Incomplete PE version parsing in python checker on Windows (missing FileVersion from metadata)

[alex-cheng-techman]

Describe the bug

On Windows, the python checker (and potentially others) fails to extract correct FileVersion or ProductVersion from PE files like .dll and .exe, even when these values are present in the version resource of the file.

The fallback super().get_versions() returns UNKNOWN or incorrect version numbers extracted from unrelated strings (e.g. 6.0.0, 1.2.13).

To Reproduce
Steps to reproduce the behavior:

Run cve-bin-tool v3.4 on any recent Windows Python binary (e.g. python310.dll or python.exe from Python 3.10.11).

Use -l debug and observe that:

Log says no ProductVersion/FileVersion found in PE metadata

Version is detected as UNKNOWN

No CVEs are reported

Expected behavior
Proper version should be extracted from PE resource metadata like:

txt
複製
編輯
StringFileInfo > 040904b0 > FileVersion: 3.10.11
and matched against known CVEs.

Proposed fix
Use pefile to properly parse FileInfo structure, like this:

python
複製
編輯
import pefile
pe = pefile.PE(filepath)
for entry in pe.FileInfo:
if entry.Key == b'StringFileInfo':
for st in entry.StringTable:
version = st.entries.get(b'FileVersion') or st.entries.get(b'ProductVersion')
...
or wrap this in a PE-specific helper (e.g. extract_pe_version()).

Environment:

OS: Windows 10/11

Python version: tested with 3.10.11 and 3.13.3

CVE Binary Tool version: 3.4

Additional context
After manually patching the checker to extract PE version via pefile, the tool detects CVEs correctly (e.g., CVE-2023-24329, CVE-2023-27043, etc.).

Suggested workaround (also worth integrating):

python
複製
編輯
VENDOR_PRODUCT = [
("python_software_foundation", "python"),
("python", "python"),
("python", "cpython"),
("cpython", "cpython"),
]

[terriko]

Sounds like a good plan. I honestly don't know much about windows parsing, so I'm not entirely surprised we didn't know to do this. Looks like pefile is MIT licensed so should be okay to use it (though it will take me longer than usual to incorporate any PR because I need to file licensing paperwork behind the scenes).

I'm not likely to get to this any time soon since my cve-bin-tool time is going towards ramping up our new gsoc contributors for the next month or so, but this seems pretty well-described so hopefully someone else can take it on!

[alex-cheng-techman]

Hi maintainers,

As a follow-up to issue #5074, I’ve implemented and tested a working solution that improves PE version parsing on Windows, especially for Python-related binaries (.exe, .dll, .pyd, etc.).

🔧 Solution Summary
The core of the fix is to augment the parsed string data with PE metadata extracted using pefile. Specifically, I added this line after parsing string content in scan_file():

Here is the core of the fix:

# version_scanner.py (in scan_file)
lines = parse_strings(filename)
lines += self.extract_version_from_pe(filename)
...
# The extract_version_from_pe() function:
def extract_version_from_pe(self, filename: str) -> str:
    try:
        info = ""
        with pefile.PE(filename) as pe:
            for fileinfo in pe.FileInfo:
                for entry in fileinfo:
                    if entry.Key == b'StringFileInfo':
                        for st in entry.StringTable:
                            entries = st.entries
                            product_name = entries.get(b'ProductName', b'').decode(errors='ignore')
                            product_version = entries.get(b'ProductVersion', b'').decode(errors='ignore')
                            company_name = entries.get(b'CompanyName', b'').decode(errors='ignore')
                            info = f"{product_name} {product_version} {company_name}"
                            self.logger.debug(f"PE Metadata: {info}")
    except Exception as e:
        LOGGER.debug(f"[PE Metadata] Failed to parse PE file {filename}: {e}")
    return info

The extract_version_from_pe() method reads ProductName, ProductVersion, and CompanyName from the StringFileInfo block of the PE file. This extra metadata significantly improves the accuracy of checker matching on Windows PE binaries.

