PICARD-2775: Mitigate libwebp vulnerability (CVE-2023-4863)

A libwebp vulnerability allows arbitrary code execution when loading
a manipulated image. Disable the Qt webp imageformat plugin for binary
builds for macOS and Windows for now. WebP images can still be loaded
and saved, but they will not be displayed.
This commit is contained in:
Philipp Wolfer
2023-10-10 08:11:45 +02:00
parent c0e8e2eaae
commit 892693be67
2 changed files with 8 additions and 0 deletions


@@ -69,6 +69,10 @@ pushd "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/"
ln -s "../../../Resources/$QT5_DIR/translations" .
popd
# Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
# Disable the Qt webp imageformat plugin.
rm "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/plugins/imageformats/libqwebp.dylib"
if [ "$CODESIGN" = '1' ]; then
# Enable hardened runtime if app will get notarized
if [ "$NOTARIZE" = "1" ]; then
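Review bot: The `rm` of libqwebp.dylib has no failure handling in the hunk, so whether a failed removal (plugin path changed in a newer PyQt5 wheel, permission error) aborts the build depends on a `set -e` I cannot see from here; without it the bundle would be packaged with the plugin still present and the mitigation silently lost. I would make the removal fail loud and terminate option parsing before the path: `rm -- "$APP_BUNDLE/Contents/MacOS/PyQt5/$QT5_DIR/plugins/imageformats/libqwebp.dylib" || exit 1`. The Windows hunk in FinalizePackage has the same gap: `Remove-Item` emits only a non-terminating error by default unless `$ErrorActionPreference` is set to Stop elsewhere, so `Remove-Item -Path (Join-Path -Path $Path -ChildPath PyQt5\Qt5\plugins\imageformats\qwebp.dll) -ErrorAction Stop` would make that step abort as well. The enclosing macOS script continues before and after this hunk.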


@@ -53,4 +53,8 @@ Function FinalizePackage {
$Qt5BinDir = (Join-Path -Path $Path -ChildPath PyQt5\Qt5\bin)
Move-Item -Path (Join-Path -Path $Qt5BinDir -ChildPath *.dll) -Destination $Path -Force
Remove-Item -Path $Qt5BinDir
# Mitigate libwebp vulnerability allowing for arbitrary code execution (CVE-2023-4863).
# Disable the Qt webp imageformat plugin.
Remove-Item -Path (Join-Path -Path $Path -ChildPath PyQt5\Qt5\plugins\imageformats\qwebp.dll)
}