[osgeo4w-dev] [osgeo4w] #811: Vulnerable Python 3.9.5 executable exists after install latest of QGIS LTR 3.28.14 using the OSGEO4W installer
OSGeo4W
trac_osgeo4w at osgeo.org
Thu Jan 11 03:57:36 PST 2024
#811: Vulnerable Python 3.9.5 executable exists after install latest of QGIS LTR
3.28.14 using the OSGEO4W installer
----------------------+------------------------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: major | Component: Package
Version: | Keywords: Python 3.9.5 Vulnerabilities
----------------------+------------------------------------------
Hello,
I have just packaged up the latest QGIS LTR 3.28.14 install (Released back
around 22nd December) for distribution to our users, we install using the
OSGEO4W installer.
I have discovered that the latest installer is deploying an old 3.9.5
version of Python. This version was released on 3rd May 2021
([https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-5-final])
and has been superseded by numerous 3.9.x versions (mainly to fix various
bugs and security vulnerabilities) - the latest 3.9.x branch is currently
3.9.18 (Released 24th August 2023 -
[https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-18-final]),
this latest version cumulatively fixes 15 security vulnerabilities (CVEs)
that exist in v3.9.5 - Two of these CVEs are classified as critical.
N.B. There are later branches of Python 3.x available:
[https://www.python.org/downloads/] (all of which have a longer support life
than 3.9), the latest being 3.12.1 although it is worth noting v3.13 is
due for release any day now - You may wish to consider updating Python to
a later supported branch.
FYI: This is my PowerShell install script which we trigger on the users
machines to install or upgrade to the latest QGIS LTR version:
{{{
Write-Host "=== Start installing / upgrading QGIS LTR..." -ForegroundColor Green
# Save current working directory
$starter_path = Get-Location
# Move into the user's TEMP directory
Set-Location -Path "$($env:TEMP)"
# Set saved name of File to be downloaded
$OutFile = "osgeo4w-setup.exe"
# Download installer
Write-Host " = Start downloading the OSGeo4W installer..." -ForegroundColor Yellow
Invoke-WebRequest -Uri "https://download.osgeo.org/osgeo4w/v2/osgeo4w-setup.exe" -OutFile $OutFile
# Download and install (same command to upgrade with clean up)
Write-Host " = Start installing / upgrading QGIS LTR..." -ForegroundColor Yellow
& .\$($OutFile) `
    --quiet-mode `
    --advanced `
    --arch x86_64 `
    --autoaccept `
    --delete-orphans `
    --local-package-dir "$($env:APPDATA)\OSGeo4W_v2-Packages" `
    --menu-name "QGIS LTR" `
    --no-desktop `
    --packages qgis-ltr-full `
    --root "$($env:ProgramFiles)\OSGeo4W_v2" `
    --site "https://www.norbit.de/osgeo4w/v2" `
    --site "https://download.osgeo.org/osgeo4w/v2" `
    --site "https://ftp.osuosl.org/pub/osgeo/download/osgeo4w/v2" `
    --upgrade-also `
    | out-null
# Return to the initial directory
Set-Location -Path $starter_path
Write-Host "==== Work is done!" -ForegroundColor Green
}}}
**Evidence**
Using PowerShell, I can show the existence of these Python 3.9.x files
along with their versions within our QGIS install:
{{{
PS C:\Program Files\OSGeo4W_v2> Get-ChildItem python*.dll,python*.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | ft -auto

ProductVersion FileVersionRaw FileName
-------------- -------------- --------
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pythonwin\Pythonwin.exe
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pywin32_system32\pythoncom...
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\win32\pythonservice.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python39.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python39.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw3.exe
}}}
I am unsure if Python is installed as a requirement of QGIS LTR or the
OSGEO4W installer, but as this bundled software contains such critical
vulnerabilities it needs to be updated as soon as possible to remove the
security risk.
* Please can you advise whether I need to raise this with QGIS or if the
OSGEO4W installer needs to be updated / fixed?
* If it is the OSGEO4W installer, please can you give an indication when
we can expect to see a fix available?
Thanks in advance,
Regards,
Adrian Scott
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/811>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
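
Added example, not part of the original ticket or of OSGeo4W: a PowerShell audit that turns the evidence listing above into a pass/fail check for deployed machines, flagging interpreter binaries whose ProductVersion is below a chosen minimum. The function name `Find-OutdatedBundledPython` is hypothetical, the default root is the `--root` value from the ticket's install script, and the default minimum of 3.9.18 is the latest 3.9.x release the ticket names.

```powershell
# Added example: flag bundled Python interpreter binaries older than a minimum patch level.
function Find-OutdatedBundledPython {
    [CmdletBinding()]
    param(
        # Install root; default is the --root used in the ticket's install script.
        [string]$Root = "$($env:ProgramFiles)\OSGeo4W_v2",
        # Minimum acceptable version; 3.9.18 is the latest 3.9.x release named in the ticket.
        [version]$MinimumVersion = '3.9.18'
    )

    # Interpreter binaries only. pywin32 files (Pythonwin.exe, pythoncom*.dll,
    # pythonservice.exe) carry pywin32's own version (3.9.304.0 in the ticket), so skip them.
    $interpreterName = '^pythonw?3?\.exe$|^python3\d*\.dll$'

    Get-ChildItem -Path $Root -Include 'python*.exe', 'python*.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $interpreterName } |
        ForEach-Object {
            # ProductVersion is free text; keep only the leading major.minor.patch.
            if ($_.VersionInfo.ProductVersion -match '^\d+\.\d+\.\d+') {
                $found = [version]$Matches[0]
                if ($found -lt $MinimumVersion) {
                    [pscustomobject]@{
                        Version  = $found
                        Minimum  = $MinimumVersion
                        FileName = $_.FullName
                    }
                }
            }
            else {
                # No parsable version resource: report it rather than silently pass it.
                [pscustomobject]@{ Version = $null; Minimum = $MinimumVersion; FileName = $_.FullName }
            }
        }
}

$outdated = @(Find-OutdatedBundledPython)
$outdated | Sort-Object FileName | Format-Table -AutoSize
# Non-zero exit lets a deployment task or compliance check fail on findings.
# (Run as a script file; 'exit' in an interactive console closes the session.)
if ($outdated.Count -gt 0) { exit 1 }
```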