Vulnerability CVE-2023-43641: Information
Description
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is automatically scanned by tracker-miners, and because it has a `.cue` filename extension, tracker-miners uses libcue to parse it. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
libcue2 | sisyphus | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6257-2 | 331437 | Fixed |
libcue2 | sisyphus_e2k | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6365-1 | - | Fixed |
libcue2 | sisyphus_riscv64 | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6343-1 | - | Fixed |
libcue2 | p10 | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6273-3 | 331488 | Fixed |
libcue2 | p10_e2k | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-7156-1 | - | Fixed |
libcue2 | c10f1 | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6613-2 | 332373 | Fixed |
libcue2 | c9f2 | 2.3.0-alt1 | 2.3.0-alt1 | ALT-PU-2023-6257-2 | 331437 | Fixed |