Picard 2.10 released

The Picard team is happy to announce that the final version 2.10 of MusicBrainz Picard is now available for download. MusicBrainz Picard is the official tag editor for the MusicBrainz database and helps you get your music collection sorted and cleaned up with the latest data from MusicBrainz.

This release mitigates a critical security issue when loading WebP images; see below for details. In addition there are several improvements, but mainly this release provides bug fixes and changes behind the scenes such as Python 3.12 compatibility and improved translations.

WebP remote execution vulnerability

Picard is affected by a recently discovered critical security issue in the libwebp library, which is used by many applications to display images in the WebP format. In affected software, a WebP image manipulated by an attacker can be used to execute arbitrary code just by displaying the image. As Picard uses the Qt5 library for the UI, including the display of cover art images, and Qt5 uses libwebp, it is affected by this issue.

To mitigate this issue we have temporarily disabled the WebP image format plugin in the Windows and macOS builds of Picard 2.10. That means that while you can still tag your files with WebP images, Picard will not display the image and shows a placeholder instead.

Windows and macOS users are highly advised to update to Picard 2.10 as soon as possible.

Linux users should make sure to install the latest updates provided by their distributions. By now most distributions provide patched libwebp packages. Please consult your distribution’s security advisories for details. The Picard Snap package for Linux was already updated a couple of days ago to contain the latest security fixes.

If you are using WebP images from unknown or untrusted sources for your music collection, please also check whether any software you use to display cover art, e.g. music players or media centers, is affected by this issue, and upgrade the software if possible.

For more details about this vulnerability in general see CVE-2023-4863.
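
One way to follow the advice above and see which cover art files in a collection are actually WebP is to check file contents rather than extensions. The script below is an added example, not part of Picard or the original announcement; the function names and the sample bytes are constructed for illustration, and it only reads the RIFF container headers without decoding any image data.

```python
import os
import struct
import tempfile

def webp_chunks(fh):
    """Return the top-level chunk FourCCs of a WebP stream, or None if not WebP."""
    header = fh.read(12)
    if len(header) < 12 or header[:4] != b"RIFF" or header[8:] != b"WEBP":
        return None
    end = 8 + struct.unpack_from("<I", header, 4)[0]  # RIFF size excludes first 8 bytes
    chunks, pos = [], 12
    while pos + 8 <= end:
        fh.seek(pos)
        head = fh.read(8)
        if len(head) < 8:
            break  # truncated file: report what was seen so far
        fourcc, size = struct.unpack("<4sI", head)
        chunks.append(fourcc.decode("ascii", "replace"))
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length
    return chunks

def find_webp(root):
    """Map relative path -> chunk list for every file under root that is WebP."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    chunks = webp_chunks(fh)
            except OSError:
                continue  # unreadable file, skip it
            if chunks is not None:
                found[os.path.relpath(path, root)] = chunks
    return found

def sample_webp(fourcc):
    """Constructed container bytes for the demo; not a decodable image."""
    chunk = fourcc + struct.pack("<I", 6) + b"\x00" * 6
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk

def demo():
    samples = {"cover.webp": sample_webp(b"VP8L"), "folder.jpg": sample_webp(b"VP8 "),
               "front.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_webp(root)
```

Calling find_webp() on the root of a music folder lists every standalone WebP file, including ones saved under another extension; cover art embedded inside audio file tags is not covered by this scan.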

What’s new?

Python 3.12 compatibility

Python 3.12 removes some APIs that Picard was using to load plugin modules. This release updates Picard’s plugin handling to use the newer Python APIs. Everyone who wants to use Picard with Python 3.12 must update to Picard 2.10.

This release is still compatible with Python 3.7 and later. Future releases will likely drop Python 3.7 support, though.
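
The change in finder APIs, shown as an added example that is not Picard's plugin code: a meta path finder that implements find_spec(), the method Python 3.12 requires now that the find_module() fallback has been removed. The package name demo_plugins, the class and function names and the sample plugin file are hypothetical.

```python
import importlib
import importlib.abc
import importlib.util
import sys
import tempfile
import types
from pathlib import Path

PREFIX = "demo_plugins"  # hypothetical package name, not Picard's


class PluginFinder(importlib.abc.MetaPathFinder):
    """Resolve `demo_plugins.<name>` from a single plugin directory."""

    def __init__(self, plugin_dir):
        self.plugin_dir = Path(plugin_dir)

    # Python 3.12 only calls find_spec(); a finder that offers nothing but
    # the legacy find_module() is no longer consulted by the import system.
    def find_spec(self, fullname, path=None, target=None):
        parent, _, name = fullname.rpartition(".")
        # Accept only direct children with a plain identifier as name, so a
        # requested module can never resolve to a file outside plugin_dir.
        if parent != PREFIX or not name.isidentifier():
            return None
        candidate = self.plugin_dir / f"{name}.py"
        if not candidate.is_file():
            return None
        return importlib.util.spec_from_file_location(fullname, candidate)


def load_plugin(name, plugin_dir):
    """Import one plugin by name through the finder and return the module."""
    if PREFIX not in sys.modules:
        pkg = types.ModuleType(PREFIX)
        pkg.__path__ = []  # marks it as a package so submodules can be imported
        sys.modules[PREFIX] = pkg
    finder = PluginFinder(plugin_dir)
    sys.meta_path.append(finder)
    try:
        return importlib.import_module(f"{PREFIX}.{name}")
    finally:
        sys.meta_path.remove(finder)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "hello.py").write_text("PLUGIN_NAME = 'Hello'\n")  # constructed plugin
        return load_plugin("hello", tmp).PLUGIN_NAME
```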

Translations have moved to Weblate

Translations for Picard have been moved from Transifex to the new MetaBrainz Translations powered by Weblate. As part of this move we have improved both the translations and source strings as well as optimized the project setup on Weblate. Many strings now provide additional screenshots or textual context to aid translation, and the quality checks in place help us to avoid issues with broken placeholders and other translation issues.

If you want to help translate Picard into your native language, please see the instructions for Picard, Picard Website and Picard User Guide Internationalization, then head over to the Picard translation project. There are also some Tips to get started.

New icons in the plugin options

The plugin options now provide new icons for installing, updating and enabling plugins. The new icons are consistent across all supported platforms and more clearly indicate their purpose.

And more…

There have been many more improvements and bug fixes. Please see below for a complete list of changes.

Download

Picard 2.10 is available for download from the download page. For Windows 10 users installing from the Windows Store an update will come automatically as soon as the new release has been approved by Microsoft.

Picard is free software and the source code is available on GitHub.

Acknowledgements

This release contains code contributions by Philipp Wolfer, Laurent Monin and Bob Swift. aerozol created the new plugin icons. The translations have been updated by salo.rock, mfmeulenbelt, zer0bitzz, Gateway31, jaimeMF, Laurent Monin and Philipp Wolfer.

Many thanks also to everyone who tested the release candidate and provided feedback on the community forums, IRC and the issue tracker.

Get in touch

Please use the MetaBrainz community forums and the ticket system to give feedback, suggest new features or report bugs.

Changelog

Below is the full list of changes since the last stable release 2.9.2. A full list of changes in the individual pre-releases can be found in the changelog.

Bugfixes

  • [PICARD-2768] – Series relationships are not loaded for standalone recordings
  • [PICARD-2774] – Error: 255 is not a valid Id3ImageType
  • [PICARD-2775] – Disable Qt WebP plugin for Windows and macOS binary builds to mitigate libwebp vulnerability (CVE-2023-4863)
  • [PICARD-2776] – Track metadata compare ignores video flag check if there is no release
  • [PICARD-2748] – KeyError when saving options with removed profile
  • [PICARD-2749] – Python 3.12: AttributeError: ‘PathFinder’ object has no attribute ‘find_module’
  • [PICARD-2751] – The plugin system uses deprecated APIs, incompatible with Python 3.12
  • [PICARD-2754] – Picard crashes in non-existing working directory on start
  • [PICARD-2756] – Windows long path support does not work for network drives
  • [PICARD-2762] – Linux packaged version does not show the “check for new plugins” option setting
  • [PICARD-2764] – Attached profiles dialog does not display on option sub-pages

New Features

  • [PICARD-2757] – Add command-line option --audit making use of sys.addaudithook()

Tasks

  • [PICARD-2690] – Move locale name translations into separate translation resource
  • [PICARD-2731] – Move translations to Weblate

Improvements

  • [PICARD-2769] – If a tag got unset by scripting display a file’s original tag value in the columns
  • [PICARD-1377] – New icons for plugin options
  • [PICARD-2717] – Starting a second instance with no commands should change to the running instance
  • [PICARD-2740] – Improve SSL error logging
  • [PICARD-2746] – Localize XDG desktop file
  • [PICARD-2760] – Windows: Timestamp the code signed packages
