Bug#764814: freecad downloads and executes code
D Haley
mycae at gmx.com
Sat Oct 11 12:53:26 UTC 2014
Subject: freecad: Downloads and executes code
Package: freecad
Version: 0.14.3702+dfsg-2
Severity: important
Dear Maintainer,
As per discussions with the security team, I am marking the severity as
grave.
Freecad downloads and executes code (e.g. ArchCommands.py) from the
network, over https. This uses urllib2, which does not check https
certificates. The downloads occur when attempting to activate
non-present module features, such as by opening a DXF file.
Sample session console output:
DXF libraries not found. Downloading...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfColorMap.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfImportObjects.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfLibrary.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfReader.py ...
I believe arbitrary code could be (theoretically) injected into these
downloads, then executed. I am not an expert in such matters, and have
not attempted to do so, so please review this for actual vulnerability
(I may be wrong, and this could be mitigated in some other way).
I would hazard that this vulnerability would be minor, due to the
low-ish user base of freecad who are opening dxf files on untrusted
networks.
The file in question I believe to be:
freecad-0.14.3702+dfsg/src/Mod/Arch/ArchCommands.py
I further note that urllib is referenced in the following files:
$ find ./ -type f -name \* -exec grep -H "urllib" {} \; | grep urlopen
./Tools/wiki2qhelp.py:from urllib2 import urlopen, HTTPError
./Tools/generateBase/generateDS.py: implFile = urllib2.urlopen(implUrl)
./Tools/generateBase/generateDS.py:## implFile = urllib2.urlopen(implUrl)
./Mod/Arch/ArchCommands.py: response = urllib2.urlopen(url)
./Mod/Start/StartPage/StartPage.py: xml = parse(urllib.urlopen(url)).getroot()
Looking at generateDS.py, this may also be affected. I do not believe
StartPage.py is affected within the scope of this bug.
Thanks!
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages freecad depends on:
ii libboost-filesystem1.55.0 1.55.0+dfsg-2
ii libboost-program-options1.55.0 1.55.0+dfsg-3
ii libboost-regex1.55.0 1.55.0+dfsg-2
ii libboost-signals1.55.0 1.55.0+dfsg-3
ii libboost-system1.55.0 1.55.0+dfsg-2
ii libboost-thread1.55.0 1.55.0+dfsg-2
ii libc6 2.19-7
ii libcoin80 3.1.4~abc9f50-7
ii libfreeimage3 3.15.4-3+b2
ii libfreetype6 2.5.2-1
ii libgcc1 1:4.9.0-7
ii libgfortran3 4.9.0-7
ii libgl1-mesa-glx [libgl1] 10.2.4-1
ii libglu1-mesa [libglu1] 9.0.0-2
ii libice6 2:1.0.9-1
ii liboce-foundation8 0.15-4
ii liboce-modeling8 0.15-4
ii liboce-ocaf-lite8 0.15-4
ii liboce-ocaf8 0.15-4
ii liboce-visualization8 0.15-4
ii libpyside1.2 1.2.2-1+b1
ii libpython2.7 2.7.8-3
ii libqt4-network 4:4.8.6+git49-gbc62005+dfsg-1
ii libqt4-opengl 4:4.8.6+git49-gbc62005+dfsg-1
ii libqt4-svg 4:4.8.6+git49-gbc62005+dfsg-1
ii libqt4-xml 4:4.8.6+git49-gbc62005+dfsg-1
ii libqt4-xmlpatterns 4:4.8.6+git49-gbc62005+dfsg-1
ii libqtcore4 4:4.8.6+git49-gbc62005+dfsg-1
ii libqtgui4 4:4.8.6+git49-gbc62005+dfsg-1
ii libqtwebkit4 2.2.1-7
ii libquadmath0 4.9.0-7
ii libshiboken1.2 1.2.2-1+b1
ii libsm6 2:1.2.2-1
ii libsoqt4-20 1.6.0~e8310f-1
ii libspnav0 0.2.2-1
ii libstdc++6 4.9.0-7
ii libx11-6 2:1.6.2-2
ii libxerces-c3.1 3.1.1-5
ii libxext6 2:1.3.2-1
ii libzipios++0c2a 0.1.5.9+cvs.2007.04.28-5.1
ii python-collada 0.4-2
ii python-matplotlib 1.3.1-2
ii python-pivy 0.5.0~v609hg-3
ii python-ply 3.4-3
ii python-pyside 1.2.2-1
ii python2.7 2.7.8-3
pn python:any <none>
ii zlib1g 1:1.2.8.dfsg-1
freecad recommends no packages.
Versions of packages freecad suggests:
pn freecad-doc <none>
-- no debconf information
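The report describes a bare urllib2.urlopen(url) on Python 2.7 (no certificate or hostname check) whose result is then executed. The following is an added example, not FreeCAD's code or part of the report, showing the defender-side fix: verified TLS via ssl.create_default_context() plus a pinned SHA-256 of each module file, so content that does not match a reviewed digest is never written or imported. SAMPLE_MODULE, PINNED_DIGESTS, check_download and fetch_module are constructed for this example; the pinned digest is computed from the constructed sample only to keep the example self-contained.

```python
# Added example (not FreeCAD's code): the download-then-execute pattern from
# the report, rewritten so the content is verified before anything is run.
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed stand-in for a downloaded module file and its reviewed digest.
# In a real fix the packager pins the digest of a file they have reviewed;
# computing it from the sample here only keeps the example self-contained.
SAMPLE_MODULE = b"# dxfColorMap.py (constructed sample)\ncolors = {1: 'red'}\n"
PINNED_DIGESTS = {"dxfColorMap.py": hashlib.sha256(SAMPLE_MODULE).hexdigest()}


def make_tls_context():
    """Context that verifies the server certificate chain and hostname,
    which the report's urllib2.urlopen(url) on Python 2.7 did not do."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_download(url, data, pinned_digests):
    """Classify a candidate download. Returns 'ok' only when the source is
    HTTPS and the bytes match the pinned SHA-256 for that file name."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "non-https"
    name = parsed.path.rsplit("/", 1)[-1]
    expected = pinned_digests.get(name)
    if expected is None:
        return "unknown-module"      # nothing was reviewed under this name
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "digest-mismatch"     # tampered in transit, or upstream changed
    return "ok"


def fetch_module(url, pinned_digests, opener=None):
    """Download url and return its bytes only if check_download says 'ok'.
    Raises ValueError otherwise; the caller decides whether to import it."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing non-HTTPS source: " + url)  # checked before any network I/O
    if opener is None:
        def opener(u):
            with urllib.request.urlopen(u, context=make_tls_context(), timeout=30) as r:
                return r.read()
    data = opener(url)
    status = check_download(url, data, pinned_digests)
    if status != "ok":
        raise ValueError("%s for %s; not installing" % (status, url))
    return data
```

The opener parameter exists so the verification logic can be exercised offline against constructed bytes; with the default opener the function performs the real HTTPS fetch.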