CVE-2023-43641

Publication date 9 October 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

8.8 · High

Score breakdown

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

Status

Package Ubuntu Release Status
libcue 24.10 oracular
Fixed 2.2.1-4ubuntu1
24.04 LTS noble
Fixed 2.2.1-4ubuntu1
23.10 mantic
Fixed 2.2.1-4ubuntu1
23.04 lunar
Fixed 2.2.1-4ubuntu0.1
22.04 LTS jammy
Fixed 2.2.1-3ubuntu0.1
20.04 LTS focal
Fixed 2.2.1-2ubuntu0.1
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty Ignored end of standard support

Severity score breakdown

Parameter Value
Base score 8.8 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references