28. September 2023
Mitigation of the WebP 0-day vulnerability CVE-2023-4863 in QF-Test
Last updated 10/11/2023, 10:30 AM.
We are aware of the recently disclosed critical vulnerability in the libwebp library (CVE-2023-4863), a heap buffer overflow in the WebP decoder that can potentially be exploited for remote code execution through a specially crafted WebP image file.
If QF-Test is used to open files from untrusted sources, QF-Test versions 4.5.0 through 7.0.5 (inclusive) are affected: a maliciously modified run log or test suite that contains a crafted WebP image can trigger the flaw when it is opened in QF-Test.
Today we released QF-Test 7.0.6, which fixes this vulnerability. We advise all our users to update to the latest version.
If you are unable to update to QF-Test 7.0.6 and need to open untrusted run logs or test suites with QF-Test 7.0.5 or older, you can secure that installation of QF-Test against this vulnerability with the following steps:
1. Open the QF-Test system directory of the QF-Test installation. To do this, start QF-Test, select "Help" – "About" from the QF-Test menu bar (on macOS "QF-Test" – "About QF-Test"), switch to the "System Info" tab and click the link next to "dir.version".
2. Quit all running instances of QF-Test.
3. Navigate to the subdirectory "bin" of the QF-Test system directory.
4. Delete the directory "webp" from the "bin" subdirectory.
5. Download the updated WebP library ("Updated WebP library" link) and extract the included "webp" directory.
6. Copy the extracted "webp" directory to the "bin" directory.
You may need administrator privileges to perform this update.
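The following POSIX shell script is an added example that automates steps 2 to 6 on Linux and macOS; it is not a script shipped by QSF or part of QF-Test. It assumes that the QF-Test system directory (the "dir.version" path from step 1) and the downloaded archive are passed as arguments, that the archive is a .zip or .tar.gz with a top-level "webp" directory, and that a running QF-Test instance can be recognised by the string "qftest" in its command line; none of these details come from the page. It extracts and checks the new library before the old one is deleted, so a bad download cannot leave the installation without a "webp" directory.

```shell
#!/bin/sh
# Added example, not QSF's own tooling: replaces bin/webp in a QF-Test
# installation with the updated WebP library, with the checks a manual
# run of steps 2-6 relies on. Assumed (not from the advisory): archive
# format (.zip or .tar.gz), top-level "webp" directory inside it, and the
# process-name pattern used to detect a running QF-Test.
set -e

# Step 2: refuse to touch the installation while QF-Test is running.
# The pattern "qftest" is an assumption about the launcher's command line.
qftest_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -f 'qftest' >/dev/null 2>&1
    else
        ps ax 2>/dev/null | grep -q '[q]ftest'
    fi
}

# Post-install sanity check: bin/webp exists and is not empty.
#   $1: the "bin" directory of the QF-Test system directory
verify_webp() {
    [ -d "$1/webp" ] && [ -n "$(ls -A "$1/webp")" ]
}

# Steps 3-6: remove the vulnerable bin/webp and install the updated copy.
#   $1: QF-Test system directory ("dir.version" in Help - About - System Info)
#   $2: downloaded archive containing the updated "webp" directory
mitigate_webp() {
    mw_sysdir=$1
    mw_archive=$2
    mw_bindir="$mw_sysdir/bin"

    [ -d "$mw_bindir" ] || { echo "no bin directory under $mw_sysdir" >&2; return 1; }
    [ -f "$mw_archive" ] || { echo "archive not found: $mw_archive" >&2; return 1; }
    if qftest_running; then
        echo "QF-Test is still running; quit all instances first" >&2
        return 1
    fi

    # Extract into a scratch directory first so a broken download is
    # detected before anything in the installation is deleted.
    mw_tmp=$(mktemp -d)
    case "$mw_archive" in
        *.zip)          unzip -q "$mw_archive" -d "$mw_tmp" ;;
        *.tar.gz|*.tgz) tar -xzf "$mw_archive" -C "$mw_tmp" ;;
        *) echo "unsupported archive format: $mw_archive" >&2; rm -rf "$mw_tmp"; return 1 ;;
    esac
    if [ ! -d "$mw_tmp/webp" ]; then
        echo "archive does not contain a top-level webp directory" >&2
        rm -rf "$mw_tmp"
        return 1
    fi

    rm -rf "$mw_bindir/webp"               # step 4: delete the vulnerable library
    cp -R "$mw_tmp/webp" "$mw_bindir/webp" # step 6: install the updated one
    rm -rf "$mw_tmp"
    verify_webp "$mw_bindir"
}

# Usage: sh mitigate-webp.sh /path/to/qftest/system/dir /path/to/webp-archive
if [ "$#" -eq 2 ]; then
    mitigate_webp "$1" "$2" && echo "bin/webp replaced in $1"
fi
```

Run it with the same privileges you would need to edit the installation by hand (see the note on administrator privileges above). On Windows the same six steps apply, but this script is not a substitute for doing them in an elevated PowerShell or Explorer session.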
Update 10/11/2023:
In the meantime, the embedded Chrome browser for QF-Driver on Windows has also been updated with QF-Test 7.0.7.
In addition, the Electron demos have been updated. These are downloaded automatically by the Electron demo test suites. If you want to be on the safe side, delete any old demos that may still exist in the directory "electron" inside the QF-Test cache directory. The cache directory can be found in the same way as the system directory in step 1, via the link next to "dir.cache".