedora Update System 2015-06-10 19:14:48 UTC
freecad-0.15-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

