Subject: freecad: Downloads and executes code
Package: freecad
Version: 0.14.3702+dfsg-2
Severity: important

Dear Maintainer,

As per discussions with the security team, I am marking the severity as grave.

Freecad downloads and executes code (e.g. ArchCommands.py) from the network, over https. This uses urllib2, which does not check https certificates. The downloads occur when attempting to activate features of a module that is not present, such as when opening a DXF file.

Sample session console output:
DXF libraries not found. Downloading...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfColorMap.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfImportObjects.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfLibrary.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfReader.py ...


I believe arbitrary code could be (theoretically) injected into these
downloads, then executed. I am not an expert in such matters, and have
not attempted to do so, so please review this for actual vulnerability (I may be wrong, and this could be mitigated in some other way).

I would hazard that this vulnerability would be minor, due to the low-ish user base of freecad who are opening dxf files on untrusted networks.

The file in question I believe to be: freecad-0.14.3702+dfsg/src/Mod/Arch/ArchCommands.py

I further note that urllib is referenced in the following files:

$ find ./ -type f -name \* -exec grep -H "urllib" {} \; | grep urlopen
./Tools/wiki2qhelp.py:from urllib2 import urlopen, HTTPError
./Tools/generateBase/generateDS.py: implFile = urllib2.urlopen(implUrl)
./Tools/generateBase/generateDS.py:## implFile = urllib2.urlopen(implUrl)
./Mod/Arch/ArchCommands.py:        response = urllib2.urlopen(url)
./Mod/Start/StartPage/StartPage.py: xml = parse(urllib.urlopen(url)).getroot()

Looking at generateDS.py, this may also be affected. I do not believe StartPage.py is affected within the scope of this bug.

Thanks!


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages freecad depends on:
ii  libboost-filesystem1.55.0       1.55.0+dfsg-2
ii  libboost-program-options1.55.0  1.55.0+dfsg-3
ii  libboost-regex1.55.0            1.55.0+dfsg-2
ii  libboost-signals1.55.0          1.55.0+dfsg-3
ii  libboost-system1.55.0           1.55.0+dfsg-2
ii  libboost-thread1.55.0           1.55.0+dfsg-2
ii  libc6                           2.19-7
ii  libcoin80                       3.1.4~abc9f50-7
ii  libfreeimage3                   3.15.4-3+b2
ii  libfreetype6                    2.5.2-1
ii  libgcc1                         1:4.9.0-7
ii  libgfortran3                    4.9.0-7
ii  libgl1-mesa-glx [libgl1]        10.2.4-1
ii  libglu1-mesa [libglu1]          9.0.0-2
ii  libice6                         2:1.0.9-1
ii  liboce-foundation8              0.15-4
ii  liboce-modeling8                0.15-4
ii  liboce-ocaf-lite8               0.15-4
ii  liboce-ocaf8                    0.15-4
ii  liboce-visualization8           0.15-4
ii  libpyside1.2                    1.2.2-1+b1
ii  libpython2.7                    2.7.8-3
ii  libqt4-network                  4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-opengl                   4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-svg                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xml                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xmlpatterns              4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtcore4                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtgui4                       4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtwebkit4                    2.2.1-7
ii  libquadmath0                    4.9.0-7
ii  libshiboken1.2                  1.2.2-1+b1
ii  libsm6                          2:1.2.2-1
ii  libsoqt4-20                     1.6.0~e8310f-1
ii  libspnav0                       0.2.2-1
ii  libstdc++6                      4.9.0-7
ii  libx11-6                        2:1.6.2-2
ii  libxerces-c3.1                  3.1.1-5
ii  libxext6                        2:1.3.2-1
ii  libzipios++0c2a                 0.1.5.9+cvs.2007.04.28-5.1
ii  python-collada                  0.4-2
ii  python-matplotlib               1.3.1-2
ii  python-pivy                     0.5.0~v609hg-3
ii  python-ply                      3.4-3
ii  python-pyside                   1.2.2-1
ii  python2.7                       2.7.8-3
pn  python:any                      <none>
ii  zlib1g                          1:1.2.8.dfsg-1

freecad recommends no packages.

Versions of packages freecad suggests:
pn  freecad-doc  <none>

-- no debconf information

--
debian-science-maintainers mailing list
debian-science-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers
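The report's core point is that urllib2.urlopen fetched code with no certificate verification and no integrity check before it was executed. The following is an added example (not FreeCAD's code) of how such a downloader can be hardened: verified TLS via ssl.create_default_context() plus a pinned SHA-256 digest that is checked before anything is written to disk. The function names, the PINNED_DIGESTS table and its digest value are hypothetical placeholders.

```python
"""Hardened replacement for a 'download a .py, then import it' helper.

Added example for this bug report, not FreeCAD's own code.  Two defences
the urllib2 pattern in the report lacks: TLS certificate verification and
a pinned SHA-256 digest checked before the file is written anywhere Python
could import it from.  Names and digests here are hypothetical placeholders.
"""
import hashlib
import os
import ssl
import urllib.request

# Placeholder: a real deployment pins the sha256 of the exact file versions
# it shipped and tested with.  An unknown pin means "refuse to install".
PINNED_DIGESTS = {
    "dxfLibrary.py": "<sha256 of the vetted dxfLibrary.py>",
}


class UntrustedDownload(Exception):
    """Raised when a download cannot be verified; nothing is written."""


def verify_payload(name, data, pinned=PINNED_DIGESTS):
    """Return the hex digest of `data` if it matches the pin for `name`."""
    expected = pinned.get(name)
    if expected is None:
        raise UntrustedDownload("no pinned digest for %s; refusing" % name)
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise UntrustedDownload("%s: sha256 %s != pinned %s" % (name, actual, expected))
    return actual


def fetch_verified(url, name, dest_dir, pinned=PINNED_DIGESTS, timeout=30):
    """Fetch `url` over verified TLS, check the pin, then write to dest_dir."""
    if not url.startswith("https://"):
        raise UntrustedDownload("refusing non-HTTPS url %s" % url)
    # create_default_context() verifies the chain and the hostname; the
    # urllib2.urlopen call in the report verified neither.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    verify_payload(name, data, pinned)  # raises before anything touches disk
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Pinning means a compromised or spoofed server can at worst cause the download to be refused, not run; the cost is that updating the remote file requires shipping a new pin.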
