[Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries

Wed Jan 22 07:12:29 PST 2025

Hi Matteo,

thanks for raising this.

As for dependencies vulnerabilities, this depends on the packaging 
system you use to install QGIS. If you are using the windows installer, 
can you please open an issue at https://trac.osgeo.org/osgeo4w. This 
requires an osgeo login, that you can obtain at 
https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/

If you suspect this is related to QGIS core, or this is a critical 
vulnerability, you can join the security team privately at 
security at qgis.org, so that we fix and deploy corrective action before a 
public disclosure, which is the recommended workflow.

When raising a report from scanner, we will need more details about the 
exact versions spotted by the scanner, the vulnerability id (aka CVE 
number) and a copy of the full report.

Take also a close look at the vulnerability score, if above 7 or 8, this 
becomes urgent. If below, you can just raise us the issue and maybe wait 
for upgrades to be delivered in the normal workflow.

Finally, keep a critical approach on security. While QGIS server can be 
exposed on a web server and be very sensitive, but is rarely using 
windows packaging, QGIS desktop is not supposed to be exposed on the web.

Python ecosystem is full of such vulnerabilities does not make much 
sense when you are on a desktop software with python scripting 
capabilities, with basically the ability to wipe or encrypt your disk. 
We will take care of the packaging, but we need to prioritize urgency 
too critical issues.

Thanks again for your help here. We are flooded by vulnerability report, 
and we need to learn how to deal with this as a community. Work is 
planned on this front to handle this, but every GIS and IT admin will 
also have to learn this whole security stuff.

Cheers

Régis

On 22/01/2025 13:31, Matteo Cassio via QGIS-User wrote:
>
> Dear QGIS team,
>
> I hope this email finds you well.
>
> Our vulnerability scan detected a vulnerability in the Python 
> libraries in QGIS 3.4.0.2 <http://3.4.0.2>.
>
> The report states:
>
> “The version of the Pandas library installed on the remote host has an 
> unpatched exposure. It is, therefore, affected by a code injection 
> vulnerability in the pandas.DataFrame.query function. The function is 
> intended to allow querying the columns of a DataFrame using a boolean 
> expression. A malicious attacker can constructs a malicious query to 
> bypass input validation mechanisms and trigger a code injection 
> vulnerability which can lead to command execution if the code passes 
> untrusted input into self.eval().”
>
>
> The library is stored in this directory: C:\Program Files\QGIS 
> 3.40.2\apps\Python312\Lib.
>
> Could you please advice as to whether this is a false positive or a 
> known issue?
>
> Thank you.
>
> Kind regards,
>
>
> <https://www.brydenwood.co.uk/>
>
> Matteo Cassio
>
> Senior IT Systems Engineer
>
> MCassio at brydenwood.co.uk
> +44 (0)20 7253 4772
> 101 Euston Road
> London
> NW1 2RA
>
> <https://www.brydenwood.co.uk/>
>
> <https://www.brydenwood.co.uk/>
>
> <https://www.linkedin.com/company/brydenwoodtechnology/><https://twitter.com/BrydenWood><https://www.youtube.com/c/BrydenWoodTech><https://www.instagram.com/brydenwoodtech/><https://www.facebook.com/brydenwoodtech/>
>
> ------------------------------------------------------------------------
>
> Registered Company Address
> Plurenden Manor Farm,
> Plurenden Lane,
> High Halden,
> Kent, TN26 3JW
>
> Bryden Wood
> Technology Limited
> Registered Company
> No 05750083
> VAT Registered 876 8921 58
>
>
> _______________________________________________
> QGIS-User mailing list
> QGIS-User at lists.osgeo.org
> List info:https://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4401 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 2472 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 19516 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 2680 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 2676 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 2412 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 3228 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 3019 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20250122/f55cf474/attachment-0013.png>