Advisory

Critical vulnerability in old CD playing library in Linux GNOME Desktop

Take action: If you are using GNOME desktop, check for updates regularly and update immediately. Otherwise, run a scheduled update of the computer and steer clear of .cue file attachments.


Learn More

A serious vulnerability has been identified in the libcue library, which is used by the GNOME desktop environment. The flaw, tracked as CVE-2023-43641, enables an attacker to execute malicious code embedded in a cue sheet, a CD track metadata file.

Libcue is designed to parse cue sheets, a metadata format that details CD track layouts. Although the format is not widely recognized, certain audio players and the GNOME file indexing utility called tracker-miners use it. Tracker-miners is set up to automatically inspect new files added to specific directories, such as the Downloads folder.

The vulnerability's root cause is the libcue library's lack of proper validation when it parses cue sheet index values. This flaw is particularly concerning because of tracker-miners, a default component of GNOME—a graphical user interface commonly used in multiple open-source operating systems. Tracker-miners' primary function is to catalog the files in a user's home directory for quick searching. This cataloging process is auto-triggered when new files are added or existing ones are altered in specific home directory subfolders, especially the Downloads folder.
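The kind of index validation described above, sketched as an added example (this is not libcue's code and not the actual patch): a parser for a cue sheet INDEX line that bounds every numeric field before the index number is used as an array subscript. The struct, the function names and the limits chosen for the number and mm:ss:ff fields are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INDEX 99                /* assumed limit: INDEX numbers 00..99 */

struct track {                      /* hypothetical structure for this example */
    long index[MAX_INDEX + 1];      /* frame offset stored per INDEX number */
};

/* Read one unsigned decimal field in [0, max] and advance *p past it. */
static int read_field(const char **p, long max, long *out)
{
    char *end;

    if (!isdigit((unsigned char)**p))
        return -1;                  /* rejects signs, whitespace, empty fields */
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (errno == ERANGE || v > max)
        return -1;                  /* rejects overflow and out-of-range values */
    *p = end;
    *out = v;
    return 0;
}

/* Parse "INDEX nn mm:ss:ff"; return 0 and store the offset, or -1 if rejected. */
int track_set_index_checked(struct track *t, const char *line)
{
    long n, mm, ss, ff;
    const char *p = line;

    if (strncmp(p, "INDEX ", 6) != 0)
        return -1;
    p += 6;
    if (read_field(&p, MAX_INDEX, &n) != 0 || *p++ != ' ')
        return -1;
    if (read_field(&p, 99, &mm) != 0 || *p++ != ':')
        return -1;
    if (read_field(&p, 59, &ss) != 0 || *p++ != ':')
        return -1;
    if (read_field(&p, 74, &ff) != 0)
        return -1;
    /* n is now proven to lie inside the array on both sides. */
    t->index[n] = (mm * 60 + ss) * 75 + ff;   /* 75 frames per second */
    return 0;
}
```

Nothing is written to the array unless every field has passed its range check, so a malformed line is rejected without touching memory.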

Exploiting this vulnerability is feasible if an attacker prompts a user to download a malicious cue sheet. Once the file is downloaded, the libcue flaw can be triggered, causing out-of-bounds writes. Because the downloaded file is scanned automatically, an attacker can exploit the flaw to remotely run code on the victim's system.

Security researchers shared a video proof-of-concept of this vulnerability in action. In the demonstration, the researcher managed to execute code reliably on default setups of both Ubuntu 23.04 and Fedora 38. Although untested on other distributions, any operating system using GNOME is potentially at risk. The PoC exploit has not been made widely available, in order to slow down possible exploitation.

Given this vulnerability's significance and its presence in popular Linux distributions like Ubuntu and Fedora, users are strongly advised to apply the patched version of libcue as soon as it's available.
