Author: Max Melzer
28. September 2023

Mitigation of the WebP 0-day vulnerability CVE-2023-4863 in QF-Test

Last updated 10/11/2023, 10:30 AM.

We are aware of the recently disclosed critical vulnerability in the libwebp library (CVE-2023-4863), potentially enabling remote code execution through a specially crafted WebP image file.

If QF-Test is used to open files from untrusted sources, QF-Test versions 4.5.0 up to and including 7.0.5 are vulnerable to this exploit through maliciously modified run logs or test suites.

Today we released QF-Test 7.0.6, which fixes this vulnerability. We advise all our users to update to the latest version.

If you are unable to update to QF-Test 7.0.6 and need to open untrusted run logs or test suites with QF-Test 7.0.5 or older, you can secure that installation against this vulnerability with the following steps:

  1. Open the QF-Test system directory of the QF-Test installation.

     To do this, start QF-Test, select "Help" – "About" from the QF-Test menu bar (on macOS "QF-Test" – "About QF-Test"), switch to the "System Info" tab and click the link next to dir.version.

  2. Quit all running instances of QF-Test.

  3. Navigate to the subdirectory bin of the QF-Test system directory.

  4. Delete the directory webp from the bin subdirectory.

  5. Download the updated WebP library and extract the included webp directory: Updated WebP library.

  6. Copy the extracted webp directory to the bin directory.

You may need administrator privileges to perform this update.
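The same steps as a script, for readers who have to apply the workaround to several Linux or macOS installations. This is an added example, not a tool from QFS or part of the QF-Test distribution. It assumes (none of this is stated in the post) that the QF-Test system directory from step 1 and the already extracted updated webp directory from step 5 are passed as arguments, and that a running QF-Test instance has "qftest" somewhere in its command line.

```shell
#!/bin/sh
# Added example, not QFS's own tooling: performs steps 2 to 6 of the
# mitigation for one QF-Test installation on Linux/macOS.
# Assumptions (not from the post): $1 is the QF-Test system directory,
# $2 is the extracted updated "webp" directory, and a running QF-Test
# instance shows "qftest" in its command line.

# Step 2: refuse to modify the installation while QF-Test is still running.
# pgrep may be missing on minimal systems; its non-zero exit then counts as
# "not running", so this check is best effort only.
qftest_running() {
    pgrep -f '[q]ftest' >/dev/null 2>&1
}

# replace_webp_dir SYSTEM_DIR NEW_WEBP_DIR
# Steps 3 to 6: delete SYSTEM_DIR/bin/webp and copy NEW_WEBP_DIR in its place.
# Returns 0 on success; on any failed precondition it prints the reason to
# stderr, leaves the installation untouched and returns 1.
replace_webp_dir() {
    sysdir="$1"
    newwebp="$2"

    # Guard against an empty path turning "$sysdir/bin" into "/bin".
    [ -n "$sysdir" ] && [ -d "$sysdir/bin" ] \
        || { echo "no bin/ subdirectory under '$sysdir'" >&2; return 1; }
    [ -d "$newwebp" ] \
        || { echo "updated webp directory '$newwebp' not found" >&2; return 1; }
    # The download is expected to contain a directory literally named webp.
    [ "$(basename "$newwebp")" = "webp" ] \
        || { echo "'$newwebp' is not a directory named webp" >&2; return 1; }
    if qftest_running; then
        echo "QF-Test is still running; quit all instances first" >&2
        return 1
    fi

    # Step 4: remove the vulnerable library directory.
    rm -rf "$sysdir/bin/webp" || return 1
    # Step 6: install the updated one. cp -R creates bin/webp itself because
    # the target no longer exists.
    cp -R "$newwebp" "$sysdir/bin/webp" || return 1
    echo "replaced $sysdir/bin/webp"
}

# Run only when both arguments are given, so the file can also be sourced.
# Usage with placeholder paths (run with sudo if the installation is not
# writable by your user, as the note above warns):
#   sudo sh mitigate-webp.sh /opt/qftest/qftest-7.0.5 ~/Downloads/webp
if [ "$#" -eq 2 ]; then
    replace_webp_dir "$1" "$2"
fi
```

The preconditions are deliberately checked before anything is deleted: once bin/webp is gone, QF-Test cannot load any WebP library until the copy succeeds, so a typo in the second path is caught while the installation is still intact.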

Update 10/11/2023:

Since then, the embedded Chrome browser used by QF-Driver on Windows has also been updated, in QF-Test 7.0.7.

In addition, the Electron demos have been updated. These are downloaded automatically by the Electron demo test suites. To be on the safe side, delete any existing old demos from the directory electron in the QF-Test cache directory, which can be found as in step 1 via the link next to dir.cache.
