#811 closed defect (fixed)
Vulnerable Python 3.9.5 executable exists after install latest of QGIS LTR 3.28.14 using the OSGEO4W installer
| Reported by: | ascottwwf | Owned by: | |
|---|---|---|---|
| Priority: | major | Component: | Package |
| Version: | | Keywords: | Python 3.9.5 Vulnerabilities |
| Cc: | | | |
Description
Hello,
I have just packaged up the latest QGIS LTR 3.28.14 install (Released back around 22nd December) for distribution to our users, we install using the OSGEO4W installer.
I have discovered that the latest installer is deploying an old 3.9.5 version of Python. This version was released on 3rd May 2021 (https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-5-final) and has been superseded by numerous 3.9.x versions (mainly to fix various bugs and security vulnerabilities). The latest 3.9.x branch is currently 3.9.18 (released 24th August 2023 - https://docs.python.org/release/3.9.18/whatsnew/changelog.html#python-3-9-18-final); this latest version cumulatively fixes 15 security vulnerabilities (CVEs) that exist in v3.9.5. Two of these CVEs are classified as critical.
N.B. There are later branches of Python 3.x available: https://www.python.org/downloads/ (all of which have a longer support life than 3.9), the latest being 3.12.1, although it is worth noting v3.13 is due for release any day now. You may wish to consider updating Python to a later supported branch.
FYI: This is my PowerShell install script which we trigger on the users' machines to install or upgrade to the latest QGIS LTR version:
```powershell
Write-Host "=== Start installing / upgrading QGIS LTR..." -ForegroundColor Green

# Save current working directory
$starter_path = Get-Location

# Move into the user download directory
Set-Location -Path "$($env:TEMP)"

# Set saved name of File to be downloaded
$OutFile = "osgeo4w-setup.exe"

# Download installer
Write-Host " = Start downloading the OSGeo4W installer..." -ForegroundColor Yellow
Invoke-WebRequest -Uri "https://download.osgeo.org/osgeo4w/v2/osgeo4w-setup.exe" -OutFile $OutFile

# Download and install (same command to upgrade with clean up)
Write-Host " = Start installing / upgrading QGIS LTR..." -ForegroundColor Yellow
& .\$($OutFile) `
    --quiet-mode `
    --advanced `
    --arch x86_64 `
    --autoaccept `
    --delete-orphans `
    --local-package-dir "$($env:APPDATA)\OSGeo4W_v2-Packages" `
    --menu-name "QGIS LTR" `
    --no-desktop `
    --packages qgis-ltr-full `
    --root "$($env:ProgramFiles)\OSGeo4W_v2" `
    --site "https://www.norbit.de/osgeo4w/v2" `
    --site "https://download.osgeo.org/osgeo4w/v2" `
    --site "https://ftp.osuosl.org/pub/osgeo/download/osgeo4w/v2" `
    --upgrade-also `
    | out-null

# Return to the initial directory
Set-Location -Path $starter_path

Write-Host "==== Work is done!" -ForegroundColor Green
```
Evidence
Using PowerShell, I can show the existence of these Python 3.9.x files along with their versions within our QGIS install:
```
PS C:\Program Files\OSGeo4W_v2> Get-ChildItem python*.dll,python*.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | ft -auto

ProductVersion FileVersionRaw FileName
-------------- -------------- --------
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pythonwin\Pythonwin.exe
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pywin32_system32\pythoncom...
3.9.304.0      3.9.304.0      C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\win32\pythonservice.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python39.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\python39.dll
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw.exe
3.9.5          3.9.5150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw3.exe
```
I am unsure if Python is installed as a requirement of QGIS LTR or the OSGEO4W installer, but as this bundled software contains such critical vulnerabilities it needs to be updated as soon as possible to remove the security risk.
- Please can you advise whether I need to raise this with QGIS or if the OSGEO4W installer needs to be updated / fixed?
- If it is the OSGEO4W installer, please can you give an indication when we can expect to see a fix available?
Thanks in advance,
Regards,
Adrian Scott
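As an added example (not part of this ticket, the reporter's script, or the OSGeo4W project), the following PowerShell turns the version listing above into a pass/fail audit that can run after each install. It assumes the default install root from the reporter's script and uses 3.9.18, the version the fix shipped, as the minimum acceptable patch level; both are parameters. It deliberately ignores the pywin32 files (Pythonwin.exe, pythonservice.exe, pythoncom*.dll) whose 3.9.304-style version string is pywin32's own and says nothing about the interpreter.

```powershell
# Added audit check, not from the ticket or OSGeo4W. Assumed defaults: the OSGeo4W_v2
# root used in the reporter's install script and 3.9.18 as the minimum CPython build.
param(
    [string]$Root = "$($env:ProgramFiles)\OSGeo4W_v2",
    [version]$MinimumVersion = [version]"3.9.18"
)

# Only the real interpreter binaries and DLLs; pywin32 ships its own python*.exe
# and pythoncom*.dll carrying a pywin32 build number, not a CPython version.
$interpreterNames = @('python.exe', 'python3.exe', 'pythonw.exe', 'pythonw3.exe',
                      'python3.dll', 'python39.dll')

$findings = Get-ChildItem -Path $Root -Include python*.dll, python*.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $interpreterNames -contains $_.Name.ToLower() } |
    ForEach-Object {
        $vi = $_.VersionInfo
        # ProductVersion is the short form ("3.9.5"); FileVersionRaw is the full
        # 3.9.5150.1013 form. Prefer the short form, fall back to the raw one.
        $parsed = $null
        if (-not [version]::TryParse($vi.ProductVersion, [ref]$parsed)) {
            $parsed = $vi.FileVersionRaw
        }
        [pscustomobject]@{
            Outdated       = ($parsed -lt $MinimumVersion)
            ProductVersion = $vi.ProductVersion
            FileVersionRaw = $vi.FileVersionRaw
            Path           = $_.FullName
        }
    }

# Outdated files first so they are visible at the top of the report.
$findings |
    Sort-Object @{ Expression = 'Outdated'; Descending = $true }, Path |
    Format-Table -AutoSize Outdated, ProductVersion, FileVersionRaw, Path

$bad = @($findings | Where-Object { $_.Outdated })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) CPython file(s) under $Root are older than $MinimumVersion"
    exit 1
}
if (-not $findings) {
    Write-Warning "No CPython files found under $Root; check the -Root path"
    exit 2
}
Write-Host "All CPython files under $Root are at $MinimumVersion or newer" -ForegroundColor Green
exit 0
```

Run it as `.\Check-OSGeo4WPython.ps1 -Root 'C:\Program Files\OSGeo4W_v2' -MinimumVersion 3.9.18` from the deployment pipeline and gate on the exit code. Note that it compares file version resources against a floor you choose; it does not consult a CVE feed, so the floor has to be raised whenever a newer 3.9.x (or the branch itself) is adopted.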
Change History (3)
comment:1 by , 10 months ago
comment:2 by , 10 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:3 by , 10 months ago
Thank You jef,
I can confirm a fresh install of QGIS v3.28.14 using the OSGEO4W installer (in a sandbox) now has Python v3.9.18 installed.
A repeat of the PowerShell evidence from above showing the new Python versions:
```
PS C:\Program Files\OSGeo4W_v2> Get-ChildItem python*.dll,python*.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | ft -auto

ProductVersion FileVersionRaw  FileName
-------------- --------------  --------
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\python3.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\python39.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\python.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\venv\scripts\nt\pythonw.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python3.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\python39.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\apps\Python39\pythonw3.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\python.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\python3.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\python39.dll
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw.exe
3.9.18         3.9.18150.1013  C:\Program Files\OSGeo4W_v2\bin\pythonw3.exe
3.9.304.0      3.9.304.0       C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pythonwin\Pythonwin.exe
3.9.304.0      3.9.304.0       C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\pywin32_system32\pythoncom...
3.9.304.0      3.9.304.0       C:\Program Files\OSGeo4W_v2\apps\Python39\Lib\site-packages\win32\pythonservice.exe
```
Fixed in https://github.com/jef-n/OSGeo4W/commit/c290dc6c5d7d2ab4cbe0a5bb256d05839189633c