[Osgeo4w-trac] [osgeo4w] #811: Vulnerable Python 3.9.5 executable exists after install latest of QGIS LTR 3.28.14 using the OSGEO4W installer

OSGeo4W trac_osgeo4w at osgeo.org
Thu Jan 11 03:57:36 PST 2024


#811: Vulnerable Python 3.9.5 executable exists after install latest of QGIS LTR
3.28.14 using the OSGEO4W installer
----------------------+------------------------------------------
Reporter:  ascottwwf  |      Owner:  osgeo4w-dev@…
    Type:  defect     |     Status:  new
Priority:  major      |  Component:  Package
 Version:             |   Keywords:  Python 3.9.5 Vulnerabilities
----------------------+------------------------------------------
 Hello,



 I have just packaged up the latest QGIS LTR 3.28.14 install (Released back
 around 22nd December) for distribution to our users, we install using the
 OSGEO4W installer.\\

 I have discovered that the latest installer is deploying an old 3.9.5
 version of Python. This version was released on 3rd May 2021
 ([https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-5-final])
 and has been superceded by numerous 3.9.x versions (mainly to fix various
 bugs and security vulnerabilities) - the latest 3.9.x branch is currently
 3.9.18 (Released 24th August 2023 -
 [https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-18-final]),
 this latest version cumulatively fixes 15 security vulnerabilities (CVEs)
 that exist in v3.9.5 - Two of these CVEs are classified as critical.\\

 N.B. There are later branches of Python 3.x available:
 [https://www.python.org/downloads/] (all which have a longer support life
 than 3.9), the latest being 3.12.1 although it is worth noting v3.13 is
 due for release any day now - You may wish to consider updating Python to
 a later supported branch.\\


 FYI: This is my PowerShell install script which we trigger on the users
 machines to install or upgrade to the latest QGIS LTR version:

 {{{
 Write-Host "=== Start installing / upgrading QGIS LTR..." -ForegroundColor
 Green

 # Save current working directory
 $starter_path = Get-Location

 # Move into the user download directory
 Set-Location -Path "$($env:TEMP)"

 # Set saved name of File to be downloaded
 $OutFile = "osgeo4w-setup.exe"

 # Download installer
 Write-Host " = Start downloading the OSGeo4W installer..."
 -ForegroundColor Yellow
 Invoke-WebRequest -Uri "https://download.osgeo.org/osgeo4w/v2/osgeo4w-
 setup.exe" -OutFile $OutFile

 # Download and install (same command to upgrade with clean up)
 Write-Host " = Start installing / upgrading QGIS LTR..." -ForegroundColor
 Yellow
 & .\$($OutFile) `
     --quiet-mode `
     --advanced `
     --arch x86_64 `
     --autoaccept `
     --delete-orphans `
     --local-package-dir "$($env:APPDATA)\OSGeo4W_v2-Packages" `
     --menu-name "QGIS LTR" `
     --no-desktop `
     --packages qgis-ltr-full `
     --root "$($env:ProgramFiles)\OSGeo4W_v2" `
     --site "https://www.norbit.de/osgeo4w/v2" `
     --site "https://download.osgeo.org/osgeo4w/v2" `
     --site "https://ftp.osuosl.org/pub/osgeo/download/osgeo4w/v2" `
     --upgrade-also `
  | out-null

  # Return to the initial directory
 Set-Location -Path $starter_path
 Write-Host "==== Work is done!" -ForegroundColor Green
 }}}

 **Evidence**

 Using PowerShell, I can show the existence of these Python 3.9.x files
 along with their versions within our QGIS install:
 {{{
 PS C:\Program Files\OSGeo4W_v2> Get-ChildItem python*.dll,python*.exe
 -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo
 -ExpandProperty versioninfo | Sort-Object
 ProductVersion,FileVersionRaw,Filename | Select-Object
 ProductVersion,FileVersionRaw,Filename | ft -auto

 ProductVersion FileVersionRaw FileName
 -------------- -------------- --------
 3.9.304.0      3.9.304.0      C:\Program
 Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pythonwin\Pythonwin.exe
 3.9.304.0      3.9.304.0      C:\Program
 Files\OSGeo4W_v2\apps\Python39\Lib\site-
 packages\pywin32_system32\pythoncom...
 3.9.304.0      3.9.304.0      C:\Program
 Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\win32\pythonservice.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\python.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\pythonw.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\python.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\python3.dll
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\python3.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\python39.dll
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\pythonw.exe
 3.9.5          3.9.5150.1013  C:\Program
 Files\OSGeo4W_v2\apps\Python39\pythonw3.exe
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python.exe
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.dll
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.exe
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python39.dll
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw.exe
 3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw3.exe

 }}}

 I am unsure if Python is installed as a requirement of QGIS LTR or the
 OSGEO4W installer, but as this bundled software contains such critical
 vulnerabilities it needs to be updated as soon as possible to remove the
 security risk.\\
 * Please can you advise whether I need to raise this with QGIS or if the
 OSGEO4W installer needs to be updated / fixed?\\
 * If it is the OSGEO4W installer, please can you give an indication when
 we can expect to see a fix available?\\

 Thanks in advance,\\
 Regards,\\

 Adrian Scott
-- 
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/811>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.


More information about the Osgeo4w-trac mailing list