✔️ Result
The Python checker now correctly identifies version information like 3.10.11, 3.13.3, etc., which were previously undetected or defaulted to UNKNOWN.

Tested across .dll, .exe, .pyd files on Windows.

Also resolved a related file locking issue during temp cleanup (by using with pefile.PE(...) to ensure file handles are released).

I’ve attached the enhanced version of version_scanner.py for your reference.

Would you consider integrating this approach into the main branch?

[Thanks!``]

[terriko]

Yes, please open a PR if you've got a fix. As I said, it'll take longer than usual to merge because I have to complete legal license compatibility paperwork, but there's no reason not to start the code review process now.

[alex-cheng-techman]

Open PR#5159 for it.

[alex-cheng-techman]

I issue a PR#5159 for it. Best Regards, 鄭滇濤 Alex Cheng Techman Robot Inc. www.tm-robot.com<http://www.tm-robot.com> TEL: + 886 3 328 8350 #12902 This e-mail is confidential and may also be privileged. If you are not the intended recipient, please notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. From: DoeWayne ***@***.***> Sent: Wednesday, June 18, 2025 8:15 PM To: intel/cve-bin-tool ***@***.***> Cc: alex.cheng 鄭滇濤 ***@***.***>; Author ***@***.***> Subject: Re: [intel/cve-bin-tool] Incomplete PE version parsing in python checker on Windows (missing FileVersion from metadata) (Issue #5074) [https://avatars.githubusercontent.com/u/32009137?s=20&v=4]DoeWayne left a comment (intel/cve-bin-tool#5074)<#5074 (comment)> Hi maintainers, As a follow-up to issue #5074<#5074>, I’ve implemented and tested a working solution that improves PE version parsing on Windows, especially for Python-related binaries (.exe, .dll, .pyd, etc.). 🔧 Solution Summary The core of the fix is to augment the parsed string data with PE metadata extracted using pefile<https://github.com/erocarrera/pefile>. Specifically, I added this line after parsing string content in scan_file(): Here is the core of the fix: version_scanner.py (in scan_file) lines = parse_strings(filename) lines += self.extract_version_from_pe(filename) ... The extract_version_from_pe() function: def extract_version_from_pe(self, filename: str) -> str: try: info = "" with pefile.PE(filename) as pe: for fileinfo in pe.FileInfo: for entry in fileinfo: if entry.Key == b'StringFileInfo': for st in entry.StringTable: entries = st.entries product_name = entries.get(b'ProductName', b'').decode(errors='ignore') product_version = entries.get(b'ProductVersion', b'').decode(errors='ignore') company_name = entries.get(b'CompanyName', b'').decode(errors='ignore') info = f"{product_name} {product_version} {company_name}" self.logger.debug(f"PE Metadata: {info}") except Exception as e: LOGGER.debug(f"[PE Metadata] Failed to parse PE file {filename}: {e}") return info The extract_version_from_pe() method reads ProductName, ProductVersion, and CompanyName from the StringFileInfo block of the PE file. This extra metadata significantly improves the accuracy of checker matching on Windows PE binaries. ✔️ Result The Python checker now correctly identifies version information like 3.10.11, 3.13.3, etc., which were previously undetected or defaulted to UNKNOWN. Tested across .dll, .exe, .pyd files on Windows. Also resolved a related file locking issue during temp cleanup (by using with pefile.PE(...) to ensure file handles are released). I’ve attached the enhanced version of version_scanner.py for your reference. Would you consider integrating this approach into the main branch? [Thanks!``] where can I get this fix from? — Reply to this email directly, view it on GitHub<#5074 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BRTUUYLX6MGUXIMVN5GSEZD3EFJ4PAVCNFSM6AAAAAB44HIPQ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDSOBTHE2TQOBXGM>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

[yamashita721]

Hi, I'm new here, can i work on this issue?

[alex-cheng-techman]

fixed by PR #5180