Bug#764814: freecad downloads and executes code
D Haley
mycae at gmx.com
Sat Oct 11 21:48:47 UTC 2014
Hi, and thanks for the quick response.
I was unaware of the licensing issue - I don't really have an opinion on
the licensing problem, but more the technical issue of unsigned code
execution. Whilst you/upstream control the resource, freecad doesn't
confirm that the download actually comes from said resource - python
will not check this.
An attacker can intercept the https initial handshake and impersonate
the resource, as no signatures are checked. This is not hard if they
control the network (eg public wifi/fake access point).
I think there are several possible solutions, in varying orders of
difficulty:
* Hard-code a given .py git identifier, then check the download's SHA1 or
SHA1 _and_ MD5 after the download. Hard-code the matching SHA1 in the
freecad sources. Convert the url stream into a binary stream and pass it
to python's SHA1 module, then check the result. The downside is of
course, this is not upgradeable.
* Implement certificate checking in the freecad source, by locating and
finding the debian certificates, parsing them and checking the
provider's validity (pretty hard? I'm no python guru, but I understand
the next python release will include certificate validation). Upgrades
remain, but more complex.
Slightly less serious suggestions:
* Change freecad to use a different dxf backend (eg librecad's internal
(BSD))
* Change licence ;)
Thanks!
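The two mitigations proposed in the message above (a pinned hash of the downloaded .py file, and TLS certificate validation of the download itself) combined in one Python function. This is an added example, not FreeCAD's code and not part of the original report: the URL is hypothetical, the script body and its pinned digest are constructed inline so the example runs offline, and SHA-256 is used in place of the SHA1/MD5 the message mentions. Certificate and hostname validation come from `ssl.create_default_context()`, which loads the platform trust store (the Debian ca-certificates bundle) and is what Python 2.7.9 / 3.4.3 and later also apply by default under PEP 476.

```python
"""Verify a downloaded script against a pinned digest before executing it.

Added example, not FreeCAD's own code. DOWNLOAD_URL is hypothetical and the
script body below is constructed so the check can be exercised offline.
"""
import hashlib
import hmac
import ssl
import urllib.request

# Hypothetical location of the remote .py file (never fetched in the test).
DOWNLOAD_URL = "https://example.invalid/dxf_backend.py"

# Constructed sample of the bytes the application expects to download.
EXPECTED_SCRIPT = b"def hello():\n    return 'dxf backend'\n"

# The pinned digest would be a hard-coded literal in the application's
# sources; it is derived from the sample here only to keep the example
# self-contained.
PINNED_SHA256 = hashlib.sha256(EXPECTED_SCRIPT).hexdigest()


def verify_pinned_hash(data: bytes, expected_hex: str) -> bool:
    """Return True only if `data` hashes to the pinned SHA-256 digest.

    compare_digest avoids a timing side channel on the comparison; the
    digest itself is what prevents a substituted file from being accepted.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def fetch_verified(url: str, expected_hex: str, timeout: float = 30.0) -> bytes:
    """Download `url` over TLS with certificate + hostname validation, then
    refuse to hand the body back unless it matches the pinned digest.

    An attacker who intercepts the TLS handshake on a hostile network cannot
    present a certificate chaining to a trusted CA for this hostname, so the
    connection fails; even if the transport were downgraded or mis-verified,
    a tampered body still fails the pinned-hash check.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    if not verify_pinned_hash(data, expected_hex):
        raise ValueError("downloaded file does not match pinned digest")
    return data


def load_script(data: bytes, expected_hex: str) -> dict:
    """Execute downloaded code only after the pinned-hash check passes.

    Returns the module namespace so callers can pick out the backend's
    functions. Unverified bytes never reach compile()/exec().
    """
    if not verify_pinned_hash(data, expected_hex):
        raise ValueError("refusing to execute unverified code")
    namespace: dict = {}
    exec(compile(data, "<downloaded>", "exec"), namespace)
    return namespace


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; fetch_verified() would
    # be used in place of EXPECTED_SCRIPT when a real URL is available.
    ns = load_script(EXPECTED_SCRIPT, PINNED_SHA256)
    print(ns["hello"]())
    try:
        load_script(EXPECTED_SCRIPT + b"# tampered\n", PINNED_SHA256)
    except ValueError as exc:
        print("rejected:", exc)
```

The pinning trade-off the message points out still holds: every upstream change to the .py file requires a new digest in the application's sources, so the hash is best paired with a versioned identifier (the git object id the message suggests) so that an outdated pin fails loudly rather than silently accepting an older file.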