libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
lipnitsk libcue |
||
fedoraproject fedora 37 |
||
fedoraproject fedora 38 |
||
fedoraproject fedora 39 |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |
||
debian debian linux 12.0 |
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources One-click exploit could potentially affect most major distros
Researchers discovered a high-severity remote code execution (RCE) vulnerability in an inherent component of GNOME-based Linux distros, potentially impacting a huge number of users. Tracked as CVE-2023-43641, exploiting the vulnerability in the relatively small libcue library takes advantage of the tracker-miners application to facilitate a one-click RCE attack. The issue is thought to affect all GNOME-based distros, including RHEL, SUSE, and Debian, but has only been proven to work on the lates...