From 892693be67962879aad0b08fc72a3a89f249e494 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer <ph.wolfer@gmail.com>
Date: Tue, 10 Oct 2023 08:11:45 +0200
Subject: [PATCH] PICARD-2775: Mitigate libwebp vulnerability (CVE-2023-4863)

A libwebp vulnerarbility allows arbitrary code execution when loading
a manipulated image. Disable the Qt webp imageformat plugin for binary
builds for macOS and Windows for now. WebP images still can be loaded
and saved, but they will not be displayed.
---
 scripts/package/macos-package-app.sh | 4 ++++
 scripts/package/win-common.ps1       | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index 71c24534a..44d4301c4 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
@@ -69,6 +69,10 @@ pushd "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/"
 ln -s "../../../Resources/$QT5_DIR/translations" .
 popd
 
+# Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
+# Disable the Qt webp imageformat plugin.
+rm "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/plugins/imageformats/libqwebp.dylib"
+
 if [ "$CODESIGN" = '1' ]; then
     # Enable hardened runtime if app will get notarized
     if [ "$NOTARIZE" = "1" ]; then
diff --git a/scripts/package/win-common.ps1 b/scripts/package/win-common.ps1
index 30e09fb50..21c30a0fe 100644
--- a/scripts/package/win-common.ps1
+++ b/scripts/package/win-common.ps1
@@ -53,4 +53,8 @@ Function FinalizePackage {
   $Qt5BinDir = (Join-Path -Path $Path -ChildPath PyQt5\Qt5\bin)
   Move-Item -Path (Join-Path -Path $Qt5BinDir -ChildPath *.dll) -Destination $Path -Force
   Remove-Item -Path $Qt5BinDir
+
+  # Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
+  # Disable the Qt webp imageformat plugin.
+  Remove-Item -Path (Join-Path -Path $Path -ChildPath PyQt5\Qt5\plugins\imageformats\qwebp.dll)
 }