[gentoo-announce] [ GLSA 202310-10 ] libcue: Arbitrary Code Execution

    From [email protected]@21:1/5 to All on Tue Oct 10 08:20:01 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202310-10
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: libcue: Arbitrary Code Execution
    Date: October 10, 2023
    Bugs: #915500
    ID: 202310-10

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in libcue which could allow for
    arbitrary code execution.

    Background
    ==========

    libcue is a CUE Sheet Parser Library.

    Affected packages
    =================

    Package            Vulnerable    Unaffected
    -----------------  ------------  ------------
    media-libs/libcue  < 2.2.1-r1    >= 2.2.1-r1

    Description
    ===========

    libcue does not check bounds in a loop and suffers from an integer
    overflow flaw which can be exploited to take over the program.
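    The advisory names the class of flaw (an unchecked bound in a loop and an
    integer overflow) without quoting code. The C below is an added
    illustration written for this page, not libcue's source: a hypothetical
    CUE-style INDEX line parser whose MAXINDEX, Track layout and function names
    are all assumptions. It shows the checks a parser of untrusted CUE sheets
    needs before it writes into a fixed-size table: strict integer parsing that
    detects overflow and trailing garbage, and a lower as well as an upper
    bound on the index used for the array write.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size per-track table, as a CUE-style parser might keep.
 * MAXINDEX and the Track layout are assumptions for this example, not libcue's. */
#define MAXINDEX 100

typedef struct {
    long index[MAXINDEX];   /* frame offset stored per INDEX number */
} Track;

/* Scratch track so callers can exercise the parser without their own setup. */
static Track scratch;

/* Parse a decimal integer strictly: the whole token must be consumed, the
 * value must fit in a long, and it must lie in [lo, hi]. 0 on success, -1 on error. */
static int parse_bounded_long(const char *s, long lo, long hi, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)          /* magnitude did not fit in a long */
        return -1;
    if (end == s || *end != '\0') /* empty token or trailing garbage */
        return -1;
    if (v < lo || v > hi)         /* caller-supplied range, rejects negatives too */
        return -1;
    *out = v;
    return 0;
}

/* Store an INDEX entry. Both bounds are checked before the array write:
 * checking only the upper bound would still let a negative i address memory
 * before the start of track->index. */
int track_set_index_checked(Track *track, long i, long frame)
{
    if (track == NULL)
        return -1;
    if (i < 0 || i >= MAXINDEX)
        return -1;
    if (frame < 0)
        return -1;
    track->index[i] = frame;
    return 0;
}

/* Parse "INDEX <n> <mm>:<ss>:<ff>" (the CUE sheet INDEX line shape) and store
 * it. Returns 0 on success, -1 for any malformed or out-of-range field. */
int parse_index_line(Track *track, const char *line)
{
    char num[32], mm[32], ss[32], ff[32];
    if (sscanf(line, "INDEX %31s %31[^:]:%31[^:]:%31s", num, mm, ss, ff) != 4)
        return -1;

    long n, m, s, f;
    if (parse_bounded_long(num, 0, MAXINDEX - 1, &n)) return -1;
    if (parse_bounded_long(mm, 0, 99, &m))           return -1; /* minutes */
    if (parse_bounded_long(ss, 0, 59, &s))           return -1; /* seconds */
    if (parse_bounded_long(ff, 0, 74, &f))           return -1; /* frames, 75 per second */

    /* With every field bounded, the largest result is (99*60+59)*75+74,
     * so this arithmetic cannot overflow a long. */
    long frame = (m * 60 + s) * 75 + f;
    return track_set_index_checked(track, n, frame);
}

int main(void)
{
    /* Constructed sample lines: one valid, two that a strict parser must reject. */
    const char *lines[] = {
        "INDEX 01 00:02:33",
        "INDEX -1 00:00:00",
        "INDEX 99999999999999999999 00:00:00",
    };
    memset(&scratch, 0, sizeof scratch);
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-40s -> %s\n", lines[i],
               parse_index_line(&scratch, lines[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

    The point of the two-sided check in track_set_index_checked is that a
    signed index parsed from file content can be negative, and a comparison
    against only the upper limit does not catch that; parse_bounded_long
    additionally refuses values strtol had to clamp, so an over-long digit
    string is rejected rather than silently wrapped.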

    Impact
    ======

    Untrusted CUE sheet files can lead to arbitrary code execution.

    app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in
    directories. It is possible that downloading a malicious CUE Sheet file
    into a directory indexed by tracker-miners could lead to remote code
    execution.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All libcue users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"

    References
    ==========

    [ 1 ] CVE-2023-43641
    https://nvd.nist.gov/vuln/detail/CVE-2023-43641

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202310-10

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmUk67YACgkQFMQkOaVy
    +9kRfA/8CM8g+ZQvj57n1Oeda007gwCLMuXudOPi+kRlxnk5QUdBYQJBMniR6o/o
    HA4dCvyj+LSz+cRFXqgrXVjbrjWinsFpm75IV3mqHixsUccFMTsUfAprUtmWdQf2
    K+3YOMyhhaCJbOUR0HG+RmtytDAODtSq0ESo0dC4wVB1vkrPkmId1mZfp34r3mp+
    3h7wSvIf/5cWHg2WFdBESIEhFrKK5JREg/J+vXJy5+i3aD6sFOzNgC9PPA+wThKa
    UL+0U9hjF55tzuNbjBRZz4uXiFEFglWmXbGegLEN+gxPLQmvacxuupqaEcKSedhu
    eYxR4mIRLsp3JA/fYHNBXuzCgw8tCf6qD/jVOKVXA0fcw/UXW+nlrwu+tv5a+NJj
    7lmjo4cixauR6eGqXUpvRpgR7hsDtNh3i/smla+PMV8QARhU8316xiRmiE+38frC
    FHvMwUtc98wFqSKp1wkNcj2GBddzK/orGyhBEWbJTyy6NQO69J4IzCwBiz5mUf/L
    7dMaxAvXcj4l+AbO+aVHrTds/k4BoseZ54dhh9k1pIIJX7lsQRQblkJyu6GMMafC
    lyIEGts9HHtsqSZeewBOfmQE7p9Z6F6rF/4gaIT4Vp9G1/T9DLONZR40zxtq+wpQ
    LdW7MJUPdNDuDvK5N3jbabVnGfJTmwlSi8Slg066+pI6IDp13ZA=
    =OdE0
    -----END PGP SIGNATURE-----