Bug 526090 - <media-gfx/freecad-0.15.4671: potential remote code execution when opening DXF files
Summary: <media-gfx/freecad-0.15.4671: potential remote code execution when opening DX...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-20 14:53 UTC by Agostino Sarubbo
Modified: 2016-03-23 06:30 UTC (History)
1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-10-20 14:53:09 UTC
From ${URL} :

It was reported [1] that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the network, from https. This uses urllib2, which does not check https certificates. The downloads occur when attempting to activate non-present module features, such as via opening a DXF file. This can allow a Man-in-the-Middle attack, leading to code execution.

Upstream patch is at [2].

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764814
[2]: https://github.com/FreeCAD/FreeCAD_sf_master/commit/bd1bbff874f5e5a86f4308aa2f840cbd64a77b77


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
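The report above describes two defects in the download step: the TLS certificate is never verified, and whatever bytes arrive are executed. The following is an added example, not FreeCAD's code and not the upstream patch, showing the hardened shape a defender would want for such a fetch: a verifying SSL context plus a pinned SHA-256 digest of the expected file, so a substituted payload is rejected before anything is executed. The function names, the `fake_opener` stand-in, the placeholder host `example.invalid` and the two constructed module bodies are all assumptions made for this example.

```python
"""Hardened counterpart to the pattern in the bug report (illustrative, not FreeCAD's code).

The vulnerable shape described in the report (Python 2 era) looks roughly like:

    import urllib2
    src = urllib2.urlopen("https://host/ArchCommands.py").read()   # no cert check
    exec(src)                                                      # runs whatever arrived

Below, fetch_verified() verifies the server certificate and hostname and refuses
content whose SHA-256 does not match a pinned digest.
"""
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable


class IntegrityError(Exception):
    """Raised when downloaded content does not match the pinned digest."""


def verified_context() -> ssl.SSLContext:
    """TLS context that checks the chain against the system CA store and the hostname."""
    ctx = ssl.create_default_context()
    # These are already the defaults of create_default_context(); stated for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_digest(data: bytes, expected_sha256: str) -> bytes:
    """Return data if its SHA-256 equals the pinned hex digest, otherwise raise."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    return data


def fetch_verified(url: str, expected_sha256: str,
                   opener: Callable = urllib.request.urlopen,
                   max_bytes: int = 1 << 20) -> bytes:
    """Download url over verified TLS and check it against a pinned digest.

    `opener` is injectable (assumption for this example) so the logic can be
    exercised offline; the default is urllib.request.urlopen with a verifying context.
    """
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch code over a non-TLS URL")
    with opener(url, context=verified_context(), timeout=10) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise IntegrityError("response larger than allowed")
    return check_digest(data, expected_sha256)


# Constructed sample inputs: a "genuine" helper module and a substituted one.
GENUINE = b"def activate_feature():\n    return 'dxf import ready'\n"
TAMPERED = b"def activate_feature():\n    return 'not what was pinned'\n"
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def fake_opener(body: bytes):
    """Offline stand-in for urllib.request.urlopen (constructed for this demo)."""
    class _Resp:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

        def read(self, n=-1):
            return body if n < 0 else body[:n]

    def opener(url, context=None, timeout=None):
        # The real urlopen would verify the peer with this context; here we only
        # check that the caller actually passed a verifying one.
        if context is None or context.verify_mode != ssl.CERT_REQUIRED:
            raise AssertionError("opener called without a verifying SSL context")
        return _Resp()
    return opener


def demo() -> dict:
    """Exercise the three outcomes: genuine accepted, tampered rejected, plain http refused."""
    url = "https://example.invalid/ArchCommands.py"  # placeholder host
    out = {"genuine_ok": fetch_verified(url, GENUINE_SHA256, fake_opener(GENUINE)) == GENUINE}
    try:
        fetch_verified(url, GENUINE_SHA256, fake_opener(TAMPERED))
        out["tampered_rejected"] = False
    except IntegrityError:
        out["tampered_rejected"] = True
    try:
        fetch_verified("http://example.invalid/ArchCommands.py", GENUINE_SHA256, fake_opener(GENUINE))
        out["plain_http_rejected"] = False
    except ValueError:
        out["plain_http_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Certificate verification only closes the interception path the report names; pinning the digest is what stops a changed file from being accepted, and even then the caller still has to decide whether executing downloaded code at all is acceptable, which is the point Comment 1 raises.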
Comment 1 genbug 2015-04-29 09:09:43 UTC
Despite the fact that it's not even checking the cert., shouldn't this package be hard-masked for plain stupidity?

Runtime downloading and execution of code behind the user's back is really not acceptable. 

If I wanted that sort of thing I'd be running MS operating systems.
Comment 2 Konstantin Münning 2015-11-05 21:29:17 UTC
I'm not sure about the version this bug depends on, but with default options current FreeCAD (0.15.4671) is asking for permission to download the missing filter. Only if set so in preferences would it download without asking. So at least it's not behind the user's back. I don't know if the certificate checking is OK now; I could not verify, as it does not respect system proxy settings, but that may be (also) urllib2's fault.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 06:58:18 UTC
This was fixed in 0.15 as previously mentioned and confirmed here:

https://github.com/FreeCAD/FreeCAD/commit/bd1bbff874f5e5a86f4308aa2f840cbd64a77b77

@maintainer, please clean up the vulnerable versions.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 22:51:17 UTC
Tree has been cleaned by maintainer.