Today, in coordination with Ilya Lipnitskiy (the maintainer of libcue) and the distros mailing list, the GitHub Security Lab is disclosing CVE-2023-43641, a memory corruption vulnerability in libcue. We have also sent a text-only version of this blog post to the oss-security list.
libcue is a library used for parsing cue sheets—a metadata format for describing the layout of the tracks on a CD. Cue sheets are often used in combination with the FLAC audio file format, which means that libcue is a dependency of some audio players, such as Audacious. But the reason why I decided to audit libcue for security vulnerabilities is that it’s used by tracker-miners: an application that’s included with GNOME—the default graphical desktop environment of many open source operating systems. The purpose of tracker-miners is to index the files in your home directory to make them easily searchable.
To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer.
The offsets in the full PoC need to be tuned for different distributions. I have only done this for Ubuntu 23.04 and Fedora 38, the most recent releases of Ubuntu and Fedora at this time. In my testing, I have found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution). I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.
Sometimes a vulnerability in a seemingly innocuous library can have a large impact. Due to the way that it’s used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today!
404 on CVE URL. Thanks for the post.
Relevant links:
https://www.cve.org/CVERecord?id=CVE-2023-43641
https://nvd.nist.gov/vuln/detail/CVE-2023-43641
The link in the first paragraph of the blog post? I think they removed it because libcue has since been patched.
Releasing a patch doesn’t make the CVE disappear.
I understand that, but I think they removed the security advisory that was previously attached to the libcue GitHub (that’s where that CVE link in the post’s first paragraph went) because the latest commits to the repo patched that vulnerability.