SB2023101206 - Remote code execution in libcue
Published: October 12, 2023
Security Bulletin ID
SB2023101206
CSH Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Out-of-bounds write (CVE-ID: CVE-2023-43641)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when parsing CUE sheets. A remote attacker can create a specially crafted file, trick the victim into downloading it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
- https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj
- https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea
- https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html
- https://www.debian.org/security/2023/dsa-5524
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/
- https://github.com/lipnitsk/libcue/releases/tag/v2.3.0