PICARD-2775: Mitigate libwebp vulnerability (CVE-2023-4863)

A libwebp vulnerarbility allows arbitrary code execution when loading a manipulated image. Disable the Qt webp imageformat plugin for binary builds for macOS and Windows for now. WebP images still can be loaded and saved, but they will not be displayed.
metabrainz · Oct 10, 2023 · 892693b · 892693b
1 parent c0e8e2e
commit 892693b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
@@ -69,6 +69,10 @@ pushd "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/"
 ln -s "../../../Resources/$QT5_DIR/translations" .
 popd
 
+# Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
+# Disable the Qt webp imageformat plugin.
+rm "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/plugins/imageformats/libqwebp.dylib"
+
 if [ "$CODESIGN" = '1' ]; then
     # Enable hardened runtime if app will get notarized
     if [ "$NOTARIZE" = "1" ]; then

diff --git a/scripts/package/win-common.ps1 b/scripts/package/win-common.ps1
@@ -53,4 +53,8 @@ Function FinalizePackage {
   $Qt5BinDir = (Join-Path -Path $Path -ChildPath PyQt5\Qt5\bin)
   Move-Item -Path (Join-Path -Path $Qt5BinDir -ChildPath *.dll) -Destination $Path -Force
   Remove-Item -Path $Qt5BinDir
+
+  # Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
+  # Disable the Qt webp imageformat plugin.
+  Remove-Item -Path (Join-Path -Path $Path -ChildPath PyQt5\Qt5\plugins\imageformats\qwebp.dll)
 }