View Issue Details

ID: 0003295
Project: FreeCAD
Category: Bug
View Status: public
Last Update: 2018-12-24 12:58
Reporter: informant42
Assigned To: user2853
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.16
Target Version: 0.17
Fixed in Version: 0.17
Summary: 0003295: Windows version of FreeCAD 0.16 and 0.17 is shipped with Python <=2.7.13 that has a critical security vulnerability
Description: The Windows packages of FreeCAD 0.16 stable and 0.17_pre are shipped with a Python version that is affected by a critical security vulnerability.

Here is the CERT report for CVE-2017-1000158:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000158

The vulnerability is fixed in Python 2.7.14.
I highly recommend creating a new Windows package of FreeCAD 0.16 that ships with a Python version >= 2.7.14.

I also recommend that the developers subscribe to one of the CERT mailing lists. That way you will always be informed about new security vulnerabilities related to Python. Some of the CERT mailing lists also allow filtering the CERT reports by application name.
Tags: security

Activities

normandc (manager) 2018-01-02 07:01 ~0010656

That may affect many Linux distributions as well...

Seems like affected python packages in Ubuntu versions have been patched already. https://usn.ubuntu.com/usn/usn-3496-1/

Kunda1 (administrator) 2018-01-02 12:44 ~0010659

@wmayer
@yorik

normandc (manager) 2018-01-02 15:34 ~0010669

Yorik has nothing to do with Windows packaging; for Linux distros, we have no choice but to trust them to patch this vulnerability (which assuredly was done by Ubuntu and Debian). @sgrogan should be informed as well, he is the Windows packager.

user2853 2018-01-03 20:58 ~0010688

On Win this requires building Python from scratch. I've never done this and don't really know where to start. I'll reach out to @peterl94.

I'll leave to @wmayer if this should block the 0.17 release.

peterl94 (developer) 2018-01-03 21:17 ~0010690

Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.

peterl94 (developer) 2018-01-03 21:19 ~0010691

If I remember correctly, the config has to be patched in addition to upgrading the 2010 project to work with VS2013.

user2853 2018-01-03 22:04 ~0010692

Thanks Peter! I'm hoping for binary compatibility with 2.7.x.
I haven't looked yet, but did you use CLBundler for Python?

peterl94 (developer) 2018-01-03 22:17 ~0010693

Yes, I did. I changed the project properties to link to the libraries in the bundle (this can be done manually with the GUI; no need to edit the project XML directly unless you want to).

Relevant patches: https://github.com/peterlama/clbundler-freecad/blob/master/freecad/win/patches/python/pyconfig.diff
https://github.com/peterlama/clbundler-freecad/blob/master/freecad/win/patches/python/vcproj_bundle_libs.diff

wmayer (administrator) 2018-01-03 23:43 ~0010695

peterl94 wrote:

> Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.

Yes, it's sufficient to only rebuild the Python library. Dependent libraries don't need to be rebuilt because the patch for Python 2.7.14 doesn't affect ABI compatibility.

user2853 2018-01-05 22:04 ~0010718

I assigned this to myself. Wish me luck building Python. Thanks @peterl94 for the hints.

wmayer (administrator) 2018-01-16 18:36 ~0010772

Steps to build the Python dlls are as follows:
1. Get sources from https://www.python.org/ftp/python/2.7.14/Python-2.7.14.tgz
2. Unpack and open e.g. VS2013 x64 Cross Tools Command Prompt. cd into the PCBuild directory
3. Build 64-bit Release dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64
4. Build 64-bit Debug dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64 /p:Configuration=Debug

user2853 2018-01-16 22:19 ~0010773

Thanks wmayer! I used the same procedure to build the release and debug executables.
So I need to get the stuff from: Python-2.7.14/Lib, Python-2.7.14/Include, and Python-2.7.14/PCBuild into the proper place in the libpack. Am I missing anything?

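To check the outcome of the four build steps listed earlier and of the libpack placement (Lib, Include, PCBuild) discussed in the note above, here is an added example that is not FreeCAD's or the libpack's own code: a small Python script that reads Include/patchlevel.h from a libpack tree, compares the numeric version defines against the first fixed release (2.7.14, as stated in the report) and confirms that both the Release and Debug pythoncore DLLs are present somewhere under the tree. The libpack layout, the DLL names (the standard CPython 2.7 PCbuild outputs) and the throwaway sample tree it builds are assumptions made for this demonstration.

```python
"""Added example (not FreeCAD project code): verify that the CPython copied into a
Windows libpack is at least the release that fixes CVE-2017-1000158.

Assumptions: the libpack layout follows the note above (Include/, Lib/, PCBuild/),
and the build outputs carry the standard CPython 2.7 PCbuild DLL names.  The sample
libpack created by make_sample_libpack() is constructed here for the demonstration.
"""
import os
import re
import tempfile

# First release carrying the fix, per the report above.
MIN_FIXED = (2, 7, 14)

# Standard output names of pythoncore.vcxproj for the Release and Debug builds of 2.7.
EXPECTED_DLLS = ("python27.dll", "python27_d.dll")

_DEFINE = re.compile(r"^#define\s+PY_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)\s*$", re.M)


def parse_patchlevel(text):
    """Return (major, minor, micro) parsed from the text of Include/patchlevel.h."""
    found = dict(_DEFINE.findall(text))
    missing = [k for k in ("MAJOR", "MINOR", "MICRO") if k not in found]
    if missing:
        raise ValueError("patchlevel.h lacks PY_%s_VERSION" % missing[0])
    return tuple(int(found[k]) for k in ("MAJOR", "MINOR", "MICRO"))


def is_fixed(version, minimum=MIN_FIXED):
    """True when the bundled version is at or above the first fixed release."""
    return tuple(version) >= tuple(minimum)


def check_libpack(root):
    """Inspect a libpack tree.

    Returns (version, fixed, missing_dlls): the version from Include/patchlevel.h,
    whether it is at or above MIN_FIXED, and which expected DLLs were not found
    anywhere under the tree (for instance a forgotten Debug build).
    """
    with open(os.path.join(root, "Include", "patchlevel.h")) as fh:
        version = parse_patchlevel(fh.read())
    present = set()
    for _dirpath, _dirnames, files in os.walk(root):
        present.update(name.lower() for name in files)
    missing = [dll for dll in EXPECTED_DLLS if dll not in present]
    return version, is_fixed(version), missing


def make_sample_libpack(micro, with_debug=True):
    """Construct a throwaway libpack skeleton (sample data, not a real build)."""
    root = tempfile.mkdtemp(prefix="libpack-")
    os.makedirs(os.path.join(root, "Include"))
    os.makedirs(os.path.join(root, "PCBuild", "amd64"))
    # Shape of the real header: the numeric defines are what a checker should trust;
    # the PY_VERSION string is informational only.
    header = (
        "#define PY_MAJOR_VERSION\t2\n"
        "#define PY_MINOR_VERSION\t7\n"
        "#define PY_MICRO_VERSION\t%d\n"
        '#define PY_VERSION\t\t"2.7.%d"\n'
    ) % (micro, micro)
    with open(os.path.join(root, "Include", "patchlevel.h"), "w") as fh:
        fh.write(header)
    dlls = list(EXPECTED_DLLS) if with_debug else [EXPECTED_DLLS[0]]
    for dll in dlls:
        open(os.path.join(root, "PCBuild", "amd64", dll), "w").close()
    return root


if __name__ == "__main__":
    # A 2.7.13 tree with both DLLs, then a 2.7.14 tree missing the Debug DLL.
    for micro, debug in ((13, True), (14, False)):
        version, fixed, missing = check_libpack(make_sample_libpack(micro, debug))
        print("python %d.%d.%d fixed=%s missing=%s" % (version + (fixed, missing)))
```

Point check_libpack() at the real libpack root instead of the sample tree; the numeric PY_*_VERSION defines are compared as a tuple so that a later 2.7.x passes without editing the script.
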
user2853 2018-02-08 00:27 ~0010931

relevant forum discussion https://forum.freecadweb.org/viewtopic.php?f=4&t=26617

Issue History

Date Modified Username Field Change
2018-01-01 23:14 informant42 New Issue
2018-01-01 23:14 informant42 Tag Attached: security
2018-01-01 23:14 informant42 Tag Attached: vulnerability
2018-01-02 07:01 normandc Note Added: 0010656
2018-01-02 12:44 Kunda1 Note Added: 0010659
2018-01-02 15:34 normandc Note Added: 0010669
2018-01-03 20:58 user2853 Note Added: 0010688
2018-01-03 21:17 peterl94 Note Added: 0010690
2018-01-03 21:19 peterl94 Note Added: 0010691
2018-01-03 22:04 user2853 Note Added: 0010692
2018-01-03 22:17 peterl94 Note Added: 0010693
2018-01-03 23:43 wmayer Note Added: 0010695
2018-01-03 23:44 wmayer Severity major => block
2018-01-03 23:44 wmayer Target Version => 0.17
2018-01-05 22:03 user2853 Assigned To => user2853
2018-01-05 22:03 user2853 Status new => assigned
2018-01-05 22:04 user2853 Note Added: 0010718
2018-01-16 18:36 wmayer Note Added: 0010772
2018-01-16 22:19 user2853 Note Added: 0010773
2018-02-08 00:27 user2853 Note Added: 0010931
2018-09-12 15:55 wmayer Status assigned => closed
2018-09-12 15:55 wmayer Resolution open => fixed
2018-09-12 15:55 wmayer Fixed in Version => 0.17
2018-12-24 12:58 Kunda1 Tag Detached: vulnerability