Your message dated Fri, 24 Oct 2014 21:21:05 +0000
with message-id <e1xhmid-0001qy...@franck.debian.org>
and subject line Bug#764814: fixed in freecad 0.14.3702+dfsg-3
has caused the Debian Bug report #764814,
regarding freecad downloads and executes code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
764814: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764814
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: freecad: Downloads and executes code
Package: freecad
Version: 0.14.3702+dfsg-2
Severity: important

Dear Maintainer,

As per discussions with the security team, I am marking the severity as grave.

Freecad downloads and executes code (e.g. ArchCommands.py) from the
network, from https. This uses urllib2, which does not check https certificates. The files that are downloaded occur when attempting to activate non-present module features, such as via opening a DXF file.

Sample session console output:
DXF libraries not found. Downloading...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfColorMap.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfImportObjects.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfLibrary.py ...
downloading https://raw.github.com/yorikvanhavre/Draft-dxf-importer/master/dxfReader.py ...


I believe arbitrary code could be (theoretically) injected into these
downloads, then executed. I am not an expert in such matters, and have
not attempted to do so, so please review this for actual vulnerability (I may be wrong, and this could be mitigated in some other way).

I would hazard that this vulnerability would be minor, due to the low-ish user base of freecad who are opening dxf files on untrusted networks.

The file in question I believe to be: freecad-0.14.3702+dfsg/src/Mod/Arch/ArchCommands.py

I further note that urllib is referenced in the following files:

$ find ./ -type f -name \* -exec grep -H "urllib" {} \; | grep urlopen
./Tools/wiki2qhelp.py:from urllib2 import urlopen, HTTPError
./Tools/generateBase/generateDS.py: implFile = urllib2.urlopen(implUrl)
./Tools/generateBase/generateDS.py:## implFile = urllib2.urlopen(implUrl)
./Mod/Arch/ArchCommands.py:        response = urllib2.urlopen(url)
./Mod/Start/StartPage/StartPage.py: xml = parse(urllib.urlopen(url)).getroot()

Looking at generateDS.py, this may also be affected. I do not believe StartPage.py is affected in the scope of this bug.

Thanks!


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages freecad depends on:
ii  libboost-filesystem1.55.0       1.55.0+dfsg-2
ii  libboost-program-options1.55.0  1.55.0+dfsg-3
ii  libboost-regex1.55.0            1.55.0+dfsg-2
ii  libboost-signals1.55.0          1.55.0+dfsg-3
ii  libboost-system1.55.0           1.55.0+dfsg-2
ii  libboost-thread1.55.0           1.55.0+dfsg-2
ii  libc6                           2.19-7
ii  libcoin80                       3.1.4~abc9f50-7
ii  libfreeimage3                   3.15.4-3+b2
ii  libfreetype6                    2.5.2-1
ii  libgcc1                         1:4.9.0-7
ii  libgfortran3                    4.9.0-7
ii  libgl1-mesa-glx [libgl1]        10.2.4-1
ii  libglu1-mesa [libglu1]          9.0.0-2
ii  libice6                         2:1.0.9-1
ii  liboce-foundation8              0.15-4
ii  liboce-modeling8                0.15-4
ii  liboce-ocaf-lite8               0.15-4
ii  liboce-ocaf8                    0.15-4
ii  liboce-visualization8           0.15-4
ii  libpyside1.2                    1.2.2-1+b1
ii  libpython2.7                    2.7.8-3
ii  libqt4-network                  4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-opengl                   4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-svg                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xml                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqt4-xmlpatterns              4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtcore4                      4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtgui4                       4:4.8.6+git49-gbc62005+dfsg-1
ii  libqtwebkit4                    2.2.1-7
ii  libquadmath0                    4.9.0-7
ii  libshiboken1.2                  1.2.2-1+b1
ii  libsm6                          2:1.2.2-1
ii  libsoqt4-20                     1.6.0~e8310f-1
ii  libspnav0                       0.2.2-1
ii  libstdc++6                      4.9.0-7
ii  libx11-6                        2:1.6.2-2
ii  libxerces-c3.1                  3.1.1-5
ii  libxext6                        2:1.3.2-1
ii  libzipios++0c2a                 0.1.5.9+cvs.2007.04.28-5.1
ii  python-collada                  0.4-2
ii  python-matplotlib               1.3.1-2
ii  python-pivy                     0.5.0~v609hg-3
ii  python-ply                      3.4-3
ii  python-pyside                   1.2.2-1
ii  python2.7                       2.7.8-3
pn  python:any                      <none>
ii  zlib1g                          1:1.2.8.dfsg-1

freecad recommends no packages.

Versions of packages freecad suggests:
pn  freecad-doc  <none>

-- no debconf information

--- End Message ---
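The report above names two separate weaknesses in the auto-download path: the urllib2 call did not verify the server's certificate, and whatever bytes came back were executed. The following is an added example, not code from the bug report, from FreeCAD or from the Debian package, showing the two checks a defender would put in front of any such download: a verifying TLS context and a pinned SHA-256 digest, both evaluated before the content is ever compiled. It assumes Python 3 (urllib.request and ssl.create_default_context rather than the urllib2 on the page); the host example.invalid, the SAMPLE_MODULE bytes and the digest computed from them are constructed placeholders, and the fetch callable is injectable only so the logic runs offline.

```python
"""Fail-closed fetcher for downloaded helper modules (added example)."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample standing in for a downloaded helper such as dxfColorMap.py;
# not the real file.
SAMPLE_MODULE = (
    b"# constructed sample module\n"
    b"def dxf_color(index):\n"
    b"    return {0: 'black', 1: 'red'}.get(index, 'unknown')\n"
)

# A real deployment records this pin at packaging time; here it is computed
# from the constructed sample so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(SAMPLE_MODULE).hexdigest()


class IntegrityError(Exception):
    """Raised when downloaded content does not match its pinned digest."""


def _https_fetch(url, timeout=30):
    """Fetch with certificate and hostname verification.

    create_default_context() sets CERT_REQUIRED and check_hostname=True,
    which is the verification the page's urllib2.urlopen call lacked.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def verified_download(url, expected_sha256, fetch=_https_fetch):
    """Return the bytes at url only if the transport and content checks pass."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("refusing non-https URL: %r" % url)
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare of the hex digests.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(
            "digest mismatch for %s: expected %s, got %s"
            % (url, expected_sha256, actual)
        )
    return data


def load_helper(url, expected_sha256, fetch=_https_fetch):
    """Fetch and verify, then (and only then) compile the helper into a namespace.

    Returns the namespace dict. If verification fails, nothing is executed.
    """
    source = verified_download(url, expected_sha256, fetch)
    namespace = {}
    exec(compile(source, "<verified helper>", "exec"), namespace)
    return namespace


if __name__ == "__main__":
    url = "https://example.invalid/dxfColorMap.py"  # placeholder host
    ns = load_helper(url, PINNED_SHA256, fetch=lambda u: SAMPLE_MODULE)
    print(ns["dxf_color"](1))
    try:
        load_helper(url, PINNED_SHA256, fetch=lambda u: SAMPLE_MODULE + b"x = 1\n")
    except IntegrityError as exc:
        print("rejected:", exc)
```

The pin is what makes the download trustworthy regardless of what the network does: a certificate check only authenticates the server, while the digest ties the bytes to what the packager reviewed. The fix that actually shipped in 0.14.3702+dfsg-3 took the simpler route of disabling the automatic download altogether, which removes the attack surface rather than guarding it; the checks above are what a project would need if it chose to keep such a feature.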
--- Begin Message ---
Source: freecad
Source-Version: 0.14.3702+dfsg-3

We believe that the bug you reported is fixed in the latest version of
freecad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 764...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gl...@debian.org> (supplier of updated freecad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 24 Oct 2014 18:59:03 +0200
Source: freecad
Binary: freecad freecad-dev freecad-doc
Architecture: source amd64 all
Version: 0.14.3702+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Anton Gladky <gl...@debian.org>
Description:
 freecad    - Extensible Open Source CAx program (alpha)
 freecad-dev - FreeCAD development files
 freecad-doc - FreeCAD documentation
Closes: 764814
Changes:
 freecad (0.14.3702+dfsg-3) unstable; urgency=medium
 .
   [ Yorik van Havre ]
   * [9ddbf15] Disable automatic DXF library download. (Closes: #764814)
Checksums-Sha1:
 e1754fbaa507c380ddc18f1e8d5e7020abf29c0a 2913 freecad_0.14.3702+dfsg-3.dsc
 a64a037a358f0c86a5a6f4b430cec9d305f66741 287652 freecad_0.14.3702+dfsg-3.debian.tar.xz
 f7c87dc70890fc9527f531fb6ecb08259ca176ad 13520072 freecad_0.14.3702+dfsg-3_amd64.deb
 2644141b5ab8ca9fc3ca28a9889b4678bdf9a349 30956 freecad-dev_0.14.3702+dfsg-3_amd64.deb
 5cd7735d80cda8d6dce208801e191dbcb152a4a1 41839600 freecad-doc_0.14.3702+dfsg-3_all.deb
Checksums-Sha256:
 ca6993626f48251c35c2e9a3ace8215ac98c410cd6970d3d83a0a6e06661842b 2913 freecad_0.14.3702+dfsg-3.dsc
 f61d8025a1ee6aa7e1b5e22b2719d6abd0a1f04d532ca52cfcdc04794af5c264 287652 freecad_0.14.3702+dfsg-3.debian.tar.xz
 90265b476cdec5f502acf443f30086733d7e11b0f132cda28d5726bc05464d14 13520072 freecad_0.14.3702+dfsg-3_amd64.deb
 c8caf3521f8a559c8d8255c0402724cf016eb00cfc4f8e5019478098c6bb6fcd 30956 freecad-dev_0.14.3702+dfsg-3_amd64.deb
 a9dcd2404a426924a1b124d0f3d99dda18eb2451ffc59c59b132c102dcc1287e 41839600 freecad-doc_0.14.3702+dfsg-3_all.deb
Files:
 ec6d46e06d8960ebc2f596ed17732000 2913 science extra freecad_0.14.3702+dfsg-3.dsc
 36587b7990ada7e03b1de96759ae321e 287652 science extra freecad_0.14.3702+dfsg-3.debian.tar.xz
 d15cc15d96743dcff02243dccc4cbe6b 13520072 science extra freecad_0.14.3702+dfsg-3_amd64.deb
 d3d635f05938932b76dae78e2840c049 30956 libdevel extra freecad-dev_0.14.3702+dfsg-3_amd64.deb
 98ee22137c3ca6e3179c1e6bf092b20c 41839600 doc extra freecad-doc_0.14.3702+dfsg-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUSrUhAAoJENPhc4PPp/8GlI4P/jZjJukMvWWrtAcfeF9TjSik
cswisIJzCRJ8Y4SkCFrfGvjSUIQibqPF/83+2LNP5/8XYB6IrssLd/GBubIX5YTu
LDhOKge28lJQJLMPGAmb7CBFN1VX/+cbFCqbhq5GbwW70EGfdIyPAobOp+knDswl
x6PO8bgKYpSyJjTe8Bb6trXsLLWPwY7IUL4s2JtejhUNKkyXgMOpm61jb9+7eC4a
aweNmkG3LA4rwU3rm7IK5w0/sc3a2WDSRKfeZ3/gibQreeZxhY0OyvJdS/aKUbdW
IJEbJJA7r2Z3pApyMRyotg8yvjfs2veIDg0bLIgSbEkw9QuzGeSDCrkx3hO04l8C
GkWVGOGSBV8eF9jBsxlUDyiFEbNg+OylFslGR24ADK7h6KFTY5maklYMOhEshVAI
YAzN+3cDNCqmWDOLjqQ3cqvXDZ2I70rCMTEFPBD79lAbxRazxerltLJCv7iZ70j4
jD/iMOsKw4VWvyrQN2EoEUtCnsZe8Qkg/bl1ZJNMIpdOrLd2SEXwdcL35r79QcjP
zbZ+yET//whPx5zxKk5HA86/31cdulDKNuqWM9j8VUikBZyv06sesEgWtEejyli1
jL9ir4vBfGC0MZmHAryQWVrYgDCn3Fm3PHKyoLvWBbhYeEXRc3n35izzH8oe5vx3
bug1pzLlvHORFkwoLr4O
=4RGa
-----END PGP SIGNATURE-----

--- End Message ---
-- 
debian-science-maintainers mailing list
debian-science-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers