Due to a recent vulnerability in libwebp before version 1.3.2 (CVE-2023-4863) I want to find out what libwebp version the Windows builds of PHP (downloadable here: https://windows.php.net/) is using. Is there any way to find out the version?
I've tried to find this version in the following places already:
But no luck - I've found out the relevant constants from libwebp are MUX_MAJ_VERSION
, MUX_MIN_VERSION
and MUX_REV_VERSION
, but those are not contained in the debug symbols.
Any idea how to find the linked libwebp version or at least if the vulnerability is present in the used version?
You'll get the info when taking a look on the article Build your own PHP on Windows for PHP >= 7.2 resp. its older version for PHP < 7.2 in The PHP.net wiki, which is "mainly used to track internal development of the PHP project", and is linked to also from the PHP Source Github repository in the section on Building PHP source code
So, there you will find the section Download prerequisites, subsection Get the libraries on which PHP depends, referring to https://windows.php.net/downloads/php-sdk/deps/.
Correspondingly you'll find the following: