#VU81940 Out-of-bounds write in libcue - CVE-2023-43641
Published: October 12, 2023
Vulnerability identifier: #VU81940
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-43641
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
libcue
libcue
Software vendor:
lipnitsk (Ilya Lipnitskiy)
lipnitsk (Ilya Lipnitskiy)
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when parsing CUE sheets. A remote attacker can create a specially crafted file, trick the victim into downloading it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install updates from vendor's website.
External links
- https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
- https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj
- https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea
- https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html
- https://www.debian.org/security/2023/dsa-5524
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/
- https://github.com/lipnitsk/libcue/releases/tag/v2.3.0