Impact
An issue in the libwebp library has recently been reported and assigned CVE-2023-4863. When a malicious WebP image is passed to the library, it can cause a buffer overflow.
Binary distributions of Picard for Windows and macOS are affected by this, as they bundle the Qt imageformat plugin for WebP.
Patches
Qt has issued a patch. Building the webp imageformat plugin against a patched libwebp would solve the issue. This is currently complicated because we distribute the binary build from https://pypi.org/project/PyQt5-Qt5/, which has not yet been updated to address the issue.
Workarounds
- Removing the webp imageformat plugin from the distribution package disables WebP support and avoids the security issue.
- Users can also manually delete the qwebp.dll or qwebp.so file from Qt5/plugins/imageformats/ in the installed application.
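A small verification script for the plugin-removal workaround, added here as an example and not Picard's or Qt's own tooling: it lists the qwebp plugin files under a Qt5/plugins directory, deletes them only when explicitly asked, and exercises that behaviour on a constructed directory layout. The lib-prefixed file names and the optional PyQt5 runtime check are assumptions beyond what the advisory states.

```python
"""Verify (and optionally apply) the advisory's workaround: drop Qt's qwebp imageformat plugin."""
import tempfile
from pathlib import Path

# qwebp.dll / qwebp.so are the names in the advisory; the lib* forms are assumed for macOS/Linux.
WEBP_PLUGIN_NAMES = ("qwebp.dll", "qwebp.so", "libqwebp.so", "libqwebp.dylib")


def find_webp_plugins(plugins_dir):
    """Return qwebp plugin files under <plugins_dir>/imageformats (empty list if none)."""
    fmt_dir = Path(plugins_dir) / "imageformats"
    if not fmt_dir.is_dir():
        return []
    return sorted(p for p in fmt_dir.iterdir() if p.name in WEBP_PLUGIN_NAMES)


def remove_webp_plugins(plugins_dir, dry_run=True):
    """Delete the qwebp plugin files; returns the names removed (or that would be, when dry_run)."""
    found = find_webp_plugins(plugins_dir)
    for path in found:
        if not dry_run:
            path.unlink()
    return [p.name for p in found]


def qt_still_decodes_webp():
    """Ask the Qt runtime whether it still advertises WebP decoding; None if PyQt5 is absent (assumed API)."""
    try:
        from PyQt5.QtGui import QImageReader
    except ImportError:
        return None
    return b"webp" in [bytes(f) for f in QImageReader.supportedImageFormats()]


def demo_on_constructed_tree():
    """Run the workaround against a throwaway plugins layout (constructed here, not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        fmt_dir = Path(tmp) / "imageformats"
        fmt_dir.mkdir()
        for name in ("qwebp.dll", "qjpeg.dll", "qgif.dll"):  # one WebP plugin, two unrelated ones
            (fmt_dir / name).write_bytes(b"")
        planned = remove_webp_plugins(tmp, dry_run=True)
        still_there = (fmt_dir / "qwebp.dll").exists()       # dry run must not delete anything
        removed = remove_webp_plugins(tmp, dry_run=False)
        after = [p.name for p in find_webp_plugins(tmp)]
        kept = sorted(p.name for p in fmt_dir.iterdir())       # unrelated plugins must survive
    return {"planned": planned, "still_there": still_there, "removed": removed, "after": after, "kept": kept}
```

After deleting the plugin from a real install, `qt_still_decodes_webp()` run inside the same Python environment should report False, confirming Qt no longer advertises the format.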