| Summary: | libcue new security issue CVE-2023-43641 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | | |
| Source RPM: | libcue-2.2.1-3.mga9.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

Nicolas Salguero 2023-10-11 10:16:18 CEST

Nicolas Salguero 2023-10-11 10:18:19 CEST

Status comment: (none) => Fixed upstream in 2.3.0

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. (CVE-2023-43641)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43641
https://www.openwall.com/lists/oss-security/2023/10/09/3
========================

Updated packages in {8|9}/core/updates_testing:
========================
lib(64)cue2-2.3.0-1.mga{8|9}
lib(64)cue-devel-2.3.0-1.mga{8|9}

from SRPM:
libcue-2.3.0-1.mga{8|9}.src.rpm

Status comment: Fixed upstream in 2.3.0 => (none)

Advisory from comment 1 uploaded. Please remove the "advisory" keyword if it needs to be changed.

CC: (none) => marja11

MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
No previous updates, urpmq shows audacious-plugins as dependent.
Tried a .wav file, error opening stream and Pipewire connection error. Checked MCC - Hardware, shows pulseaudio used. Trace shows a call to libcue. Tried an avi, same result. Both the wav and avi play correctly in parole.
Giving up for today.

CC: (none) => herman.viaene

MGA8-64, Gnome, Ryzen 2600

The following 2 packages are going to be installed:
- lib64cue-devel-2.3.0-1.mga8.x86_64
- lib64cue2-2.3.0-1.mga8.x86_64
8.6KB of additional disk space will be used.
--
Downloaded some cue sheet examples, used music to play music and build playlists. No issues.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Hi Herman, that is an issue with the Audacious build, it defaults to pipewire. I had no issues once I switched audacious to pulse.

MGA9-64, Gnome

The following 2 packages are going to be installed:
- lib64cue-devel-2.3.0-1.mga9.x86_64
- lib64cue2-2.3.0-1.mga9.x86_64
8.6KB of additional disk space will be used.
--
Validated, sound worked, etc. No issues. Added audacious, tested that; working as expected after changing from pipewire to pulse.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0300.html

Resolution: (none) => FIXED
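Added example, not part of the bug report or the libcue project: a Python check that applies an rpm-style version comparison to `rpm -q` output, to confirm that the installed libcue runtime package is at least the 2.3.0-1 build named in the advisory. The package names lib64cue2/libcue2 and the `rpm` query format are assumptions about a Mageia system; the `rpm -q` lines used for testing are constructed.

```python
"""Check whether the installed libcue packages carry the CVE-2023-43641 fix.

Re-implements the segment-wise comparison rpm uses for version strings
(numeric segments compare as integers, alphabetic ones lexically, a numeric
segment outranks an alphabetic one) and applies it to `rpm -q` output.
Simplification: the '~' and '^' ordering rules of rpmvercmp are not handled.
"""
import re
import subprocess

FIXED_VERSION = "2.3.0"  # first version with the fix, from the advisory
FIXED_RELEASE = "1"      # Mageia release of the fixed build (-1.mga8 / -1.mga9)
PACKAGES = ("lib64cue2", "libcue2")  # assumed runtime package names on Mageia

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 depending on whether a is older, equal or newer than b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with more segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(version, release):
    """True if version-release is at least 2.3.0-1, the fixed Mageia build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    # release looks like "1.mga9"; only the part before the distro tag matters
    return rpmvercmp(release.split(".mga")[0], FIXED_RELEASE) >= 0


def assess(rpm_lines):
    """Map each 'NAME VERSION RELEASE' line from rpm -q to a verdict."""
    verdicts = {}
    for line in rpm_lines:
        name, version, release = line.split()
        verdicts[name] = "fixed" if is_fixed(version, release) else "VULNERABLE"
    return verdicts


if __name__ == "__main__":
    res = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n",
                          *PACKAGES], capture_output=True, text=True)
    # "package X is not installed" lines have more than three fields and are skipped
    for name, verdict in assess([l for l in res.stdout.splitlines()
                                 if len(l.split()) == 3]).items():
        print(name, verdict)
```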