OpenSSL 3.0.7

Pagrossman
Posts: 8
Joined: Tue Nov 08, 2022 7:36 am

OpenSSL 3.0.7

Post by Pagrossman »

Hi,

I am new here.

As you know, OpenSSL has vulnerabilities in versions 3.0.0 - 3.0.6.
Version 3.0.7 is safe.

FreeCAD uses OpenSSL 3.0.0.

Is it possible to update it to 3.0.7? (in the LibPack-0.20 Version 2.8 for example)

Thank you
Last edited by Pagrossman on Wed Nov 09, 2022 8:19 am, edited 1 time in total.
adrianinsaval
Veteran
Posts: 5541
Joined: Thu Apr 05, 2018 5:15 pm

Re: OpenSSL 3.0.7

Post by adrianinsaval »

@uwestoehr @looo
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

Pagrossman wrote: Tue Nov 08, 2022 7:42 am
As you know, OpenSSL has vulnerabilities in versions 3.0.0 - 3.0.6. Version 3.0.7 is safe.

What are the vulnerabilities? Is FreeCAD actually affected by them, and if so, in what way?

I am asking because updating the LibPack is a task that costs us at least a full day of spare time, therefore I only do this if it is really necessary (and when we release a new version, of course).
wmayer
Founder
Posts: 20241
Joined: Thu Feb 19, 2009 10:32 am

Re: OpenSSL 3.0.7

Post by wmayer »

What are the vulnerabilities?
https://snyk.io/blog/breaking-down-open ... erability/
https://securitylabs.datadoghq.com/arti ... ing-to-rce
is FreeCAD actually affected by them and if so, in what way?
Yes, it's affected. OpenSSL is used for https-based network traffic. In FreeCAD that happens by using the StartPage or Addon manager.
adrianinsaval
Veteran
Posts: 5541
Joined: Thu Apr 05, 2018 5:15 pm

Re: OpenSSL 3.0.7

Post by adrianinsaval »

Is it worth making a point release?
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany

Re: OpenSSL 3.0.7

Post by uwestoehr »

wmayer wrote: Wed Nov 09, 2022 3:56 pm
Yes, it's affected. OpenSSL is used for https-based network traffic. In FreeCAD that happens by using the StartPage or Addon manager.

Thanks. I understand that and how we use SSL, but not yet how we are affected.
By "affected" I mean: is there anything critical, meaning something like this?

* it is possible by running FreeCAD as normal user to gain Admin privileges
* it is possible to get confidential info from CAD models (intellectual property can be stolen)

FreeCAD 0.20.2 is not too far away, but in general I would like to learn when it is really necessary to act and when not. I mean, there have been 6 point releases of OpenSSL meanwhile and I don't think we need to act on every one of them. However, I don't have the knowledge yet to know when to act.
chennes
Veteran
Posts: 3876
Joined: Fri Dec 23, 2016 3:38 pm
Location: Norman, OK, USA

Re: OpenSSL 3.0.7

Post by chennes »

I thought that client-side the vulnerability was purely a denial-of-service: that is, that it might crash FreeCAD because of a buffer overrun.
Chris Hennes
Pioneer Library System
GitHub profile, LinkedIn profile, chrishennes.com
adrianinsaval
Veteran
Posts: 5541
Joined: Thu Apr 05, 2018 5:15 pm

Re: OpenSSL 3.0.7

Post by adrianinsaval »

There's mention of potential remote code execution, but I don't understand the details of when this is possible.
Pagrossman
Posts: 8
Joined: Tue Nov 08, 2022 7:36 am

Re: OpenSSL 3.0.7

Post by Pagrossman »

There is also potential remote code execution mentioned.

The full description of the vulnerability is here (https://www.openssl.org/news/vulnerabilities.html):
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Reported by Polar Bear.
duane3104
Posts: 2
Joined: Wed Dec 10, 2014 3:04 am

Re: OpenSSL 3.0.7

Post by duane3104 »

@Pagrossman

First, I am a total newbie, so please forgive me if this is a stupid question.

But you say in your original post that FreeCAD uses OpenSSL 3.0.0.

My windows V0.20 appears to use OpenSSL 1.1.1L not the 3.0.0 version.

Would that mean that recent Windows versions would not be affected?

Perhaps the Linux versions use the 3.0.0 library?

Thanks very much for any comments.
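To answer the "which OpenSSL does my FreeCAD actually use?" question raised in this thread, the following can be pasted into FreeCAD's Python console (or run with any Python). It is an added example, not FreeCAD or OpenSSL project code; it reports the OpenSSL version the interpreter links against and applies the affected range stated above (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.1.1x not affected). The function names are my own.

```python
import re
import ssl

# Affected range taken from the thread: 3.0.0 .. 3.0.6, fixed in 3.0.7 (CVE-2022-3602).
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 1.1.1l  24 Aug 2021", "OpenSSL 3.0.0 7 sep 2021" or a bare "3.0.6".
VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(version_string):
    """Return (major, minor, patch, letter) parsed from an OpenSSL version string.
    The trailing letter is only used by the 1.x series (e.g. 1.1.1l)."""
    match = VERSION_RE.search(version_string)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter.lower()


def is_affected_by_cve_2022_3602(version_string):
    """True only for the 3.0.0 .. 3.0.6 series. 1.1.1x builds and 3.0.7 or later are not affected."""
    major, minor, patch, _letter = parse_openssl_version(version_string)
    if (major, minor) != (3, 0):
        return False
    return (major, minor, patch) < FIXED_VERSION


def check_running_interpreter():
    """Report the OpenSSL this Python (e.g. FreeCAD's embedded interpreter) was built against.
    Returns (version_string, affected)."""
    version = ssl.OPENSSL_VERSION
    return version, is_affected_by_cve_2022_3602(version)


if __name__ == "__main__":
    version, affected = check_running_interpreter()
    verdict = "AFFECTED - upgrade to OpenSSL 3.0.7 or later" if affected else "not affected"
    print(f"{version}: {verdict}")
```

Caveat: this reports the OpenSSL linked into Python; the assumption here is that FreeCAD's Qt network layer (StartPage, Addon manager) loads the same library from the LibPack, which is worth confirming by checking the DLLs shipped alongside the installation.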