View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003295||FreeCAD||Bug||public||2018-01-01 23:14||2018-12-24 12:58|
|Target Version||0.17||Fixed in Version||0.17|
|Summary||0003295: Windows version of FreeCad 0.16 and 0.17 is shipped with Python <=2.7.13 that has a critical security vulnerability|
|Description||The Windows packages of FreeCad 0.16 stable and 0.17_pre are shipped with a Python version that is vulnerable to a critical security vulnerability.|
Here is the CERT CVE-2017-1000158 report:
The vulnerability is fixed in Python 2.7.14.
I highly recommend to create a new Windows package of FreeCad 0.16 shipping with a new version of Python >= 2.7.14.
I also recommend to the developers to subscribe to one of the CERT mailings-lists. That way you will be always get informed about new security vulnerabilities related to Python. Some of the CERT mailings-lists also allow it to filter the CERT reports by application name.
That may affect many Linux distributions as well...
Seems like affected python packages in Ubuntu versions have been patched already. https://usn.ubuntu.com/usn/usn-3496-1/
||Yorik has nothing to do with Windows packaging; for Linux distros, we have no choice but to trust them to patch this vulnerability (which assuredly was done by Ubuntu and Debian). @sgrogan should be informed as well, he is the Windows packager.|
On Win this requires building Python from scratch. I've never done this, or really know where to start. I'll reach out to @peterl94.
I'll leave to @wmayer if this should block the 0.17 release.
||Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.|
||If I remember correctly, the config has to be patched in addition to upgrading the 2010 project to work with VS2013.|
Thanks Peter! I'm hoping for binary compatibility with 2.7.x
I haven't looked yet, but did you use CLBundler for Python?
Yes, I did. I changed the project properties to link to the libraries in the bundle (this can be done manually with the GUI, no need to edit the project xml directly unless you want to.)
Relevant patches: https://github.com/peterlama/clbundler-freecad/blob/master/freecad/win/patches/python/pyconfig.diff
Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.
Yes, it's sufficient to only rebuild the Python library. Dependent libraries don't need to be rebuilt because the patch for Python 7.14 doesn't affect ABI compatibility
|I assigned this to myself. Wish me luck building Python. Thanks @peterl94 for the hints.|
Steps to build the Python dlls are as follows:
1. Get sources from https://www.python.org/ftp/python/2.7.14/Python-2.7.14.tgz
2. Unpack and open e.g. VS2013 x64 Cross Tools Command Prompt. cd into the PCBuild directory
3. Build 64-bit Release dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64
4. Build 64-bit Debug dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64 /p:Configuration=Debug
Thanks wmayer! I used the same procedure to build the release and debug executables.
So I need to get the stuff from: Python-2.7.14/Lib, Python-2.7.14/Include, and Python-2.7.14/PCBuild into the proper place in the libpack. Am I missing anything?
|relevant forum discussion https://forum.freecadweb.org/viewtopic.php?f=4&t=26617|
|2018-01-01 23:14||informant42||New Issue|
|2018-01-01 23:14||informant42||Tag Attached: security|
|2018-01-01 23:14||informant42||Tag Attached: vulnerability|
|2018-01-02 07:01||normandc||Note Added: 0010656|
|2018-01-02 12:44||Kunda1||Note Added: 0010659|
|2018-01-02 15:34||normandc||Note Added: 0010669|
||Note Added: 0010688|
|2018-01-03 21:17||peterl94||Note Added: 0010690|
|2018-01-03 21:19||peterl94||Note Added: 0010691|
||Note Added: 0010692|
|2018-01-03 22:17||peterl94||Note Added: 0010693|
|2018-01-03 23:43||wmayer||Note Added: 0010695|
|2018-01-03 23:44||wmayer||Severity||major => block|
|2018-01-03 23:44||wmayer||Target Version||=> 0.17|
||Assigned To||=> user2853|
||Status||new => assigned|
||Note Added: 0010718|
|2018-01-16 18:36||wmayer||Note Added: 0010772|
||Note Added: 0010773|
||Note Added: 0010931|
|2018-09-12 15:55||wmayer||Status||assigned => closed|
|2018-09-12 15:55||wmayer||Resolution||open => fixed|
|2018-09-12 15:55||wmayer||Fixed in Version||=> 0.17|
|2018-12-24 12:58||Kunda1||Tag Detached: vulnerability|