Bug#764814: freecad downloads and executes code

D Haley mycae at gmx.com
Sat Oct 11 12:53:26 UTC 2014


Subject: freecad: Downloads and executes code
Package: freecad
Version: 0.14.3702+dfsg-2
Severity: important

Dear Maintainer,

As per discussions with the security team, I am marking the severity as 
grave.

Freecad downloads and executes code (e.g. ArchCommands.py) from the
network, from https. This uses urllib2, which does not check https 
certificates. The files that are downloaded occur when attempting to 
activate non-present module features, such as via opening a DXF file.

Sample session console output:
DXF libraries not found. Downloading...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfColorMap.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfImportObjects.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfLibrary.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfReader.py ...


I believe arbitrary code could be (theoretically) injected into these
downloads, then executed. I am not an expert in such matters, and have
not attempted to do so, so please review this for actual vulnerability 
(I may be wrong, and this could be mitigated in some other way).

I would hazard that this vulnerability would be minor, due to the 
low-ish user base of freecad who are opening dxf files on untrusted 
networks.

The file in question I believe to be:
freecad-0.14.3702+dfsg/src/Mod/Arch/ArchCommands.py

I further note that urllib is referenced in the following files:

$ find ./ -type f -name \* -exec grep -H "urllib" {} \; | grep urlopen
./Tools/wiki2qhelp.py:from urllib2 import urlopen, HTTPError
./Tools/generateBase/generateDS.py:            implFile = urllib2.urlopen(implUrl)
./Tools/generateBase/generateDS.py:##            implFile = urllib2.urlopen(implUrl)
./Mod/Arch/ArchCommands.py:        response = urllib2.urlopen(url)
./Mod/Start/StartPage/StartPage.py:    xml = parse(urllib.urlopen(url)).getroot()

Looking at generateDS.py, this may also be affected. I do not believe 
StartPage.py is affected in the scope of this bug.

Thanks!


-- System Information:
Debian Release: jessie/sid
   APT prefers testing-updates
   APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages freecad depends on:
ii  libboost-filesystem1.55.0       1.55.0+dfsg-2
ii  libboost-program-options1.55.0  1.55.0+dfsg-3
ii  libboost-regex1.55.0            1.55.0+dfsg-2
ii  libboost-signals1.55.0          1.55.0+dfsg-3
ii  libboost-system1.55.0           1.55.0+dfsg-2
ii  libboost-thread1.55.0           1.55.0+dfsg-2
ii  libc6                           2.19-7
ii  libcoin80                       3.1.4~abc9f50-7
ii  libfreeimage3                   3.15.4-3+b2
ii  libfreetype6                    2.5.2-1
ii  libgcc1                         1:4.9.0-7
ii  libgfortran3                    4.9.0-7
ii  libgl1-mesa-glx [libgl1]        10.2.4-1
ii  libglu1-mesa [libglu1]          9.0.0-2
ii  libice6                         2:1.0.9-1
ii  liboce-foundation8              0.15-4
ii  liboce-modeling8                0.15-4
ii  liboce-ocaf-lite8               0.15-4
ii  liboce-ocaf8                    0.15-4
ii  liboce-visualization8           0.15-4
ii  libpyside1.2                    1.2.2-1+b1
ii  libpython2.7                    2.7.8-3
ii  libqt4-network                  4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-opengl                   4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-svg                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xml                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xmlpatterns              4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtcore4                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtgui4                       4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtwebkit4                    2.2.1-7
ii  libquadmath0                    4.9.0-7
ii  libshiboken1.2                  1.2.2-1+b1
ii  libsm6                          2:1.2.2-1
ii  libsoqt4-20                     1.6.0~e8310f-1
ii  libspnav0                       0.2.2-1
ii  libstdc++6                      4.9.0-7
ii  libx11-6                        2:1.6.2-2
ii  libxerces-c3.1                  3.1.1-5
ii  libxext6                        2:1.3.2-1
ii  libzipios++0c2a                 0.1.5.9+cvs.2007.04.28-5.1
ii  python-collada                  0.4-2
ii  python-matplotlib               1.3.1-2
ii  python-pivy                     0.5.0~v609hg-3
ii  python-ply                      3.4-3
ii  python-pyside                   1.2.2-1
ii  python2.7                       2.7.8-3
pn  python:any                      <none>
ii  zlib1g                          1:1.2.8.dfsg-1

freecad recommends no packages.

Versions of packages freecad suggests:
pn  freecad-doc  <none>

-- no debconf information
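As an added example that is not part of this bug report or of FreeCAD's own code, the following Python 3 snippet shows the mitigation a defender would want in place of the bare urllib2.urlopen(url) pattern quoted above: fetch only over a certificate-validating TLS context, and refuse to write or import the downloaded module unless its SHA-256 digest matches a value pinned in the application. The URL, module contents and pinned digest below are constructed placeholders, and the fetcher is injectable so the demonstration runs without network access.

```python
"""Added example (not FreeCAD's code): fetch a remote module only over a
verified TLS connection and accept it only if its SHA-256 digest matches a
value that shipped with the application, never one fetched alongside it."""
import hashlib
import ssl
import urllib.request


class UntrustedDownload(Exception):
    """Raised when a download fails the transport or integrity checks."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch_over_verified_tls(url, timeout=30):
    # create_default_context() validates the certificate chain and the
    # hostname; the report's urllib2.urlopen(url) on Python 2 did neither.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def download_module(url, expected_sha256, fetcher=fetch_over_verified_tls):
    """Return the module bytes only if they match the pinned digest."""
    if not url.startswith("https://"):
        raise UntrustedDownload("refusing non-HTTPS source: %s" % url)
    data = fetcher(url)
    actual = sha256_hex(data)
    if actual != expected_sha256:
        # Nothing is written to disk or imported on a mismatch: a modified
        # file in transit is exactly the case the bug report describes.
        raise UntrustedDownload("digest mismatch for %s: %s" % (url, actual))
    return data


# Offline demonstration with constructed inputs (no network involved).
GOOD_MODULE = b"# constructed stand-in for dxfColorMap.py\nCOLORS = {}\n"
TAMPERED_MODULE = b"# constructed modified copy\nCOLORS = {'injected': 1}\n"
PINNED = sha256_hex(GOOD_MODULE)  # in practice this value ships with the app


def demo():
    url = "https://example.invalid/dxfColorMap.py"  # placeholder URL
    accepted = download_module(url, PINNED, fetcher=lambda u: GOOD_MODULE)
    try:
        download_module(url, PINNED, fetcher=lambda u: TAMPERED_MODULE)
        tampered_rejected = False
    except UntrustedDownload:
        tampered_rejected = True
    return accepted == GOOD_MODULE, tampered_rejected


if __name__ == "__main__":
    print(demo())
```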