[Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries
Régis Haubourg
regis.haubourg at gmail.com
Wed Jan 22 07:12:29 PST 2025
Hi Matteo,
thanks for raising this.
As for dependency vulnerabilities, this depends on the packaging
system you use to install QGIS. If you are using the Windows installer,
can you please open an issue at https://trac.osgeo.org/osgeo4w. This
requires an osgeo login, that you can obtain at
https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/
If you suspect this is related to QGIS core, or this is a critical
vulnerability, you can join the security team privately at
security at qgis.org, so that we fix and deploy corrective action before a
public disclosure, which is the recommended workflow.
When raising a report from a scanner, we will need more details about the
exact versions spotted by the scanner, the vulnerability id (aka CVE
number) and a copy of the full report.
Take also a close look at the vulnerability score: if it is above 7 or 8, this
becomes urgent. If below, you can just raise the issue with us and maybe wait
for upgrades to be delivered in the normal workflow.
Finally, keep a critical approach on security. While QGIS Server can be
exposed on a web server and be very sensitive (but rarely uses
Windows packaging), QGIS Desktop is not supposed to be exposed on the web.
The Python ecosystem is full of such vulnerabilities, which do not make much
sense when you are on desktop software with Python scripting
capabilities, with basically the ability to wipe or encrypt your disk.
We will take care of the packaging, but we need to prioritize urgency
to critical issues.
Thanks again for your help here. We are flooded by vulnerability reports,
and we need to learn how to deal with this as a community. Work is
planned on this front to handle this, but every GIS and IT admin will
also have to learn this whole security stuff.
Cheers
Régis
On 22/01/2025 13:31, Matteo Cassio via QGIS-User wrote:
>
> Dear QGIS team,
>
> I hope this email finds you well.
>
> Our vulnerability scan detected a vulnerability in the Python
> libraries in QGIS 3.4.0.2.
>
> The report states:
>
> “The version of the Pandas library installed on the remote host has an
> unpatched exposure. It is, therefore, affected by a code injection
> vulnerability in the pandas.DataFrame.query function. The function is
> intended to allow querying the columns of a DataFrame using a boolean
> expression. A malicious attacker can construct a malicious query to
> bypass input validation mechanisms and trigger a code injection
> vulnerability which can lead to command execution if the code passes
> untrusted input into self.eval().”
>
>
> The library is stored in this directory: C:\Program Files\QGIS
> 3.40.2\apps\Python312\Lib.
>
> Could you please advise as to whether this is a false positive or a
> known issue?
>
> Thank you.
>
> Kind regards,
>
> Matteo Cassio
>
> Senior IT Systems Engineer
>
> MCassio at brydenwood.co.uk
> +44 (0)20 7253 4772
> 101 Euston Road
> London
> NW1 2RA
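The quoted scanner finding concerns untrusted strings reaching pandas.DataFrame.query(), which evaluates the expression. The example below is added here and is not QGIS or pandas code: it shows the defensive pattern of never handing the user string to query()/eval() at all, instead parsing a deliberately tiny filter grammar (hypothetical: `column op literal`), allowlisting the column and operator, and building the boolean mask with ordinary comparisons. pandas is imported only inside `safe_filter`, so the validator runs on any interpreter.

```python
import operator
import re
from typing import Any, Callable, Dict, Set, Tuple

# Only these comparison operators are ever applied; nothing reaches eval().
ALLOWED_OPS: Dict[str, Callable[[Any, Any], Any]] = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}

# Hypothetical grammar: exactly one comparison, literal is a number or a
# single-quoted string without quotes/backslashes. Anything else is rejected.
_FILTER_RE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*(==|!=|<=|>=|<|>)\s*(-?\d+(?:\.\d+)?|'[^'\\]*')\s*$"
)


def parse_filter(spec: str, allowed_columns: Set[str]) -> Tuple[str, str, Any]:
    """Validate an untrusted filter string; raise ValueError unless it is
    `column op literal` with a column the caller explicitly allows."""
    m = _FILTER_RE.match(spec)
    if not m:
        raise ValueError("filter must be exactly 'column op literal'")
    column, op, literal = m.groups()
    if column not in allowed_columns:
        raise ValueError(f"unknown column {column!r}")
    if literal.startswith("'"):
        value: Any = literal[1:-1]
    else:
        value = float(literal) if "." in literal else int(literal)
    return column, op, value


def rejects(spec: str, allowed_columns: Set[str]) -> bool:
    """True if parse_filter refuses the spec (handy for checks and tests)."""
    try:
        parse_filter(spec, allowed_columns)
    except ValueError:
        return True
    return False


def safe_filter(df, spec: str):
    """Apply a validated filter to a DataFrame without df.query()/df.eval()."""
    import pandas as pd  # noqa: F401  (only needed when a DataFrame is passed)
    column, op, value = parse_filter(spec, set(df.columns))
    mask = ALLOWED_OPS[op](df[column], value)  # plain vectorised comparison
    return df[mask]
```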