Hi,

CVE-2023-43641 was announced here:
https://www.openwall.com/lists/oss-security/2023/10/09/3

The bug is fixed in version 2.3.0.

Mageia 8 and 9 are also affected.

Best regards,

Nico.
Status comment: (none) => Fixed upstream in 2.3.0
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => libcue-2.2.1-3.mga9.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. (CVE-2023-43641)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43641
https://www.openwall.com/lists/oss-security/2023/10/09/3
========================

Updated packages in {8|9}/core/updates_testing:
========================
lib(64)cue2-2.3.0-1.mga{8|9}
lib(64)cue-devel-2.3.0-1.mga{8|9}

from SRPM:
libcue-2.3.0-1.mga{8|9}.src.rpm
Status comment: Fixed upstream in 2.3.0 => (none)
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Advisory from comment 1 uploaded. Please remove the "advisory" keyword if it needs to be changed.
CC: (none) => marja11
Keywords: (none) => advisory
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
No previous updates, urpmq shows audacious-plugins as dependent.
Tried a .wav file: error opening stream and Pipewire connection error.
Checked MCC - Hardware, shows pulseaudio used.
Trace shows a call to libcue.
Tried an avi, same result.
Both the wav and avi play correctly in parole.
Giving up for today.
CC: (none) => herman.viaene
MGA8-64, Gnome, Ryzen 2600

The following 2 packages are going to be installed:

- lib64cue-devel-2.3.0-1.mga8.x86_64
- lib64cue2-2.3.0-1.mga8.x86_64

8.6KB of additional disk space will be used.

--
downloaded some cue sheet examples
used music to play music and build playlists.
no issues
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => brtians1
Hi Herman, that is an issue with the Audacious build; it defaults to pipewire. I had no issues once I switched audacious to pulse.

MGA9-64, Gnome

The following 2 packages are going to be installed:

- lib64cue-devel-2.3.0-1.mga9.x86_64
- lib64cue2-2.3.0-1.mga9.x86_64

8.6KB of additional disk space will be used.

--
validated sound worked, etc.
no issues

Added audacious, tested that - working as expected after changing from pipewire to pulse.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0300.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED