Due to a recent vulnerability in libwebp before version 1.3.2 (CVE-2023-4863) I want to find out what libwebp version the Windows builds of PHP (downloadable here: https://windows.php.net/) is using. Is there any way to find out the version?

I've tried to find this version in the following places already:

• phpinfo() - only gives the info whether webp support is enabled or not
• PHP Changelogs
• Texts in the DLLs
• Texts in the debug symbols
• The dependencies the PHP SDK downloads when building PHP

But no luck - I've found out the relevant constants from libwebp are MUX_MAJ_VERSION, MUX_MIN_VERSION and MUX_REV_VERSION, but those are not contained in the debug symbols.

Any idea how to find the linked libwebp version or at least if the vulnerability is present in the used version?

You'll get the info when taking a look on the article Build your own PHP on Windows for PHP >= 7.2 resp. its older version for PHP < 7.2 in The PHP.net wiki, which is "mainly used to track internal development of the PHP project", and is linked to also from the PHP Source Github repository in the section on Building PHP source code

So, there you will find the section Download prerequisites, subsection Get the libraries on which PHP depends, referring to https://windows.php.net/downloads/php-sdk/deps/.

Correspondingly you'll find the following: