| Name | CVE-2021-45844 |
| Description | Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
| References | DLA-2934-1, DLA-3076-1, DSA-5229-1 |
| Debian Bugs | 1005747 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| freecad (PTS) | buster | 0.18~pre1+dfsg1-5 | vulnerable |
| buster (security) | 0.18~pre1+dfsg1-5+deb10u1 | fixed | |
| bullseye (security), bullseye | 0.19.1+dfsg1-2+deb11u1 | fixed | |
| bookworm, sid | 0.20.2+dfsg1-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| freecad | source | stretch | 0.16+dfsg2-3+deb9u1 | DLA-2934-1 | ||
| freecad | source | buster | 0.18~pre1+dfsg1-5+deb10u1 | DLA-3076-1 | ||
| freecad | source | bullseye | 0.19.1+dfsg1-2+deb11u1 | DSA-5229-1 | ||
| freecad | source | (unstable) | 0.19.4+dfsg1-1 | 1005747 |
Fixed by; https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6 (master)
Fxied by: https://github.com/FreeCAD/FreeCAD/commit/ad6977f940d3e64d78a4367452d9a338ad43fa1c (0.19.4)
https://tracker.freecad.org/view.php?id=4809