Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#813 closed defect (fixed)

Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer

Reported by: ascottwwf Owned by: osgeo4w-dev@…
Priority: major Component: Package
Version: Keywords: PostgreSQL, OSGEO, QGIS LTR 3.28.15
Cc:

Description

Hello,

In a similar guise to [ticket #811], I have discovered that the latest installer is deploying a 15.2.0 version of a PostgreSQL executable, in my chosen install path, this is found here: C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe

This version currently contains 7 security vulnerabilities (3 High Severity, 2 Medium and 2 Low) This version of PostgreSQL was only released last year on 9th Febrary 2023 (https://www.postgresql.org/docs/release/15.2/), the latest v15.x version was released on 9th November 2023 (v15.5 - https://www.postgresql.org/docs/release/15.5/)

I am unsure if this PostgreSQL executable is installed as a requirement of QGIS LTR or the OSGEO4W installer, but as this bundled software contains such critical vulnerabilities it needs to be updated as soon as possible to remove the security risk.

Please can you advise whether I need to raise this with QGIS or if the OSGEO4W installer needs to be updated / fixed?

If it is the OSGEO4W installer, please can you give an indication when we can expect to see a fix available?

Thanks in advance, Regards,

Adrian Scott

Change History (6)

comment:1 by jef, 10 months ago

Do those affect the client at all?

comment:2 by jratike80, 10 months ago

I do not know why the pg_dump https://www.postgresql.org/docs/current/app-pgdump.html program comes with QGIS, but I do not see this backup/restore utility mentioned in the vulnerabilities https://security.snyk.io/package/linux/debian:12/postgresql-15.

comment:3 by ascottwwf, 10 months ago

Yes this appears that it might be a false reporting issue <sigh>!

Searching this page (https://www.postgresql.org/support/security/15/) for pg_dump returns no results, however it is not conclusive that just because there is no mention of this specific file it is not still vulnerable.

FYI: I do note however that there are mentions of pg_dump being vulnerable found in much earlier versions of PostgreSQL (e.g. v10).

If it is a case of false reporting, it may take some time to get the false report issue removed.

If it can be done? - It might still be prudent to get the OSGEO / QGIS distro updated to deliver the latest PostgreSQL version v15.5 as mentioned in my original posting, at least then it has not installed a version of pg_dump.exe that comes from a package which is considered vulnerable / has vulnerable components? - Which for now we do have to consider pg_dump.exe could be vulnerable.

Last edited 10 months ago by ascottwwf (previous) (diff)

comment:4 by jef, 10 months ago

Resolution: fixed
Status: newclosed

in reply to:  4 comment:5 by ascottwwf, 10 months ago

Replying to jef:

fixed in https://github.com/jef-n/OSGeo4W/commit/33f5fb72a3357a56d4ab8da8d96c830815039a48

Thanks for the prompt turnaround again @jef

comment:6 by ascottwwf, 10 months ago

As confirmation, I have just updated my QGIS LTR 3.28.15 install, and all the PostgreSQL files have been successfully updated to PostgreSQL v16.1

PowerShell evidence:

PS C:\Program Files\OSGeo4W_v2\bin> Get-ChildItem *.dll,*.exe | % {$_.VersionInfo} | Select-Object * | Where-Object CompanyName -like "PostgreSQL*" | Select-Object ProductVersion,FileVersionRaw,FileName,FileDescription | Format-Table -AutoSize
 
ProductVersion FileVersionRaw FileName                                       FileDescription
-------------- -------------- --------                                       ---------------
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\libpq.dll      PostgreSQL Access Library
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe    pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_dumpall.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\pg_restore.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases
16.1           16.0.1.0       C:\Program Files\OSGeo4W_v2\bin\psql.exe       psql - the PostgreSQL interactive terminal

Thanks again :-)

Note: See TracTickets for help on using tickets.