Opened 4 months ago

Closed 4 months ago

Last modified 3 months ago

#813 closed defect (fixed)

Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer

Reported by: ascottwwf
Owned by: osgeo4w-dev@…
Priority: major
Component: Package
Version:
Keywords: PostgreSQL, OSGEO, QGIS LTR 3.28.15
Cc:

Description

Hello,

In a similar guise to [ticket #811], I have discovered that the latest installer is deploying a 15.2.0 version of a PostgreSQL executable. In my chosen install path, this is found here: C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe

This version currently contains 7 security vulnerabilities (3 High Severity, 2 Medium and 2 Low). This version of PostgreSQL was only released last year on 9th February 2023 (https://www.postgresql.org/docs/release/15.2/); the latest v15.x version was released on 9th November 2023 (v15.5 - https://www.postgresql.org/docs/release/15.5/).

I am unsure if this PostgreSQL executable is installed as a requirement of QGIS LTR or the OSGEO4W installer, but as this bundled software contains such critical vulnerabilities it needs to be updated as soon as possible to remove the security risk.

Please can you advise whether I need to raise this with QGIS or if the OSGEO4W installer needs to be updated / fixed?

If it is the OSGEO4W installer, please can you give an indication when we can expect to see a fix available?

Thanks in advance, Regards,

Adrian Scott

Change History (6)

comment:1 by jef, 4 months ago

Do those affect the client at all?

comment:2 by jratike80, 4 months ago

I do not know why the pg_dump https://www.postgresql.org/docs/current/app-pgdump.html program comes with QGIS, but I do not see this backup/restore utility mentioned in the vulnerabilities https://security.snyk.io/package/linux/debian:12/postgresql-15.

comment:3 by ascottwwf, 4 months ago

Yes, it appears that this might be a false reporting issue <sigh>!

Searching this page (https://www.postgresql.org/support/security/15/) for pg_dump returns no results, however it is not conclusive that just because there is no mention of this specific file it is not still vulnerable.

FYI: I do note however that there are mentions of pg_dump being vulnerable found in much earlier versions of PostgreSQL (e.g. v10).

If it is a case of false reporting, it may take some time to get the false report issue removed.

If it can be done, it might still be prudent to get the OSGEO / QGIS distro updated to deliver the latest PostgreSQL version v15.5 as mentioned in my original posting; at least then it has not installed a version of pg_dump.exe that comes from a package which is considered vulnerable / has vulnerable components. For now we do have to consider that pg_dump.exe could be vulnerable.

Last edited 4 months ago by ascottwwf

comment:4 by jef, 4 months ago

Resolution: fixed
Status: new → closed

comment:5 by ascottwwf, 3 months ago (in reply to comment:4)

Replying to jef:

fixed in https://github.com/jef-n/OSGeo4W/commit/33f5fb72a3357a56d4ab8da8d96c830815039a48

Thanks for the prompt turnaround again @jef

comment:6 by ascottwwf, 3 months ago

As confirmation, I have just updated my QGIS LTR 3.28.15 install, and all the PostgreSQL files have been successfully updated to PostgreSQL v16.1.

PowerShell evidence:

PS C:\Program Files\OSGeo4W_v2\bin> Get-ChildItem *.dll,*.exe | % {$_.VersionInfo} | Select-Object * | Where-Object CompanyName -like "PostgreSQL*" | Select-Object ProductVersion,FileVersionRaw,FileName,FileDescription | Format-Table -AutoSize
 
ProductVersion FileVersionRaw FileName                                       FileDescription
-------------- -------------- --------                                       ---------------
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\libpq.dll      PostgreSQL Access Library
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe    pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_dumpall.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_restore.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\psql.exe       psql - the PostgreSQL interactive terminal

Thanks again :-)
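The one-liner above lists the PostgreSQL-branded binaries shipped in the OSGeo4W bin directory. As an added example (not part of the ticket or of OSGeo4W itself), the script below turns that inventory into a repeatable check: it reads each file's version resource, compares the product version against a minimum you consider patched, and reports anything older, so the same verification can be run after every installer update. The install path and the 16.1 baseline are assumptions taken from this ticket; adjust them for your environment.

```powershell
# Added example, not OSGeo4W's own code. Flags PostgreSQL components under an
# OSGeo4W install whose ProductVersion is below a chosen baseline.
function Get-PostgresComponentReport {
    param(
        # Assumed install path (matches the path quoted in this ticket).
        [string]$BinDir = 'C:\Program Files\OSGeo4W_v2\bin',
        # Assumed baseline: the version the fix in this ticket shipped.
        [version]$MinimumVersion = [version]'16.1'
    )

    Get-ChildItem -Path (Join-Path $BinDir '*') -Include *.dll, *.exe |
        ForEach-Object { $_.VersionInfo } |
        Where-Object { $_.CompanyName -like 'PostgreSQL*' } |
        ForEach-Object {
            # ProductVersion carries the human-readable release (e.g. "16.1").
            # FileVersionRaw is encoded as major.0.minor.0 (16.0.1.0 in the
            # ticket output), so it is not directly comparable to "16.1".
            $parsed = $null
            $ok = [version]::TryParse($_.ProductVersion, [ref]$parsed)

            if (-not $ok) {
                $status = 'UNPARSEABLE'
            } elseif ($parsed -lt $MinimumVersion) {
                $status = 'OUTDATED'
            } else {
                $status = 'OK'
            }

            [pscustomobject]@{
                FileName        = $_.FileName
                ProductVersion  = $_.ProductVersion
                FileDescription = $_.FileDescription
                Status          = $status
            }
        }
}

# Usage: print the table and warn on anything that is not at the baseline.
$report = Get-PostgresComponentReport
$report | Format-Table -AutoSize

$problems = @($report | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} PostgreSQL component(s) below the baseline or unparseable." -f $problems.Count)
} else {
    Write-Host 'All PostgreSQL components meet the minimum version.'
}
```

Running this against the directory shown in comment:6 should report every listed file as OK; on an install that still carries the 15.2 binaries from the original report it would mark them OUTDATED. Because the check keys on CompanyName and ProductVersion rather than on file names, it also catches PostgreSQL libraries such as libpq.dll that a name-based search for pg_dump would miss.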
