View Issue Details

ID: 0003295
Project: FreeCAD
Category: Bug
View Status: public
Last Update: 2018-12-24 12:58
Reporter: informant42
Assigned To: user2853
Status: closed
Resolution: fixed
Product Version: 0.16
Target Version: 0.17
Fixed in Version: 0.17
Summary: 0003295: Windows version of FreeCAD 0.16 and 0.17 is shipped with Python <= 2.7.13 that has a critical security vulnerability

Description: The Windows packages of FreeCAD 0.16 stable and 0.17_pre are shipped with a Python version that is vulnerable to a critical security vulnerability.

Here is the CERT CVE-2017-1000158 report:

The vulnerability is fixed in Python 2.7.14.
I highly recommend creating a new Windows package of FreeCAD 0.16 shipping with a new version of Python >= 2.7.14.

I also recommend that the developers subscribe to one of the CERT mailing lists. That way you will always be informed about new security vulnerabilities related to Python. Some of the CERT mailing lists also allow filtering the CERT reports by application name.

2018-01-02 07:01

manager   ~0010656

That may affect many Linux distributions as well...

Seems like affected python packages in Ubuntu versions have been patched already.


2018-01-02 12:44

administrator   ~0010659



2018-01-02 15:34

manager   ~0010669

Yorik has nothing to do with Windows packaging; for Linux distros, we have no choice but to trust them to patch this vulnerability (which assuredly was done by Ubuntu and Debian). @sgrogan should be informed as well, he is the Windows packager.


2018-01-03 20:58


On Win this requires building Python from scratch. I've never done this, and don't really know where to start. I'll reach out to @peterl94.

I'll leave to @wmayer if this should block the 0.17 release.


2018-01-03 21:17

developer   ~0010690

Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.


2018-01-03 21:19

developer   ~0010691

If I remember correctly, the config has to be patched in addition to upgrading the 2010 project to work with VS2013.


2018-01-03 22:04


Thanks Peter! I'm hoping for binary compatibility with 2.7.x
I haven't looked yet, but did you use CLBundler for Python?


2018-01-03 22:17

developer   ~0010693

Yes, I did. I changed the project properties to link to the libraries in the bundle (this can be done manually with the GUI, no need to edit the project xml directly unless you want to.)

Relevant patches:


2018-01-03 23:43

administrator   ~0010695

> Hopefully we can just drop in 2.7.14 without recompiling dependent libs. I have no time to do this at the moment, though.

Yes, it's sufficient to only rebuild the Python library. Dependent libraries don't need to be rebuilt because the patch for Python 2.7.14 doesn't affect ABI compatibility.


2018-01-05 22:04


I assigned this to myself. Wish me luck building Python. Thanks @peterl94 for the hints.


2018-01-16 18:36

administrator   ~0010772

Steps to build the Python dlls are as follows:
1. Get sources from
2. Unpack and open e.g. VS2013 x64 Cross Tools Command Prompt. cd into the PCBuild directory
3. Build 64-bit Release dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64
4. Build 64-bit Debug dll with: msbuild pythoncore.vcxproj "/p:PlatformToolset=v120" /p:Platform=x64 /p:Configuration=Debug


2018-01-16 22:19


Thanks wmayer! I used the same procedure to build the release and debug executables.
So I need to get the stuff from: Python-2.7.14/Lib, Python-2.7.14/Include, and Python-2.7.14/PCBuild into the proper place in the libpack. Am I missing anything?
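A packager-side check for the situation described in this thread, added here as an example and not code from the issue or from the FreeCAD project: it reads the version defines from Include/patchlevel.h inside a libpack (the layout note 0010773 describes, assumed here) and reports whether the bundled CPython predates the 2.7.14 fix the reporter names. The same predicate can be run on sys.version_info from the FreeCAD Python console to check the interpreter actually shipped. The patchlevel.h sample is constructed; the only version fact taken from the issue is that 2.7.14 carries the fix, so releases outside the 2.x series are reported as not assessed.

```python
"""Check whether a bundled CPython 2.x predates the CVE-2017-1000158 fix (2.7.14)."""
import os
import re
import sys

# First release carrying the fix, as stated in the issue report.
FIXED_VERSION = (2, 7, 14)

# Matches the three numeric version defines in CPython's Include/patchlevel.h.
_DEFINE_RE = re.compile(
    r'^#define\s+PY_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)\s*$', re.MULTILINE)


def parse_patchlevel(text):
    """Return (major, minor, micro) parsed from the contents of patchlevel.h."""
    found = {m.group(1): int(m.group(2)) for m in _DEFINE_RE.finditer(text)}
    missing = {"MAJOR", "MINOR", "MICRO"} - set(found)
    if missing:
        raise ValueError("patchlevel.h lacks PY_%s_VERSION"
                         % "/".join(sorted(missing)))
    return (found["MAJOR"], found["MINOR"], found["MICRO"])


def is_vulnerable(version):
    """True for any 2.x release older than 2.7.14.

    Only the 2.x series is assessed, which is what the issue covers; other
    major versions return False (meaning "not assessed", not "safe").
    Accepts a plain tuple or sys.version_info.
    """
    major, minor, micro = tuple(version[:3])
    if major != 2:
        return False
    return (major, minor, micro) < FIXED_VERSION


def check_libpack(libpack_dir):
    """Locate Include/patchlevel.h under a libpack (assumed layout) and assess it."""
    path = os.path.join(libpack_dir, "Include", "patchlevel.h")
    with open(path) as fh:
        version = parse_patchlevel(fh.read())
    return version, is_vulnerable(version)


# Constructed sample of the relevant defines as they appear in a 2.7.13 patchlevel.h.
SAMPLE_PATCHLEVEL_2_7_13 = """\
#define PY_MAJOR_VERSION\t2
#define PY_MINOR_VERSION\t7
#define PY_MICRO_VERSION\t13
#define PY_RELEASE_LEVEL\tPY_RELEASE_LEVEL_FINAL
#define PY_VERSION      \t"2.7.13"
"""

if __name__ == "__main__":
    # Usage 1: from the FreeCAD Python console, check the running interpreter.
    print("running interpreter %s vulnerable: %s"
          % (sys.version.split()[0], is_vulnerable(sys.version_info)))
    # Usage 2: pass a libpack directory on the command line.
    if len(sys.argv) > 1:
        version, vuln = check_libpack(sys.argv[1])
        print("libpack Python %d.%d.%d vulnerable: %s" % (version + (vuln,)))
```

Checking the headers catches a libpack where only some of Lib, Include and PCBuild were replaced, since a mismatch between patchlevel.h and the DLL actually copied would show up as an unexpected version in one of the two checks.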


2018-02-08 00:27


relevant forum discussion

Issue History

Date Modified Username Field Change
2018-01-01 23:14 informant42 New Issue
2018-01-01 23:14 informant42 Tag Attached: security
2018-01-01 23:14 informant42 Tag Attached: vulnerability
2018-01-02 07:01 normandc Note Added: 0010656
2018-01-02 12:44 Kunda1 Note Added: 0010659
2018-01-02 15:34 normandc Note Added: 0010669
2018-01-03 20:58 user2853 Note Added: 0010688
2018-01-03 21:17 peterl94 Note Added: 0010690
2018-01-03 21:19 peterl94 Note Added: 0010691
2018-01-03 22:04 user2853 Note Added: 0010692
2018-01-03 22:17 peterl94 Note Added: 0010693
2018-01-03 23:43 wmayer Note Added: 0010695
2018-01-03 23:44 wmayer Severity major => block
2018-01-03 23:44 wmayer Target Version => 0.17
2018-01-05 22:03 user2853 Assigned To => user2853
2018-01-05 22:03 user2853 Status new => assigned
2018-01-05 22:04 user2853 Note Added: 0010718
2018-01-16 18:36 wmayer Note Added: 0010772
2018-01-16 22:19 user2853 Note Added: 0010773
2018-02-08 00:27 user2853 Note Added: 0010931
2018-09-12 15:55 wmayer Status assigned => closed
2018-09-12 15:55 wmayer Resolution open => fixed
2018-09-12 15:55 wmayer Fixed in Version => 0.17
2018-12-24 12:58 Kunda1 Tag Detached: vulnerability