Picard 2.10, please upgrade for security fix

We have released the final version of Picard 2.10.

Windows and macOS users in particular are strongly advised to upgrade as soon as possible, as this release mitigates a critical security issue where displaying WebP images can be used for arbitrary code execution. Linux users should install the latest security fixes of their distribution. More details are in the blog post.


I want to give a bit more general background on the WebP security issue. It is one of the most severe security issues in recent times, which affects a whole lot of software. It was first revealed in November for Google Chrome, where it was discovered that a carefully manipulated WebP image could be abused to execute arbitrary code on the target system.

It was then discovered that the issue is in the libwebp library, which is used by most software that displays WebP images. Essentially this means that a lot of software is potentially affected by this, including web browsers, image viewers and editors, media players, file managers etc. Of course the large browsers and the operating systems have reacted quickly and have already released the necessary security fixes in the last weeks. See CVE-2023-4863.

The good news is that if you are using Picard and download your cover art from the Cover Art Archive then there is no danger, as the CAA does not support WebP yet. But of course you can use Picard to save cover art from other sources as well, including any image file you download from the web. And once you have such an image in your files this image might be viewed by other tools, such as your media player or even file manager.

But if you are frequently using WebP images from the internet or you get audio files from untrusted sources that might contain embedded WebP cover art I really recommend that you install your operating system’s latest security patches. Also check whether tools like your media player or image viewer are affected by this issue and whether they provide a security fix.

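As a defender's aid for the last point above, here is an added example (not Picard's code and not part of the original post) that finds embedded WebP cover art in audio files by locating RIFF/WEBP containers anywhere in the file bytes, so you know which files would reach a WebP decoder when a player or file manager shows their artwork. The ID3-style sample bytes are constructed, and the VP8L payload is a dummy rather than a real image.

```python
import struct
from pathlib import Path
from typing import Iterable, List, Tuple

# A WebP file is a RIFF container: "RIFF", little-endian payload size, "WEBP",
# then chunks of FourCC + size + data (VP8 = lossy, VP8L = lossless, VP8X = extended).
def find_embedded_webp(data: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, total_size, first_chunk) for each WebP container in data.

    Works on raw bytes, so it catches cover art embedded in ID3v2 APIC frames,
    FLAC PICTURE blocks or MP4 covr atoms without parsing those tag formats.
    """
    hits = []
    pos = data.find(b"RIFF")
    while pos != -1:
        # Need the 12-byte header plus the first chunk FourCC to classify the image.
        if data[pos + 8:pos + 12] == b"WEBP" and pos + 16 <= len(data):
            riff_size = struct.unpack_from("<I", data, pos + 4)[0]
            first_chunk = data[pos + 12:pos + 16].decode("ascii", "replace")
            hits.append((pos, riff_size + 8, first_chunk))
        pos = data.find(b"RIFF", pos + 4)
    return hits


def scan_files(paths: Iterable[Path]) -> dict:
    """Map each path to its WebP hits; files without embedded WebP are omitted."""
    report = {}
    for path in paths:
        hits = find_embedded_webp(path.read_bytes())
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a fake ID3v2.4 header and APIC frame followed by a
# lossless (VP8L) WebP blob with a 10-byte dummy payload. Only the container
# shape is real; this is not a decodable image.
_VP8L_PAYLOAD = b"\x2f" + b"\x00" * 9
SAMPLE_WITH_WEBP = (
    b"ID3\x04\x00\x00\x00\x00\x00\x40"
    + b"APIC" + b"\x00" * 6 + b"image/webp\x00\x03\x00"
    + b"RIFF" + struct.pack("<I", 4 + 8 + len(_VP8L_PAYLOAD)) + b"WEBP"
    + b"VP8L" + struct.pack("<I", len(_VP8L_PAYLOAD)) + _VP8L_PAYLOAD
)
# Constructed sample with the word RIFF in text but no WEBP signature behind it.
SAMPLE_CLEAN = b"ID3\x04\x00\x00\x00\x00\x00\x10" + b"RIFF is just text here" + b"\xff\xfb" * 8

if __name__ == "__main__":
    for name, blob in (("with_webp", SAMPLE_WITH_WEBP), ("clean", SAMPLE_CLEAN)):
        print(name, find_embedded_webp(blob))
```

Run `scan_files(Path("Music").rglob("*.flac"))` (or any other extensions) to get a per-file list of offsets and chunk types; files listed there are the ones worth keeping away from unpatched viewers.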