CVE-2023-43641: libcue bug allows Remote Code Execution in (at least) GNOME

TL;DR: update libcue to a version released after October 10.

I read this last night:
<https://arstechnica.com/information-technology/2023/10/one-click-remote-code-exploit-in-cd-cue-files-affects-most-gnome-based-linux-distros/>
<https://nvd.nist.gov/vuln/detail/CVE-2023-43641>

Summary:
- libcue has a bug that allows an attacker to execute arbitrary machine code
- libcue handles CUE sheet files
- GNOME (at least) uses libcue for file indexing when it finds a suitable file
- a bad actor can give you a bad CUE file without you knowing it (e.g. via browsing a web site)
- GNOME's tracker will automatically run libcue on the CUE file -- kaboom.

You can update your system to get a fixed libcue. The fix is in version 2.3.0. Fedora 37 and 38 have fixes in version 2.2.1-13. I checked this by using "rpm -q --changelog libcue | less".

On Fri, Oct 20, 2023 at 11:19:01AM -0400, D. Hugh Redelmeier via talk wrote:
> TL;DR: update libcue to a version released after October 10.
>
> I read this last night:
> <https://arstechnica.com/information-technology/2023/10/one-click-remote-code-exploit-in-cd-cue-files-affects-most-gnome-based-linux-distros/>
> <https://nvd.nist.gov/vuln/detail/CVE-2023-43641>
>
> [snip]
>
> You can update your system to get a fixed libcue. The fix is in version 2.3.0.
> Fedora 37 and 38 have fixes in version 2.2.1-13. I checked this by using "rpm -q --changelog libcue | less".

Fixed in Debian 11 and 12 (bullseye and bookworm, respectively) by Debian package versions 2.2.1-3+deb11u1 (for bullseye) and 2.2.1-4+deb12u1 (for bookworm) on 11 October.

$ sudo apt update && sudo apt upgrade

-- joeDoe
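Both messages above name the package versions that carry the fix (upstream 2.3.0, Fedora 2.2.1-13, Debian 2.2.1-3+deb11u1 and 2.2.1-4+deb12u1), and each poster checked by hand. The script below is an added example, not code from either poster or from the libcue project: it queries the local package manager for the installed libcue version and compares it against those thread-quoted fixed versions. Its version comparison is a deliberate simplification (numeric runs compare as integers, letter runs lexically, a prefix sorts lower) that is adequate for the versions quoted here but is not a reimplementation of the full dpkg or rpm ordering rules; the Debian binary package name `libcue2` and the distro labels are assumptions.

```python
"""Check whether the installed libcue is at or past the CVE-2023-43641 fix.

Added example. The fixed versions below are the ones quoted in the thread;
the comparison logic is a simplification, not the dpkg/rpm algorithm.
"""
import re
import shutil
import subprocess

# Fixed package versions as quoted in the two messages above.
FIXED_VERSIONS = {
    "upstream": "2.3.0",
    "fedora": "2.2.1-13",
    "debian-bullseye": "2.2.1-3+deb11u1",
    "debian-bookworm": "2.2.1-4+deb12u1",
}


def _segments(version):
    """Tokenise a version into numeric and alphabetic runs, dropping punctuation.

    '2.2.1-3+deb11u1' -> [2, 2, 1, 3, 'deb', 11, 'u', 1]
    """
    return [int(tok) if tok.isdigit() else tok
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a against b.

    Numbers compare numerically; a number sorts before a letter run;
    a string that is a prefix of the other sorts lower (so '2.2.1-4' is
    older than '2.2.1-4+deb12u1'). Simplified ordering, see module docstring.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return -1
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(distro, installed):
    """True if the installed version is at or beyond the thread-quoted fix for distro."""
    return compare_versions(installed, FIXED_VERSIONS[distro]) >= 0


def installed_libcue_version():
    """Ask rpm or dpkg for the installed libcue version; None if unknown.

    Uses only the query commands available on the host. Assumption: the
    Debian binary package is named 'libcue2'.
    """
    if shutil.which("rpm"):
        cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "libcue"]
    elif shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "-f=${Version}", "libcue2"]
    else:
        return None
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return None  # package not installed or query failed
    return result.stdout.strip() or None


def main():
    version = installed_libcue_version()
    if version is None:
        print("libcue not found via rpm/dpkg; nothing to check")
        return
    # Without distro detection, report against every known fixed version.
    for distro, fixed in FIXED_VERSIONS.items():
        state = "fixed" if is_fixed(distro, version) else "VULNERABLE"
        print(f"{distro:16} installed {version:22} fix {fixed:16} {state}")


if __name__ == "__main__":
    main()
```

Run it on the host you want to check; the report is one line per known fixed version, so read the line for your distribution. A Fedora build such as `2.2.1-13.fc38` compares as newer than `2.2.1-13`, and a plain Debian `2.2.1-4` is reported as still vulnerable because the fix is in the `+deb12u1` rebuild.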
participants (2): D. Hugh Redelmeier, joeDoe