CVE-2021-45844

Name	CVE-2021-45844
Description	Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2934-1, DLA-3076-1, DSA-5229-1
Debian Bugs	1005747

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
freecad (PTS)	bullseye (security), bullseye	0.19.1+dfsg1-2+deb11u1	fixed
	bookworm	0.20.2+dfsg1-4	fixed
	sid, trixie	1.0.0+dfsg-6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
freecad	source	stretch	0.16+dfsg2-3+deb9u1	DLA-2934-1
freecad	source	buster	0.18~pre1+dfsg1-5+deb10u1	DLA-3076-1
freecad	source	bullseye	0.19.1+dfsg1-2+deb11u1	DSA-5229-1
freecad	source	(unstable)	0.19.4+dfsg1-1		1005747

Notes

Fixed by; https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6 (master)
Fixed by: https://github.com/FreeCAD/FreeCAD/commit/ad6977f940d3e64d78a4367452d9a338ad43fa1c (0.19.4)
https://tracker.freecad.org/view.php?id=4809