Hi Matteo,

thanks for raising this.

As for dependency vulnerabilities, this depends on the packaging system you use to install QGIS. If you are using the Windows installer, can you please open an issue at https://trac.osgeo.org/osgeo4w. This requires an OSGeo login, which you can obtain at https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/

If you suspect this is related to QGIS core, or that this is a critical vulnerability, you can contact the security team privately at secur...@qgis.org, so that we can fix and deploy corrective action before public disclosure, which is the recommended workflow.

When raising a report from a scanner, we will need more details about the exact versions spotted by the scanner, the vulnerability ID (aka CVE number) and a copy of the full report.

Take also a close look at the vulnerability score: if it is above 7 or 8, this becomes urgent. If below, you can just raise the issue with us and maybe wait for upgrades to be delivered in the normal workflow.

Finally, keep a critical approach to security. While QGIS Server can be exposed on a web server and be very sensitive, it rarely uses Windows packaging, whereas QGIS Desktop is not supposed to be exposed on the web.

The Python ecosystem is full of such vulnerabilities, which do not make much sense when you are on desktop software with Python scripting capabilities, with basically the ability to wipe or encrypt your disk. We will take care of the packaging, but we also need to prioritize urgency on critical issues.

Thanks again for your help here. We are flooded by vulnerability reports, and we need to learn how to deal with this as a community. Work is planned on this front to handle it, but every GIS and IT admin will also have to learn this whole security stuff.

Cheers

Régis
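The reply above asks reporters to supply the exact installed versions, the CVE number and the score before anyone decides how urgent a finding is. The script below is an added example (not QGIS project code) that inventories the packages bundled under a QGIS Python directory and applies that triage rule. The advisory entry, the CVE placeholder, the fixed version "99.0.0", the score and the 7.0 urgency threshold are all constructed assumptions, because the thread gives no CVE number or fixed version for the pandas finding; replace them with the values from the real scanner report.

```python
"""Inventory a bundled Python install and triage scanner findings by score.

Added example, not QGIS project code. Point ``inventory`` at the
site-packages directory of the bundled interpreter, e.g. for the thread's
install: C:\\Program Files\\QGIS 3.40.2\\apps\\Python312\\Lib\\site-packages
"""
import os
import tempfile
from importlib.metadata import distributions

# Constructed advisory entry (assumption): the real CVE number, fixed
# version and CVSS score must be taken from the scanner report.
ADVISORIES = [
    {
        "package": "pandas",
        "cve": "CVE-PLACEHOLDER",
        "fixed_in": "99.0.0",
        "cvss": 7.5,
        "component": "pandas.DataFrame.query",
    },
]

# Assumed threshold, following the reply's "above 7 or 8 becomes urgent".
URGENT_THRESHOLD = 7.0


def parse_version(text):
    """Turn '3.40.2' into (3, 40, 2) so versions compare numerically,
    not lexically (lexical compare would rank '3.4.0.2' above '3.40.2')."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inventory(lib_dir):
    """Map lower-cased package name -> installed version for every
    *.dist-info found directly under lib_dir."""
    found = {}
    for dist in distributions(path=[lib_dir]):
        name = dist.metadata["Name"]
        if name:
            found[name.lower()] = dist.version
    return found


def triage(lib_dir, advisories=ADVISORIES, threshold=URGENT_THRESHOLD):
    """Return one record per advisory whose package is installed, flagging
    whether the installed version is below the fix and whether the CVSS
    score makes it urgent under the threshold."""
    installed = inventory(lib_dir)
    results = []
    for adv in advisories:
        version = installed.get(adv["package"].lower())
        if version is None:
            continue  # package not bundled here: not our finding to chase
        affected = parse_version(version) < parse_version(adv["fixed_in"])
        results.append({
            "package": adv["package"],
            "installed": version,
            "cve": adv["cve"],
            "cvss": adv["cvss"],
            "affected": affected,
            "urgent": affected and adv["cvss"] >= threshold,
        })
    return results


def make_sample_lib():
    """Build a constructed site-packages directory containing only a fake
    pandas 2.2.0 dist-info, so the script runs offline without QGIS."""
    root = tempfile.mkdtemp(prefix="qgis-lib-")
    info = os.path.join(root, "pandas-2.2.0.dist-info")
    os.makedirs(info)
    with open(os.path.join(info, "METADATA"), "w", encoding="utf-8") as fh:
        fh.write("Metadata-Version: 2.1\nName: pandas\nVersion: 2.2.0\n")
    return root


if __name__ == "__main__":
    for rec in triage(make_sample_lib()):
        print(rec)
```

Run it against the real directory by calling `triage(r"C:\Program Files\QGIS 3.40.2\apps\Python312\Lib\site-packages")`; the records it returns carry exactly the fields the reply asks for (package, installed version, CVE, score), so they can be pasted into the tracker issue or the private report.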


On 22/01/2025 13:31, Matteo Cassio via QGIS-User wrote:

Dear QGIS team,

I hope this email finds you well.

Our vulnerability scan detected a vulnerability in the Python libraries in QGIS 3.4.0.2.

The report states:

“The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker can construct a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input into self.eval().”


The library is stored in this directory: C:\Program Files\QGIS 3.40.2\apps\Python312\Lib.

Could you please advise as to whether this is a false positive or a known issue?

Thank you.

Kind regards,



Matteo Cassio

Senior IT Systems Engineer

mcas...@brydenwood.co.uk
+44 (0)20 7253 4772
101 Euston Road
London
NW1 2RA



_______________________________________________
QGIS-User mailing list
QGIS-User@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user